NAT in cisco asa 5505 version 8.2

Unanswered Question
Sep 6th, 2010

Hi all,

I recently upgraded a router to asa5505. I did a static NAT for a particular private ip address to public ip as below.

static (inside,outside) public_ip private_ip netmask 255.255.255.255

However when this is done, this particular server could not access the internet. My firewall does not restrict outgoing traffic. If i remove this static NAT, the server will go through PAT and it will be able to access the internet. I use the packet tracer in asdm to test my outgoing traffic for this particular and it shows my config is fine. Before the upgrade everything was working fine including NAT for this particular server. Pls advise what may be missing. Thks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Mon, 09/06/2010 - 00:41

I would suggest that after you change it to a static statement, please perform "clear xlate" and "clear arp". Also check on the next hop router that the public ip address has the ASA outside interface MAC address as the ARP entry.

Hope that helps.

donnie Mon, 09/06/2010 - 01:08

Hi Halijenn,

Did that but problem still persist.

Nagaraja Thanthry Mon, 09/06/2010 - 01:12

Hello,

Do you see any hit counts increasing on the outside interface for the

access-list corresponding to the server?

Regards,

NT

donnie Mon, 09/06/2010 - 04:41

Hi,

There is no hit counts for this particular server. I can see hit counts for my clients that access the internet via PAT.

Jennifer Halim Mon, 09/06/2010 - 05:14

If there is no hit count, that means that the traffic is not even coming towards the ASA. I would suggest that you check the next hop router for the ARP entry. Either clear the arp cache on the next hop router, OR try reloading the router and check again if that works.


Also, assuming that the public ip address is in the same subnet as the ASA outside interface, and it is not being used by other device.

Nagaraja Thanthry Mon, 09/06/2010 - 06:55

Hello,

Can you access the server from internet? If that is also not possible, as

halijenn said, reboot the router. That should clear out all the ARP entries

on the ISP router and should build a new ARP cache. If that still did not

work, that means your ISP is not sending packets destined to that IP to your

ASA. Please talk to them and see what is happening on their end.

Note: Also make sure that you have enabled proxy-arp on your outside

interface.

Regards,

NT

Actions

This Discussion