
ASA 5510 issue

Unanswered Question
Jan 23rd, 2012

Hello all,


I seem to have a weird issue with an ASA 5510 which is actually resolved, but I would like to share it.


We have a Cisco 3745 which has a public LAN port. It has the IP 1.1.1.1/24 (for example) assigned to one of its FastEthernet interfaces. On this port we have connected an ASA 5510 with public IP 1.1.1.2/24 and a default route to 1.1.1.1. Everything works fine when all the internal LAN IPs are globally natted to the outside interface (1.1.1.2). Once we bring in static NATs, they stop working. For instance, if I have a static NAT 10.1.1.3-->1.1.1.3, 10.1.1.3 will not be able to go to the internet. Once I remove the static NAT, it starts to work.


We got around this issue by enabling some captures on the ASA external interface. With static NAT enabled, whenever we tried to go out to the internet from 10.1.1.3, we saw hits on the capture for traffic from 1.1.1.3 but no returning traffic to 1.1.1.3. So we concentrated on the router, clearing the ARP caches and reloading it, but that didn't work. We also tried clearing the ARP tables and NAT sessions of the ASA. Finally, we just added a static route on the 3745, ip route 1.1.1.3 255.255.255.255 1.1.1.2, and it started to work.


We are confused by this solution, as we do not understand why we need to add a static route to resolve the issue when there is already a directly connected route to the 1.1.1.0/24 network. I am not sure if it is a bug with the ASA or the 3745. We are having a similar issue with an ASA 5510 connected to a Cisco 3825.


Please advise.




Thanks

Mukundh

Julio Carvajal Mon, 01/23/2012 - 12:46

Hello Mukundh,


What if you change the outside interface IP address to 1.1.1.3 and then put back 1.1.1.2? With this, the ASA will send a gratuitous ARP for the IP address of 1.1.1.3.


Can you try this without the route on the border router and see if that makes a difference? It is an ARP issue.



Regards,


Julio


Rate helpful posts!!
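
Added example, not part of the original thread: a small Python model of how a router picks the address it must ARP for, showing why the /32 route via 1.1.1.2 restores return traffic when ARP for 1.1.1.3 goes unanswered. The MAC address and the assumption that nothing on the segment answers ARP for 1.1.1.3 are constructed for illustration.

```python
import ipaddress

ASA_MAC = "00:00:5e:00:53:02"  # constructed MAC for the ASA outside interface

def arp_target(routes, dst):
    """Longest-prefix match, then return the address the router must ARP for.

    routes: list of (prefix, gateway); gateway None means directly connected.
    Connected route  -> the router ARPs for the destination itself.
    Route via gateway -> the router ARPs for the gateway instead.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None  # no route at all
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return dst if gw is None else gw

def deliver(routes, arp_answers, dst):
    """Return the MAC the frame is sent to, or None if ARP gets no reply."""
    return arp_answers.get(arp_target(routes, dst))

# Routing table of the 3745 before and after the workaround from the post.
CONNECTED = [("1.1.1.0/24", None)]
WITH_HOST_ROUTE = CONNECTED + [("1.1.1.3/32", "1.1.1.2")]

# Assumed symptom: only the ASA interface address is answered on the segment.
ARP_BROKEN = {"1.1.1.2": ASA_MAC}
# State the reply is aiming for: the ASA also answers for the static NAT address.
ARP_FIXED = {"1.1.1.2": ASA_MAC, "1.1.1.3": ASA_MAC}

if __name__ == "__main__":
    cases = [
        ("connected route only, no ARP reply for 1.1.1.3", CONNECTED, ARP_BROKEN),
        ("host route via 1.1.1.2, no ARP reply for 1.1.1.3", WITH_HOST_ROUTE, ARP_BROKEN),
        ("connected route only, ASA answers for 1.1.1.3", CONNECTED, ARP_FIXED),
    ]
    for name, routes, arp in cases:
        target = arp_target(routes, "1.1.1.3")
        mac = deliver(routes, arp, "1.1.1.3")
        print(f"{name}: ARP for {target} -> {mac or 'unresolved, packet dropped'}")
```
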
