
New Member

NAT and a migration from PIX 506 to ASA 5505

I'm trying to migrate from a PIX 506 with 6.3 code to an ASA 5505 with 7.2 code and am running into problems with NATing.

With the 506 I had all outbound traffic going out the outside interface but for a server that I had a static NAT for. When I try the same commands on the ASA I don't get any outbound traffic for that single host.

Here are the pertinent commands from the PIX:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0

On the ASA 5505 box I can get out from 192.168.6.11 if I don't add the static entry.

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

When I add the static command traffic is prohibited from 192.168.6.11 to the Outside yet it can ping the ASA box, internal hosts, etc.

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255

I've tried the ASDM packet tracer and no faults appear in the simulation. The logs aren't helping me much in this either.

Other ASA configs are basically out of the box with Higher-to-lower interface traffic being permitted. Only added an incoming access-list to the outside interface to allow replies from internal ping/traceroute commands.

Any assistance would be greatly appreciated.

21 REPLIES
Green

Re: NAT and a migration from PIX 506 to ASA 5505

Is that outside address in the same subnet as the pix outside interface? If not, is it being routed to your pix? I assume it is ok as it was working before on 506 but I can't think of any other reason for this.

I guess you could test this, does everyone get out if you do...?

global (outside) 1 aaa.bbb.ccc.ddd

nat (inside) 1 0 0

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Is the outside address on the same subnet as the pix outside interface? Yes it is.

I guess you could test this, does everyone get out if you do ...? Yes they do but first I needed to remove the global command for the interface:

no global (outside) 1 interface

When I do a show xlate where previously outside traffic was aaa.bbb.ccc.eee it is now aaa.bbb.ccc.ddd.

Green

Re: NAT and a migration from PIX 506 to ASA 5505

Yes, I figured you would remove the existing global statement. My intention was only to prove that the address, aaa.bbb.ccc.ddd, was usable.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

What's your interface security level look like on the outside and inside interface?

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.6.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif ClientAccess
 security-level 50
 ip address 192.168.66.1 255.255.255.0
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Green

Re: NAT and a migration from PIX 506 to ASA 5505

Ah, didn't realize that IP was also your interface IP. Replace the IP with the keyword "interface".

static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Not following your logic here, please explain.

Presently my outside interface is aaa.bbb.ccc.eee and I would like all outbound traffic to use this PAT IP address except for internal device 192.168.6.11 which I want to use aaa.bbb.ccc.ddd.

Why would I use:

static (inside,outside) interface 192.168.6.11 netmask 255.255.255.255 0 0

and not:

static (inside,outside) aaa.bbb.ccc.ddd 192.168.6.11 netmask 255.255.255.255 0 0

because interface=aaa.bbb.ccc.eee and not aaa.bbb.ccc.ddd.

Thanks
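As an added example (not from this thread or from Cisco), here is a small Python model of how an ASA 7.x picks the translation for an outbound flow under the policy described above: a matching static is consulted before the nat/global dynamic pool, and the keyword "interface" resolves to the outside interface's own address. The 203.0.113.x addresses are constructed stand-ins for aaa.bbb.ccc.x, keeping the thread's .17 interface and .21 static.

```python
import ipaddress

# Added example, not from the thread: a toy model of ASA 7.x outbound
# translation selection. A matching "static" is consulted before the
# "nat"/"global" pool; "interface" resolves to the named interface's address.
# 203.0.113.x are constructed stand-ins for aaa.bbb.ccc.x (.17 iface, .21 static).

INTERFACES = {"inside": "192.168.6.254", "outside": "203.0.113.17"}

CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.21 192.168.6.11 netmask 255.255.255.255
"""

def _net(addr, mask):
    # "nat (inside) 1 0 0" is PIX shorthand for 0.0.0.0 0.0.0.0
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config_text):
    statics, nats, pools = [], [], {}
    for line in config_text.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":          # static (real_if,mapped_if) mapped real netmask m
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append((real_if, mapped_if, tok[2], _net(tok[3], tok[5])))
        elif tok[0] == "nat":           # nat (real_if) id real mask
            nats.append((tok[1].strip("()"), int(tok[2]), _net(tok[3], tok[4])))
        elif tok[0] == "global":        # global (mapped_if) id address|interface
            pools[(tok[1].strip("()"), int(tok[2]))] = tok[3]
    return statics, nats, pools

def _resolve(addr, ifname):
    return INTERFACES[ifname] if addr == "interface" else addr

def translate(cfg, src_if, dst_if, src_ip):
    """Return (mapped address, kind) for a flow leaving src_if towards dst_if."""
    statics, nats, pools = cfg
    ip = ipaddress.ip_address(src_ip)
    for real_if, mapped_if, mapped, real_net in statics:   # 1. static first
        if real_if == src_if and mapped_if == dst_if and ip in real_net:
            base = ipaddress.ip_address(_resolve(mapped, mapped_if))
            return str(base + (int(ip) - int(real_net.network_address))), "static"
    for nat_if, nat_id, real_net in nats:                  # 2. then nat/global
        if nat_if == src_if and ip in real_net and (dst_if, nat_id) in pools:
            return _resolve(pools[(dst_if, nat_id)], dst_if), "dynamic PAT"
    return None, "no translation"
```

Running translate() for 192.168.6.11 and for any other inside host shows the split the poster wants; swapping the global to a fixed address reproduces the "show xlate" change noted earlier in the thread.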

Green

Re: NAT and a migration from PIX 506 to ASA 5505

You posted this above...

!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.ddd 255.255.255.248

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Sorry that was a mistake on my part, it should have been aaa.bbb.ccc.eee.

The actual IP address of the outside interface ends with 17; the IP address I'd like to statically NAT ends with 21.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Strange, I really don't see anything wrong here... Would be interesting to see the full configuration.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Don't know if it's worth adding, but the host behind the ASA box in question has an IP with a default gateway pointing to a 2600 series router behind it. The 2600 router has a static route 0.0.0.0 0.0.0.0 that points to 192.168.6.254.

See attached for a sanitized config.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Where is your static statement, isn't that how you said you were facilitating outside connectivity for this single host?

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

I've removed the static statement because the host needs to be able to communicate outside. The static statement in question was previously posted as:

static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

Green

Re: NAT and a migration from PIX 506 to ASA 5505

I'd be looking for a bug at this point unless we're all overlooking something here.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

I'm absolutely stumped. I regularly use similar configuration and have never run into an issue like this.

At this point I would suggest checking the 7.2.2 release notes for unresolved caveats relating to NAT and opening a TAC.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

I just read this again.

Are you saying that the host 192.168.6.11 has its default route being a 2600 router on the same subnet and that router in turn has its default route being 192.168.6.254?

That begs the question, what is 192.168.6.254?

Green

Re: NAT and a migration from PIX 506 to ASA 5505

According to his config that is the inside interface of ASA. It does sound weird although I would not suspect routing problems as he says this host can access the internet without the static command. Why not just make the gateway 192.168.6.254?

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

I am suspecting that the router is doing NAT and since his nat rule is so coarse (0.0.0.0/0) it's working without the static statement.

That doesn't explain why it wouldn't work with the static statement, unless he's looking specifically for traffic sourced from the static translation to verify connectivity.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

Tried setting the host to have a default gateway of 192.168.6.254 then set static to the following:

static (inside,outside) aaa.bbb.ccc.21 192.168.6.11 netmask 255.255.255.255

Net result: NO difference, still cannot get out.

Next tried the following:

static (inside,outside) aaa.bbb.ccc.20 192.168.6.11 netmask 255.255.255.255

Net result: CAN get out with .20

I've tried updating the ASA from 7.22 to 7.22-19 and get the same results.

Tomorrow I'll try plugging in directly outside the firewall with all IPs aaa.bbb.ccc.17-21 (.22 is my ISP connection) to see if I can route outside of the firewall.

Thanks for everyone's help. Will follow up tomorrow.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

I just stumbled upon this while trying to figure out the same problem you mention. I don't have an additional router.

New Member

Re: NAT and a migration from PIX 506 to ASA 5505

OK

I've resolved this problem. Ultimately what I ended up doing was testing the IP addresses from Outside the ASA. True to form, all network activity worked as expected.

I plugged the ASA box back in and couldn't get any connectivity out from behind the ASA box. A reboot of the ISP router cured both the ASA connectivity AND the static entry to aaa.bbb.ccc.21.

Sorry to have wasted everyone's bandwidth. I have no idea why their equipment was holding up the static mapping.
