Solved: One public IP using PAT to two internal deviecs

ddrodge · ‎08-24-2010

I have a scenerio whereby one public IP is directed to two internal private IP using PAT. A PIX501 is currently in production and an ASA5505 is scheduled to be installed. If the configuration from the PIX501 is ported to the ASA5505 and the devices switched (DSL modem is power cycled), Internat traffic flows through the ASA5505 but inbound traffic to the two devices (SPAM filter and Exchange Server) stops. If I change the ASA 5505 out for the PIX501 (again DSL is powered cycled), traffic flows as designed.

I have attached the current config on the ASA5505. ASA is running 8.2(2)

Can someone help to find where the issue lies on the ASA5505, thanks.

Nagaraja Thanthry · ‎08-25-2010

Hello,

If you are not seeing any hits on the outside interface ACL, most likely

your DSL modem/ISP router has wrong ARP entry for the second IP. Is the DSL

modem in Bridged mode? If so, can you please ask your ISP what MAC entry

they have for the SMTP address?

Regards,

NT

View solution in original post

Nagaraja Thanthry · ‎08-24-2010

Hello,

When you switched your hardware, did you reboot the ISP router? Your

configuration looks good. Most likely, your ISP has cached the PIX MAC for

the SMTP IP. Please reboot the ISP router or bounce the ISP port and see if

that helps.

Regards,

NT

ddrodge · ‎08-24-2010

Thanks for the reply, Yes in all cases I power-cycled the DSL modem when switching the ASA for the PIX.

should the switch on the inside also be power-cycled as the inside MAC change as well?

Dereck

Nagaraja Thanthry · ‎08-24-2010

Hello,

No, the inside should not matter. When you put it back in production, can

you check the access-list hit counts to see if the packets are hitting the

outside interface of the firewall? Also, what is the default gateway of the

servers? Are they pointing to the ASA inside interface?

Regards,

NT

ddrodge · ‎08-25-2010

When ASA is in production, it has same internal IP address that is set as the default gateway for the subnet and no traffic registers on the ACL for SMTP, 3389 or 443. It is like there is another default/hidden ACL that is blocking the traffic. The results of the show access-list does not show any hits on the specified public address nor the PAT.

I am going to reset the device to factory defaults and build the configuration from scratch. I'll report back the results.

Nagaraja Thanthry · ‎08-25-2010

Hello,

If you are not seeing any hits on the outside interface ACL, most likely

your DSL modem/ISP router has wrong ARP entry for the second IP. Is the DSL

modem in Bridged mode? If so, can you please ask your ISP what MAC entry

they have for the SMTP address?

Regards,

NT

ddrodge · ‎08-30-2010

Thanks,

The issue was in an upstream network device that was holding the incorrect ARP entry for the other IP Addresses. Waiting past the 60 minute timeout on the ARP table of the upstream device (independent of the ISP DSL modem) and traffic flowed.