10-06-2010 12:27 PM - edited 03-11-2019 11:51 AM
%ASA-session-6-302021: Teardown ICMP connection for faddr 192.168.1.109/0 gaddr 192.168.1.4/0 laddr 192.168.1.4/0
I have upgraded my ASA from 8.0 to 8.2.
However, none of the static NATs are working. None of the outside_access_in access-list entries has any hits. Please help.
10-06-2010 01:15 PM
Hi Alex,
Can you post the config? That would help us identify where the problem lies.
-Mike
10-06-2010 01:35 PM
10-06-2010 01:48 PM
Hi Alex,
Which static statements aren't working? I tried to connect to a handful on TCP/80 and they all seemed to go through.
-Mike
10-06-2010 01:51 PM
It is because the primary firewall with the old 8.0 version is still in production.
I am updating the standby firewall and testing tonight.
But I failed to access any of the NATs, so I have put it offline now.
10-06-2010 01:59 PM
Dear Support:
static (inside,outside) 210.177.218.1 192.168.1.23 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.2 192.168.1.24 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.3 192.168.1.11 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.33 192.168.41.63 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.35 192.168.41.62 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.4 192.168.1.51 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.11 192.168.1.20 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.12 192.168.1.18 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.16 192.168.1.19 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.17 192.168.1.48 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.18 192.168.2.16 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.19 192.168.1.81 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.20 192.168.1.17 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.21 192.168.1.26 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.22 192.168.1.37 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.23 192.168.1.52 netmask 255.255.255.255 dns
static (inside,outside) 210.177.218.24 192.168.1.54 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.36 192.168.1.53 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.38 192.168.1.27 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.39 192.168.1.65 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.40 192.168.1.30 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.42 192.168.1.3 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.43 192.168.1.71 netmask 255.255.255.255
static (inside,outside) 210.177.98.37 192.168.1.92 netmask 255.255.255.255 dns
None of them can be pinged or accessed via the Internet.
10-06-2010 02:02 PM
Hi Alex,
Is this on the 8.0 or 8.2 unit? They cannot run simultaneously with the same config since the upstream router's ARP table will not be correct and won't know which firewall actually owns the public addresses.
-Mike
10-06-2010 02:06 PM
Dear Support:
The 8.0 unit is in production now. The 8.2 unit is currently offline. But I am wondering whether I have configured anything wrongly on the 8.2 unit, per the attached file I sent, since I can't get any of the NAT servers up.
Thanks.
10-06-2010 02:41 PM
Hi Alex,
I assume the 8.0 unit and the 8.2 unit have the exact same IP address and static NAT configurations, correct? And when you initially tested, you just swapped the 8.0 unit with the 8.2 unit and tested the NAT, correct?
The reason the static statements were most likely failing is because the upstream device (probably the ISP router) still had the IP addresses of the static associated with the MAC address of the 8.0 unit. To resolve this issue, you can simply clear the arp cache on the upstream device (clear arp-cache) if you have management access to it, or you can simply reload it to clear the arp cache as well.
Therefore, please try the following:
- Replace the 8.0 ASA with the 8.2 ASA (I am assuming both devices have the exact same IP address assignment and configuration)
- Clear the arp cache on the upstream device either with the command "clear arp-cache" or reloading the device
Hope that helps.
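The stale-ARP condition described in the reply above can be confirmed before clearing anything. The following is an added example, not part of the original thread: it takes the mapped addresses from `static` lines in the format posted above and compares them with the upstream router's `show arp` output. The ARP output, all MAC addresses and the new firewall's outside MAC are constructed sample values.

```python
import re

# Constructed sample: three static lines in the format posted in the thread.
ASA_CONFIG = """\
static (inside,outside) 210.177.218.1 192.168.1.23 netmask 255.255.255.255 dns
static (DMZ,outside) 210.177.98.33 192.168.41.63 netmask 255.255.255.255 dns
static (inside,outside) 210.177.98.43 192.168.1.71 netmask 255.255.255.255
"""

# Constructed "show arp" output from the upstream router (IOS column layout).
# Every MAC address here is made up for this example.
UPSTREAM_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  210.177.218.1          37   0011.2233.aaaa  ARPA   GigabitEthernet0/1
Internet  210.177.98.33           2   0011.2233.bbbb  ARPA   GigabitEthernet0/1
Internet  210.177.218.254         -   0011.2233.ffff  ARPA   GigabitEthernet0/1
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", re.M)
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.M | re.I,
)

def mapped_addresses(config):
    """Return {mapped (public) IP: real IP} for each static NAT line."""
    return {m.group(3): m.group(4) for m in STATIC_RE.finditer(config)}

def audit_arp(config, arp_output, new_fw_mac):
    """Classify each mapped IP by what the upstream ARP table holds for it."""
    arp = {ip: mac.lower() for ip, mac in ARP_RE.findall(arp_output)}
    report = {}
    for public_ip in mapped_addresses(config):
        mac = arp.get(public_ip)
        if mac is None:
            report[public_ip] = "no-entry"      # nothing cached for this address
        elif mac == new_fw_mac.lower():
            report[public_ip] = "ok"            # already bound to the new unit
        else:
            report[public_ip] = "stale:" + mac  # still bound to another device
    return report

if __name__ == "__main__":
    # Assumed outside-interface MAC of the newly installed unit (constructed).
    for ip, status in audit_arp(ASA_CONFIG, UPSTREAM_ARP, "0011.2233.bbbb").items():
        print(f"{ip:16} {status}")
```

Addresses reported as `stale` are the ones the upstream device will keep forwarding to the old unit until its ARP cache is cleared or the entries age out.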