ASA5525X no longer passing traffic after power interruption

ASA5525X running 8.6.1.5 had a power interruption; when reloaded, it no longer passes traffic.

Checked the configuration; all looked OK.

Only using inside and outside interfaces. From the ASA I can ping the outside Internet router and the internal L3 switch, but cannot ping anything else.

When working, I can ping servers OK. Cleared the ARP caches on the routers and L3 switches.

For example, the Internet router cannot connect to the TACACS server on the inside, but when I run packet-tracer using the Internet router and TACACS server it says allowed! It's as if something needs to be switched on!

Please find enclosed the log from the ASA reload and the running configuration.

Thank goodness I still have my old PIX, which I have substituted till this is fixed!

3 REPLIES
Super Bronze

Re: ASA5525X no longer passing traffic after power interruption

Hi,

If you have some old configuration available, please check if it had any Dynamic PAT rules.

To me it seems that you have absolutely no Dynamic PAT/NAT rules for your internal users towards the WAN link.

You only have Static NAT / Identity NAT / NAT 0 type configurations and a Dynamic Policy PAT.

A simple way to Dynamic PAT all traffic towards the WAN would be to add:

nat (inside,outside) after-auto source dynamic any interface

- Jouni

Re: ASA5525X no longer passing traffic after power interruption

Jouni,

Here are the NAT rules. Everything was working before the power down; the config is the same as the saved one.

nat (inside,outside) source static CHIACS71 CHIACS71 destination static DRSINTR1 DRSINTR1
nat (inside,outside) source static DRSACS71 DRSACS71 destination static DRSINTR1 DRSINTR1
nat (inside,outside) source static ALL172 ALL172 destination static clientvpn clientvpn
nat (inside,outside) source static ALL10 ALL10 destination static clientvpn clientvpn
nat (inside,outside) source dynamic allaccess formrchips destination static MrChips MrChips
!
object network host172.16.24.220
 nat (inside,outside) static 203.55.179.16
object network host172.16.21.152
 nat (inside,outside) static 203.55.179.17
object network host_chiunf71
 nat (inside,outside) static 203.55.179.18
object network host_chicts71
 nat (inside,outside) static 203.55.179.19
object network host_chinnm72
 nat (inside,outside) static 203.55.179.26
object network hostMail
 nat (inside,outside) static 203.55.179.30
object network chilms71
 nat (inside,outside) static 203.55.179.20
object network allaccess
 nat (inside,outside) static 203.55.179.10
object network Kruk_Printer
 nat (inside,outside) static 203.55.179.15

Super Bronze

Re: ASA5525X no longer passing traffic after power interruption

Hi,

I don't see any Dynamic PAT/NAT rule on it for outbound traffic, though.

You could always run this "packet-tracer" command on it to simulate some traffic from the LAN that doesn't work:

packet-tracer input inside tcp <LAN-IP> 12345 1.1.1.1 80

Replace the <LAN-IP> with some actual IP address from your LAN.

This doesn't, however, explain why connections from the public network wouldn't work to statically NATed servers.

Have you been able to confirm that the device/router in front of ASA sees the ARP for all the public IP addresses used in the NAT configurations of the ASA?

- Jouni
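The check Jouni does by eye in his two replies above (no general dynamic PAT from inside to outside; only static NAT, identity NAT and one destination-limited dynamic policy PAT), written out as an added Python example. This is not code from the thread and not Cisco tooling: it parses only the two NAT forms that appear in the thread (twice NAT "source static|dynamic ..." and object NAT "nat (real,mapped) static|dynamic ..."), takes a subset of the NAT lines posted above as its input, and assumes the object names (ALL172, allaccess, ...) stand for inside networks, since the object definitions were not posted. It also records the ASA lookup section of each rule, which is why the suggested after-auto rule (section 3) can be added without overriding the static object NAT (section 2) for the published servers.

```python
"""Classify Cisco ASA (8.3+ syntax) NAT statements and flag a missing outbound PAT.

Added example for the thread above; not Cisco code and not the poster's own tooling.
Only the two NAT forms that appear in the thread are parsed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the NAT lines posted in the thread (the backing object definitions were
# not posted; the names are assumed to describe inside hosts/networks).
POSTED_NAT_CONFIG = """\
nat (inside,outside) source static CHIACS71 CHIACS71 destination static DRSINTR1 DRSINTR1
nat (inside,outside) source static DRSACS71 DRSACS71 destination static DRSINTR1 DRSINTR1
nat (inside,outside) source static ALL172 ALL172 destination static clientvpn clientvpn
nat (inside,outside) source static ALL10 ALL10 destination static clientvpn clientvpn
nat (inside,outside) source dynamic allaccess formrchips destination static MrChips MrChips
!
object network host172.16.24.220
 nat (inside,outside) static 203.55.179.16
object network hostMail
 nat (inside,outside) static 203.55.179.30
object network allaccess
 nat (inside,outside) static 203.55.179.10
"""

# The fix suggested in the thread: a catch-all dynamic PAT evaluated after object NAT.
SUGGESTED_FIX = "nat (inside,outside) after-auto source dynamic any interface\n"

TWICE_NAT = re.compile(
    r"^nat \((?P<rif>[^,]+),(?P<mif>[^)]+)\)\s+(?P<after>after-auto\s+)?"
    r"source (?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)"
    r"(?P<dest>\s+destination static \S+ \S+)?"
)
OBJECT_NAT = re.compile(
    r"^nat \((?P<rif>[^,]+),(?P<mif>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)"
)


@dataclass
class NatRule:
    section: int      # ASA lookup order: 1 manual, 2 object (auto), 3 manual after-auto
    real_if: str
    mapped_if: str
    kind: str         # "static" or "dynamic"
    real: str         # real-side object, or a keyword such as "any"
    mapped: str       # mapped-side object/address, or "interface"
    policy: bool      # True when a destination clause limits which flows match
    raw: str

    @property
    def identity(self) -> bool:
        # real == mapped is an identity rule (NAT exemption); it never hides a source
        return self.real == self.mapped


def parse_nat(config: str) -> list[NatRule]:
    """Parse twice-NAT lines and object-NAT sub-commands into NatRule records."""
    rules: list[NatRule] = []
    current_object = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            current_object = s.split()[2]      # object NAT lines belong to this object
            continue
        m = TWICE_NAT.match(s)
        if m:
            rules.append(NatRule(
                section=3 if m.group("after") else 1,
                real_if=m.group("rif"), mapped_if=m.group("mif"),
                kind=m.group("kind"), real=m.group("real"), mapped=m.group("mapped"),
                policy=m.group("dest") is not None, raw=s))
            continue
        m = OBJECT_NAT.match(s)
        if m and current_object:
            rules.append(NatRule(
                section=2, real_if=m.group("rif"), mapped_if=m.group("mif"),
                kind=m.group("kind"), real=current_object, mapped=m.group("mapped"),
                policy=False, raw=s))
    return rules


def general_outbound_pat(rules: list[NatRule], real_if="inside", mapped_if="outside") -> list[NatRule]:
    """Rules that can translate arbitrary inside sources toward the mapped interface:
    dynamic, not identity, and not restricted to a destination (policy NAT)."""
    return [r for r in rules
            if r.real_if == real_if and r.mapped_if == mapped_if
            and r.kind == "dynamic" and not r.identity and not r.policy]


def diagnose(config: str) -> list[str]:
    """Return human-readable findings about outbound translation coverage."""
    rules = parse_nat(config)
    findings = []
    if not general_outbound_pat(rules):
        findings.append("no general dynamic NAT/PAT from inside to outside; "
                        "inside hosts without a static mapping get no translation")
    for r in rules:
        if r.kind == "dynamic" and r.policy:
            findings.append(f"dynamic policy PAT limited to one destination, "
                            f"not a general outbound rule: {r.raw}")
    return findings


if __name__ == "__main__":
    for f in diagnose(POSTED_NAT_CONFIG):
        print("finding:", f)
    print("after adding the suggested rule:", diagnose(POSTED_NAT_CONFIG + SUGGESTED_FIX))
```

Run it as-is to see the two findings for the posted rules; appending the suggested after-auto line leaves only the informational note about the destination-limited policy PAT, because the new rule is the first one able to translate an arbitrary inside source toward the outside interface.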
