Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
0
Helpful
2
Replies

Cisco ASA problem with third public IP Address in the Subnet

prutejmartin
Level 1
Level 1

‎06-20-2012 12:28 PM - edited ‎03-11-2019 04:21 PM

Hello,

i have an intressted problem with my ASA 5510 CSC

i configured many firewalls till yet and i configure the normal static often times but this time it is not working as assumed.

Cisco ASA 5510 in failover

Public Network: is a x.x.x.128 /28

the two ip's that are configured on the outside(.130 &.131) are working fine with pat and static etc.

but when i configure the third public ip in the subnet with a static

static (inside,outside) x.x.x.133 172.x.x.x netmask 255.255.255.255

it is not working

the firewall has an default route to the ISP Router x.x.x.129

Here a capture

fw-001(config)# sh run access-list vpn
access-list test extended permit tcp any host x.x.x.132 eq 3389
access-list test extended permit tcp host x.x.x.132 any eq 3389

fw-at-klu-serA-001(config)# sh capture
capture vpn type raw-data access-list test interface outside [Capturing - 0 bytes]

i try to access a server with rdp from the outside but no hit.

when i set an traceroute from an client to the .130 the fw is working, if i trace to .132 the last hop that i can see is the one hop ago the ISP onsite Router the .129


i thought that be an routing issue on the Provider site but they told me that everything is fine, because when i connect me with a PC to the Internet VLAN and give it the ip x.x.x.132 it is working fine. The Provider also told me during the test he cannot see an arp enrtry in the ISP Router from .132


has somebody an idea ?

BR,

Martin

Labels:
0 Helpful
2 Replies 2

manish arora
Level 6
Level 6

‎06-20-2012 04:36 PM

Hi Martin,

Can you please check your Nat again :-

your Static command show .133 and you are complaing about 132. Is that a typo here or is also a typo on the firewall.

Also can you please check the Subnet Mask on your outside interface for /28 & have your ISP clear arp cache on their end.

Manish

0 Helpful

prutejmartin
Level 1
Level 1
In response to manish arora

‎06-21-2012 12:41 AM

Hi Manish,

problem is resolved, the problem was that proxy arp on the outside interface was disabled !!!

thnaks for your help

Br,

Martin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card