Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

STATIC doesn't work

ASA 5520 running ver. 8.0(3).

Here's the basic config:

global (outside) 101 interface

nat (101)

static (inside,outside) xxx.97.65.5 netmask

If I remove the static line then I send get to the Internet on Re-apply the static command will kill the Internet connection. All clients (without static) are fine with or without the static command.

No access-list created - everything is using default from out of the box.

Please help!!!!

Here's the config:

ASA Version 8.0(3)


hostname ASA-5520




interface GigabitEthernet0/0

description Outside to TW


security-level 0

ip address xxx.97.65.3


interface GigabitEthernet0/1

description Connection to 4506

nameif INSIDE

security-level 100

ip address INSIDE-


interface GigabitEthernet0/2


nameif DMZ

security-level 50

ip address


interface GigabitEthernet0/3


no nameif

no security-level

no ip address


interface Management0/0


no nameif

no security-level

no ip address


boot system disk0:/asa803-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup INSIDE

dns server-group DefaultDNS



same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type ICMP-ANY

description ICMP-ANY

icmp-object echo

icmp-object echo-reply

icmp-object traceroute

icmp-object unreachable

access-list INSIDE_nat_outbound extended permit ip object-group ALL_CRMC_SUBNET any

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging mail emergencies

logging host INSIDE

logging permit-hostdown

mtu OUTSIDE-TW 1500

mtu INSIDE 1500

mtu DMZ 1500

ip local pool VPN_Pool mask

ip verify reverse-path interface OUTSIDE-TW

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-61551.bin

asdm history enable

arp timeout 14400


global (OUTSIDE-TW) 101 interface

nat (INSIDE) 101

static (INSIDE,OUTSIDE-TW) xxx.97.65.5 netmask

route OUTSIDE-TW xxx.97.65.1 1

timeout xlate 0:30:00

timeout conn 0:15:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

New Member

Re: STATIC doesn't work

Hi Jimmy,

This looks to a gratuitous ARP issue.

I would suggest the following to get this fixed:

no static (inside,outside) xxx.97.65.5

int g0/0

ip address xxx.97.65.5


int g0/0

ip address xxx.97.65.3

static (inside,outside) xxx.97.65.5

Reason for the fix:

Firewall does a proxy ARP for the public ip address applied in the static statement. At times this ARP is not learned by the upstream device so we have to force this ARP. The best way to do it is by applying that public ip address in the static statement to the firewall outside interface and then applying it to the static statement again.

Note: This might cause termination of the active connection through the firewall so applying it off production hours is always recommended.

New Member

Re: STATIC doesn't work

Hi mkharban,

I did exactly as you suggested and it worked beautiful!!!

BTW: Thought you may want to know this - Internet connection was up and running just fine during the process of changing the outside IP address.

Thank you so much for your help!


New Member

Re: STATIC doesn't work

Hi Jimmy,

Internet connection generally stays up but to avoid any risks I always recommend adding that one-liner.


Manish Kharbanda

New Member

Re: STATIC doesn't work


I appreciate your professionalism!!!!

Have a Great week-end!!!


CreatePlease to create content