10-02-2009 06:54 AM - edited 03-11-2019 09:22 AM
ASA 5520 running ver. 8.0(3).
Here's the basic config:
global (outside) 101 interface
nat (101) 0.0.0.0 0.0.0.0
static (inside,outside) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255
If I remove the static line, then I can get to the Internet from 10.75.244.241. Re-applying the static command kills the Internet connection. All clients (without a static) are fine with or without the static command.
No access-list created - everything is using default from out of the box.
Please help!!!!
Here's the config:
ASA Version 8.0(3)
!
hostname ASA-5520
names
dns-guard
!
interface GigabitEthernet0/0
description Outside to TW
nameif OUTSIDE-TW
security-level 0
ip address xxx.97.65.3 255.255.255.128
!
interface GigabitEthernet0/1
description Connection to 4506
nameif INSIDE
security-level 100
ip address INSIDE-10.75.244.12 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
nameif DMZ
security-level 50
ip address 172.16.200.3 255.255.255.128
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 10.75.244.252
name-server 10.75.244.151
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-ANY
description ICMP-ANY
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
access-list INSIDE_nat_outbound extended permit ip object-group ALL_CRMC_SUBNET any
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging mail emergencies
logging host INSIDE 10.75.244.158
logging permit-hostdown
mtu OUTSIDE-TW 1500
mtu INSIDE 1500
mtu DMZ 1500
ip local pool VPN_Pool 192.168.222.2-192.168.222.127 mask 255.255.255.128
ip verify reverse-path interface OUTSIDE-TW
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE-TW) 101 interface
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE-TW) xxx.97.65.5 10.75.244.241 netmask 255.255.255.255
route OUTSIDE-TW 0.0.0.0 0.0.0.0 xxx.97.65.1 1
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
10-02-2009 09:28 AM
Hi Jimmy,
This looks to be a gratuitous ARP issue.
I would suggest the following to get this fixed:
no static (inside,outside) xxx.97.65.5 10.75.244.241
int g0/0
ip address xxx.97.65.5 255.255.255.128
ping 4.2.2.2
int g0/0
ip address xxx.97.65.3 255.255.255.128
static (inside,outside) xxx.97.65.5 10.75.244.241
Reason for the fix:
The firewall does proxy ARP for the public IP address applied in the static statement. At times this ARP is not learned by the upstream device, so we have to force this ARP. The best way to do it is by applying the public IP address from the static statement to the firewall's outside interface and then applying it to the static statement again.
Note: This might cause termination of active connections through the firewall, so applying it off production hours is always recommended.
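As an added example (not from this thread or from Cisco), here is a small Python audit of the static/interface lines discussed above. It parses a constructed config in the thread's 8.0 syntax (the masked xxx.97.65.x addresses are replaced with the 203.0.113.0/25 documentation range, and a second static is added) and reports, for each static, whether the mapped address sits in the mapped interface's connected subnet (so the ASA proxy-ARPs for it and the upstream device must hold a correct ARP entry), lies outside it, or collides with the interface's own address (the clash that removing the static before readdressing g0/0 avoids).

```python
import ipaddress
import re

# Constructed sample in the thread's ASA 8.0(3) syntax; the masked xxx.97.65.x public
# addresses become the 203.0.113.0/25 documentation range, plus one off-subnet static.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE-TW
 ip address 203.0.113.3 255.255.255.128
!
static (INSIDE,OUTSIDE-TW) 203.0.113.5 10.75.244.241 netmask 255.255.255.255
static (INSIDE,OUTSIDE-TW) 198.51.100.9 10.75.244.242 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<mapped>\S+) (?P<real>\S+)", re.M)

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus connected subnet)."""
    ifaces, nameif, addr = {}, None, None
    for line in config.splitlines() + ["!"]:  # the appended "!" flushes the last block
        s = line.strip()
        if s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address "):
            ip, mask = s.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif s == "!" or s.startswith("interface "):
            if nameif and addr:
                ifaces[nameif] = addr
            nameif = addr = None
    return ifaces

def audit_statics(config):
    """Classify each static by where its mapped (public) address sits relative to the
    mapped interface: proxy-arp (ASA answers ARP, upstream must learn it), off-subnet, or a collision."""
    ifaces = parse_interfaces(config)
    findings = []
    for m in STATIC_RE.finditer(config):
        iface = ifaces.get(m["mapped_if"])
        mapped = ipaddress.IPv4Address(m["mapped"])
        if iface is None:
            status = "unknown-interface"
        elif mapped == iface.ip:
            status = "collides-with-interface-ip"
        elif mapped in iface.network:
            status = "proxy-arp"
        else:
            status = "needs-upstream-route"
        findings.append((m["mapped"], m["real"], m["mapped_if"], status))
    return findings
```

Run audit_statics(SAMPLE_CONFIG) on a dump of the running config to see which mapped addresses depend on the upstream router's ARP cache being fresh.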
10-02-2009 01:04 PM
Hi mkharban,
I did exactly as you suggested and it worked beautifully!!!
BTW: Thought you may want to know this - Internet connection was up and running just fine during the process of changing the outside IP address.
Thank you so much for your help!
Jimmy-
10-02-2009 01:22 PM
Hi Jimmy,
Internet connection generally stays up but to avoid any risks I always recommend adding that one-liner.
Thanks,
Manish Kharbanda
10-02-2009 01:26 PM
Manish,
I appreciate your professionalism!!!!
Have a Great week-end!!!
Jimmy-