ASA 8.0 - more global IPs not working with DMZ - NAT translation

elkono200
Level 1

hi,

I have 16 global IPs, i.e. 80.80.80.112 / 255.255.255.240

ASA IF:

eth0/0 - inside - 10.10.10.2

eth0/1 - outside - 80.80.80.114

eth0/2 - DMZ - 172.16.2.1

eth0/3 - not used

GW Provider: 80.80.80.113

ASA-OUTSIDE-IP: 80.80.80.114 (IP used to surf the Internet from the inside network NAT)

DMZ: 172.16.10.0 /24

DMZ-ASA-IP: 172.16.2.1 /24 (connected to a switch)

DMZ-SERVER-01: 172.16.2.10 (connected to the same switch as the ASA)

DMZ-SERVER-02: 172.16.2.11 (connected to the same switch as the ASA)

DMZ-SERVER-01 NAT: 80.80.80.115

DMZ-SERVER-01 NAT: 80.80.80.116

This configuration is working fine with a PIX 515E, 6.3.

Now my problem:

If I replace the PIX with the new ASA 5520, one of the DMZ servers cannot be reached from outside. It seems that the outside interface does not use the whole range from 80.80.80.112/255.255.255.240.

Sometimes only 80.80.80.115 works, and sometimes only the .116 from outside, if I switch the ASA off/on.

Does anyone have an idea what it can be or what I can do?

NAT DMZ Servers:

static (dmz, outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255

static (dmz, outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255

thx

5 Replies

husycisco
Level 7

Hello Konrad,

Make sure that you permit the desired traffic in an outside interface ACL destined to 80.80.80.115 and .116. Also enable logging and check the syslogs in ASDM (web interface) when you try to establish a connection and it fails.

Regards

hi,

The ACLs are OK, they are the same as the ones I configured on the PIX.

In short, ACL outside_access_in is bound on the outside interface:

permit tcp any 80.80.80.115 http

permit tcp any 80.80.80.116 http

If server-01 (.115) is working, and I now change the NAT so that server-01 gets server-02's external IP and server-02 is translated to server-01's external IP, server-02 is working, but now server-01 with IP .116 is not.

The syslog does not log any error when I connect from outside. It doesn't log any error for the .115 or .116 address.

...

Konrad,

I couldn't understand what you mean by "if server-01 (.115) is working, and now i change NAT that server-01 will be server-02 and server-02 will be translated to server-01 external IP, server-02 is working, but not server-01 now with IP .116", but as I assume, you are going through some IP and translation changes. I recommend you run the following commands:

clear arp

clear xlate

clear local-host all

A sanitized partial config and an elaborated explanation will be helpful.

Regards

Hi Huseyin,

Thanks for your help, and sorry for my bad description of the problem.

That's my config:

global (outside) 1 interface

global (dmz-outside) 1 172.16.2.10-172.16.2.11 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,dmz-outside) INTERNAL-LAN INTERNAL-LAN netmask 255.255.0.0

static (inside,dmz-inside) INTERNAL-LAN INTERNAL-LAN netmask 255.255.0.0

static (dmz-outside,outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255 dns

static (dmz-outside,outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255 dns

access-group outside_access_in in interface outside

access-group dmz-outside_access_in in interface dmz-outside

route outside 0.0.0.0 0.0.0.0 80.80.80.113 1

route inside INTERNAL-LAN 255.255.0.0 INTERNAL-GW 1

That must be OK?

thx

Could it be the provider's router? That it has cached the ARP table?
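Since the thread never pins down which of the mapped addresses the upstream router is actually willing to send to the ASA, here is an added example (not from the thread or from Cisco) that sanity-checks ASA 8.0-style static lines against the outside block the poster describes: every mapped IP must sit inside 80.80.80.112/28, must not collide with the network/broadcast address, the ASA outside IP or the provider gateway, must not be mapped twice, and must have a matching outside ACL entry. The two sample configs and the full-form access-list ... host syntax are constructed for the example.

```python
import ipaddress
import re

# Values from the thread: the 16-address block, the ASA outside IP and the provider gateway.
OUTSIDE_NET = ipaddress.ip_network("80.80.80.112/28")
OUTSIDE_IF_IP = ipaddress.ip_address("80.80.80.114")
PROVIDER_GW = ipaddress.ip_address("80.80.80.113")

# Constructed sample in full ASA 8.0 syntax, modelled on the poster's lines (not their real config).
GOOD_CONFIG = """
static (dmz-outside,outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255 dns
static (dmz-outside,outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255 dns
access-list outside_access_in extended permit tcp any host 80.80.80.115 eq www
access-list outside_access_in extended permit tcp any host 80.80.80.116 eq www
"""
# Constructed bad sample: one static on the ASA's own outside IP, one outside the /28, one without an ACL.
BAD_CONFIG = """
static (dmz-outside,outside) 80.80.80.114 172.16.2.10 netmask 255.255.255.255
static (dmz-outside,outside) 80.80.80.200 172.16.2.11 netmask 255.255.255.255
static (dmz-outside,outside) 80.80.80.117 172.16.2.12 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 80.80.80.114 eq www
access-list outside_access_in extended permit tcp any host 80.80.80.200 eq www
"""

STATIC_RE = re.compile(r"^static \(([\w-]+),([\w-]+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list \S+ extended permit \S+ any host (\S+)")


def check_statics(config, net=OUTSIDE_NET, if_ip=OUTSIDE_IF_IP, gw=PROVIDER_GW):
    """Return findings for host statics mapped onto 'outside'; an empty list means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acl_hosts = {ipaddress.ip_address(m.group(1)) for m in map(ACL_RE.match, lines) if m}
    findings, seen = [], {}
    for m in filter(None, map(STATIC_RE.match, lines)):
        _real_if, mapped_if, mapped, real, mask = m.groups()
        if mapped_if != "outside" or mask != "255.255.255.255":
            continue  # only one-to-one statics facing the outside interface matter here
        ip = ipaddress.ip_address(mapped)
        if ip not in net:
            findings.append(f"{ip}: outside {net}, the provider router will not route it to the ASA")
        elif ip in (net.network_address, net.broadcast_address, if_ip, gw):
            findings.append(f"{ip}: reserved (network/broadcast, ASA outside IP or gateway)")
        if ip in seen:
            findings.append(f"{ip}: already mapped to {seen[ip]}, duplicate static")
        seen[ip] = real
        if ip not in acl_hosts:
            findings.append(f"{ip}: no outside ACL entry permits traffic to it")
    return findings
```

Running check_statics over a sanitized copy of the real config is a quick way to rule out the ASA-side causes before blaming the provider's ARP cache.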
