NAT in Cisco ASA 5505 version 8.2

donnie
Level 1

Hi all,

I recently upgraded a router to an ASA 5505. I did a static NAT for a particular private IP address to a public IP as below.

static (inside,outside) public_ip private_ip netmask 255.255.255.255

However, when this is done, this particular server cannot access the internet. My firewall does not restrict outgoing traffic. If I remove this static NAT, the server goes through PAT and is able to access the internet. I used the packet tracer in ASDM to test my outgoing traffic for this particular server and it shows my config is fine. Before the upgrade everything was working fine, including NAT for this particular server. Please advise what may be missing. Thanks in advance.

6 Replies 6

Jennifer Halim
Cisco Employee

I would suggest that after you change it to a static statement, please perform "clear xlate" and "clear arp". Also check on the next hop router that the public ip address has the ASA outside interface MAC address as the ARP entry.

Hope that helps.

Hi Halijenn,

Did that, but the problem still persists.

Hello,

Do you see any hit counts increasing on the outside interface for the access-list corresponding to the server?

Regards,

NT

Hi,

There are no hit counts for this particular server. I can see hit counts for my clients that access the internet via PAT.

If there is no hit count, that means that the traffic is not even coming towards the ASA. I would suggest that you check the next hop router for the ARP entry. Either clear the arp cache on the next hop router, OR try reloading the router and check again if that works.


Also, assuming that the public IP address is in the same subnet as the ASA outside interface, and it is not being used by another device.

Hello,

Can you access the server from internet? If that is also not possible, as halijenn said, reboot the router. That should clear out all the ARP entries on the ISP router and should build a new ARP cache. If that still did not work, that means your ISP is not sending packets destined to that IP to your ASA. Please talk to them and see what is happening on their end.

Note: Also make sure that you have enabled proxy-arp on your outside interface.

Regards,

NT
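
The ARP checks suggested in the replies above can be scripted against the next-hop router's ARP table. This is an added example, not part of the original thread: the `show ip arp` sample, the documentation addresses and MACs, and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed `show ip arp` output from the next-hop router (documentation
# addresses and MACs; .2 is the ASA outside interface in this scenario).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.5e00.5301  ARPA   FastEthernet0/0
Internet  203.0.113.2            12   0000.5e00.53aa  ARPA   FastEthernet0/0
Internet  203.0.113.10          187   0000.5e00.53bb  ARPA   FastEthernet0/0
"""

ARP_LINE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s",
    re.M,
)

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Map IP -> normalized MAC for every entry in the ARP table text."""
    return {ip: norm_mac(mac) for ip, mac in ARP_LINE.findall(text)}

def check_static_nat(arp_text, public_ip, asa_outside_if, asa_outside_mac):
    """Return findings about the upstream ARP state; [] means it looks right."""
    iface = ipaddress.ip_interface(asa_outside_if)
    if ipaddress.ip_address(public_ip) not in iface.network:
        # Off-subnet public IPs are reached by routing, so ARP is irrelevant.
        return ["public IP is outside the ASA outside subnet: "
                "upstream must route it to the ASA"]
    seen = parse_arp(arp_text).get(public_ip)
    if seen is None:
        return ["no ARP entry for the public IP: the router has not resolved it"]
    if seen != norm_mac(asa_outside_mac):
        return [f"stale ARP: {public_ip} resolves to {seen}, "
                "not the ASA outside MAC"]
    return []

if __name__ == "__main__":
    for finding in check_static_nat(SAMPLE_ARP, "203.0.113.10",
                                    "203.0.113.2/24", "0000.5e00.53aa"):
        print(finding)
```

An empty result means the router already maps the translated address to the ASA; a "stale ARP" finding is the case that "clear arp" on the next hop or a router reload is meant to fix.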
