STATIC doesn't work

jimmy.tran
Level 1

ASA 5520 running ver. 8.0(3).

Here's the basic config:

global (outside) 101 interface
nat (101) 0.0.0.0 0.0.0.0
static (inside,outside) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255

If I remove the static line then I can get to the Internet from 10.75.244.241. Re-applying the static command kills the Internet connection. All clients (without static) are fine with or without the static command.

No access-list created - everything is using default from out of the box.

Please help!!!!

Here's the config:

ASA Version 8.0(3)
!
hostname ASA-5520
names
dns-guard
!
interface GigabitEthernet0/0
 description Outside to TW
 nameif OUTSIDE-TW
 security-level 0
 ip address xxx.97.65.3 255.255.255.128
!
interface GigabitEthernet0/1
 description Connection to 4506
 nameif INSIDE
 security-level 100
 ip address INSIDE-10.75.244.12 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 nameif DMZ
 security-level 50
 ip address 172.16.200.3 255.255.255.128
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server 10.75.244.252
 name-server 10.75.244.151
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-ANY
 description ICMP-ANY
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
 icmp-object unreachable
access-list INSIDE_nat_outbound extended permit ip object-group ALL_CRMC_SUBNET any
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging mail emergencies
logging host INSIDE 10.75.244.158
logging permit-hostdown
mtu OUTSIDE-TW 1500
mtu INSIDE 1500
mtu DMZ 1500
ip local pool VPN_Pool 192.168.222.2-192.168.222.127 mask 255.255.255.128
ip verify reverse-path interface OUTSIDE-TW
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE-TW) 101 interface
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE-TW) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255
route OUTSIDE-TW 0.0.0.0 0.0.0.0 xxx.97.65.1 1
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

4 Replies

mkharban
Level 1

Hi Jimmy,

This looks like a gratuitous ARP issue.

I would suggest the following to get this fixed:

no static (inside,outside) xxx.97.65.5 10.75.244.241
int g0/0
 ip address xxx.97.65.5 255.255.255.128
ping 4.2.2.2
int g0/0
 ip address xxx.97.65.3 255.255.255.128
static (inside,outside) xxx.97.65.5 10.75.244.241

Reason for the fix:

Firewall does a proxy ARP for the public ip address applied in the static statement. At times this ARP is not learned by the upstream device so we have to force this ARP. The best way to do it is by applying that public ip address in the static statement to the firewall outside interface and then applying it to the static statement again.

Note: This might cause termination of the active connection through the firewall so applying it off production hours is always recommended.
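The proxy-ARP explanation above depends on the mapped address in the static sitting on the outside interface's connected subnet and not colliding with the interface's own address. As an added example, not part of this thread or of any Cisco tool, the Python below parses an ASA 8.0-style config (interface blocks, `static` lines and `sysopt noproxyarp`) and flags the configuration-level reasons a static's mapped address cannot be proxy-ARPed. The sample config is constructed for the example; the public addresses are placeholders from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, not the poster's xxx.97.65.x addresses. The stale-upstream-ARP condition the reply describes is runtime state and is not visible in a config, so a clean "ok" here only rules out the static causes; the swap-the-interface-address procedure above remains the remedy for that case.

```python
import ipaddress
import re

# Constructed sample config for this example (NOT the thread's config).
# Public addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE-TW
 security-level 0
 ip address 203.0.113.3 255.255.255.128
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.75.244.12 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.200.3 255.255.255.128
!
sysopt noproxyarp DMZ
nat-control
global (OUTSIDE-TW) 101 interface
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE-TW) 203.0.113.5 10.75.244.241 netmask 255.255.255.255
static (INSIDE,OUTSIDE-TW) 203.0.113.3 10.75.244.242 netmask 255.255.255.255
static (INSIDE,OUTSIDE-TW) 198.51.100.9 10.75.244.243 netmask 255.255.255.255
static (INSIDE,DMZ) 172.16.200.10 10.75.244.244 netmask 255.255.255.255
static (INSIDE,VPN) 172.16.200.11 10.75.244.245 netmask 255.255.255.255
"""

# One-to-one static: static (real_if,mapped_if) mapped_ip real_ip [netmask m]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+)(?: netmask (?P<mask>\S+))?"
)


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface block with an address."""
    ifaces, nameif = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, forget previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            try:
                ifaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
            except ValueError:
                pass                           # 'names'-substituted address, skip
    return ifaces


def parse_noproxyarp(config):
    """Interfaces where 'sysopt noproxyarp <if>' turns proxy ARP off."""
    return {l.split()[2] for l in config.splitlines()
            if l.strip().startswith("sysopt noproxyarp ")}


def check_statics(config):
    """Classify each one-to-one static; returns [(mapped, real, status), ...]."""
    ifaces = parse_interfaces(config)
    noproxy = parse_noproxyarp(config)
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m or not m["mapped"][0].isdigit():
            continue                           # not a static, or a tcp/udp port static
        mapped, real, mapped_if = m["mapped"], m["real"], m["mapped_if"]
        mask = m["mask"] or "255.255.255.255"
        mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
        out_if = ifaces.get(mapped_if)
        if out_if is None:
            status = "mapped interface has no address (shut down or missing nameif)"
        elif out_if.ip in mapped_net:
            status = "mapped address collides with the interface address"
        elif not mapped_net.subnet_of(out_if.network):
            status = "mapped address is off the connected subnet; upstream needs a route"
        elif mapped_if in noproxy:
            status = "proxy ARP disabled on mapped interface (sysopt noproxyarp)"
        else:
            status = "ok"
        findings.append((mapped, real, status))
    return findings


if __name__ == "__main__":
    for mapped, real, status in check_statics(SAMPLE_CONFIG):
        print(f"{mapped:>16} -> {real:<16} {status}")
```

Run it against a `show running-config` capture instead of `SAMPLE_CONFIG` to audit all statics at once; anything other than "ok" is a config defect to fix before trying the ARP-refresh procedure.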

Hi mkharban,

I did exactly as you suggested and it worked beautifully!!!

BTW: Thought you may want to know this - Internet connection was up and running just fine during the process of changing the outside IP address.

Thank you so much for your help!

Jimmy-

Hi Jimmy,

Internet connection generally stays up but to avoid any risks I always recommend adding that one-liner.

Thanks,

Manish Kharbanda

Manish,

I appreciate your professionalism!!!!

Have a Great week-end!!!

Jimmy-
