ASA 5520 NAT ISSUE - users losing internet connectivity

Answered Question
Jul 15th, 2010

Hi all,

I have a 5520 and am using Dynamic NAT. There are times that a client loses Internet connectivity though there is a public IP address NATed to the private IP. My normal solution to this is to "clear xlate". But the problem is that there is a collateral issue affecting other clients. Others also lose connectivity after I apply the command.

I just want to clear one specific IP and get re-assigned another public IP.

I tried the command "clear xlate local xxx.xxx.xxx.xxx" (private IP) but it does not work.

Any other ASA 5520 command specific to accomplish this?

Thanks in advance.

Del

Correct Answer
Nagaraja Thanthry Thu, 07/15/2010 - 10:08

Hello,

Does that host have static translation or dynamic? If it is dynamic, it has to clear the translations. Can you check the translations before and after the clearing? It could be that as soon as you clear the translations, the client tries to build new connections and the entries show up again.

Also, you could clear the local-host table entry for that host to see if that fixes the issue. If you are still having issues (after clearing NAT/Local-host), then change the timeout values on the firewall. Typically the idle timeout is set to 1 hour or more. Change that to a lower value and see if that helps.

Regards,

NT
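The per-host check, clear and timeout change NT describes, as an added ASA CLI walkthrough that is not part of the original thread; the private address 10.1.1.25, the global address 203.0.113.10 and the 30-minute timeouts are placeholders, and the sample output is constructed (the exact `show xlate` format varies by ASA release).

```cisco
! --- 1. Look at this one host's translation BEFORE clearing anything ---
asa# show xlate local 10.1.1.25
! constructed sample output (pre-8.3 style):
! 1 in use, 1 most used
! Global 203.0.113.10 Local 10.1.1.25
asa# show local-host 10.1.1.25
! shows the host's active connection count and its xlate

! --- 2. Tear down only that host's translation, not the whole table ---
! "clear xlate" with no arguments drops every translation and the
! connections bound to them, which is why other users lose sessions.
asa# clear xlate local 10.1.1.25

! --- 3. Re-check immediately: if the client already reopened connections
!        the entry is rebuilt, so the clear did work but was re-created ---
asa# show xlate local 10.1.1.25

! --- 4. Stronger per-host reset: drops the host's connections AND xlates ---
asa# clear local-host 10.1.1.25

! --- 5. If stale dynamic entries keep lingering, lower the idle timeouts ---
asa# show running-config timeout
! default xlate idle timeout is 3:00:00 and conn idle timeout is 1:00:00
asa# configure terminal
asa(config)# timeout xlate 0:30:00
asa(config)# timeout conn 0:30:00
asa(config)# end
asa# show xlate count
```

Compare the `show xlate local` output from steps 1 and 3 to tell a translation that was never cleared from one that was immediately rebuilt by the client.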

Delfino Tiongco Thu, 07/15/2010 - 10:42

NT,

Good point, I will try to wait next time to see if the translation clears after I issue a "clear xlate local". I will ask the user to connect again to see if he gets connectivity to the Internet.

I also changed the default timeout for translation to a shorter time.

I will not know if I am successful until the next incident.

Thanks for the help and info.

Del
