NAT and a migration from PIX 506 to ASA 5505

mlinzbach
Level 1

I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.

With the 506 I had all outbound traffic going out the outside interface but for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.

Here are the pertinent commands from the PIX:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0

On the ASA 5505 box I can get out from 192.168.6.11 if I don't add the static entry.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

When I add the static command, traffic is prohibited from 192.168.6.11 to the outside, yet it can ping the ASA box, internal hosts, etc.

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255

I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.

Other ASA configs are basically out of the box with Higher-to-lower interface traffic being permitted. Only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.

Any assistance would be greatly appreciated.
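For readers doing the same PIX 6.3 to ASA 7.2 migration, here is a complete ASA 7.2 version of the configuration in the question, added here as an example and not taken from the original post. It assumes aaa.bbb.ccc.21 as the static global address, TCP/443 as the only service the server must expose, and 198.51.100.10 (an RFC 5737 documentation address) as a test destination; change all three to match your network. The security-relevant point is that the static command only creates the translation: what can reach 192.168.6.11 from the outside is decided by the outside access-list, so permit only the port the server actually serves.

```cisco
! Added example: ASA 7.2 equivalent of the PIX 6.3 NAT shown in the question.
! Not from the original post. Assumed values: aaa.bbb.ccc.21 is the static
! global address, TCP/443 is the only exposed service, 198.51.100.10 is a
! reachable test destination (RFC 5737 documentation range).

! Dynamic PAT for everything on the inside (as on the PIX, without the
! trailing "0 0" connection/embryonic limits that 7.x no longer takes here)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! One-to-one static for the server. Outbound traffic from 192.168.6.11 is now
! translated to .21, not to the interface address: a static takes precedence
! over the nat/global pool for that host.
static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

! The static creates the mapping only. Inbound connections to .21 still need
! an access-list on the outside interface; permit just what the server serves.
access-list OUTSIDE_IN extended permit tcp any host aaa.bbb.ccc.21 eq 443
! Replies to internal ping/traceroute: allow only the ICMP types they need
! (the alternative is "inspect icmp" under the global policy-map, which
! tracks echo requests statefully and needs no ACL entries for the replies).
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Checks from the ASA CLI.
! 1. Does the firewall build the expected translation for an outbound flow?
packet-tracer input inside tcp 192.168.6.11 1025 198.51.100.10 443
show xlate
! 2. Does the upstream router have the right MAC for the static address?
!    The ASA answers ARP for .21 itself (proxy ARP for statics). When a PIX is
!    swapped for an ASA, the next-hop router can keep the old firewall's MAC
!    cached for .21 until its ARP entry times out, so traffic for the static
!    address is sent to a device that is no longer there while the dynamic
!    PAT on the interface address keeps working.
show arp
```

If you control the upstream router (Cisco IOS), `show ip arp aaa.bbb.ccc.21` shows which MAC it currently holds for the static address and `clear arp-cache` flushes it; if the ISP owns it, the only options are waiting for the entry to age out or asking them to clear it, which is consistent with the ISP router reboot that resolves this thread.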

21 Replies

I'm absolutely stumped. I regularly use similar configuration and have never run into an issue like this.

At this point I would suggest checking the 7.2.2 release notes for unresolved caveats relating to NAT and opening a TAC.

I just read this again.

Are you saying that the host 192.168.6.11 has its default route being a 2600 router on the same subnet and that router in turn has its default route being 192.168.6.254?

That begs the question, what is 192.168.6.254?

According to his config, that is the inside interface of the ASA. It does sound weird, although I would not suspect routing problems, as he says this host can access the internet without the static command. Why not just make the gateway 192.168.6.254?

I am suspecting that the router is doing NAT and since his nat rule is so coarse (0.0.0.0/0) it's working without the static statement.

That doesn't explain why it wouldn't work with the static statement, unless he's looking specifically for traffic sourced from the static translation to verify connectivity.

Tried setting the host to have a default gateway of 192.168.6.254, then set the static to the following:

static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

Net result: NO difference, still cannot get out.

Next tried the following:

static (inside,outside) aaa.bbb.ccc.20 192.168.6.11 netmask 255.255.255.255

Net result: CAN get out with .20

I've tried updating the ASA from 7.22 to 7.22-19 and get the same results.

Tomorrow I'll try plugging in directly outside the firewall with all IPs aaa.bbb.ccc.17-21 (.22 is my ISP connection) to see if I can route outside of the firewall.

Thanks for everyone's help. Will follow up tomorrow.

I just stumbled upon this while trying to figure out the same problem you mention. I don't have an additional router.

mlinzbach
Level 1

OK

I've resolved this problem. Ultimately what I ended up doing was testing the IP addresses from outside the ASA. True to form, all network activity worked as expected.

I plugged the ASA box back in and couldn't get any connectivity out from behind the ASA box. A reboot of the ISP router cured both the ASA connectivity AND the static entry to aaa.bbb.ccc.21.

Sorry to have wasted everyone's bandwidth. I have no idea why their equipment was holding up the static mapping.
