
We are in the process of upgrading from an ASA5505 to an ASA5510. I have a co-location configured for 3 ranges of public IP addresses on two different subnets. The 5505 is working as expected.

Example (modified IPs): 174.136.1.1, 72.249.1.1, 72.249.2.1

The firewall is assigned to 174.136.1.2. When bringing the 5510 online, traffic does not route correctly when NAT rules are created for any IP addresses in this range: 72.249.1.1, 72.249.2.1

  • I confirmed the data packets route correctly when assigning a server to an IP that is on the same subnet as the firewall.
  • When configuring additional VLANs for IP ranges 72.249.1.1 and 72.249.2.1, all packets route correctly. I put a switch between the firewall and the datacenter router. However, we do not have enough IPs to assign to additional VLANs.
  • I tried to create a static route to 72.249.1.1 and 72.249.2.1; that didn't work.
  • Packet trace results were positive, but I am not sure if I am doing it correctly.
  • I do see a Dynamic NAT rule on the 5505 vs Dynamic PAT rule on the 5510. I am unclear what the difference is. I think I have tried to toggle that on the 5510 with no luck.
  • I am researching subinterfaces on the 5510 but I'm not sure if that is the solution.

We have a small window to do the firewall upgrade and that is typically late night. I've tried multiple times with no luck. I can't create a test bed environment at the office. I may request another drop from the datacenter for testing purposes. Any help would be appreciated. I can post the full config.

manit
  • Have you tried with static NAT and correct access lists (assuming the routing by your ISP is OK for two different blocks)? Also, can you see if this is configured: `arp permit-nonconnected`? – Diamond Jan 18 '16 at 19:50
  • Yes, all the NATs are static. I have about 10 servers. All servers with a static NAT using an IP address that is on the same subnet as the firewall work fine. I have this in the config: "no arp permit-nonconnected" – manit Jan 18 '16 at 20:26
  • You will need this option enabled I guess. Try it like this: `arp permit-nonconnected` and check again. – Diamond Jan 18 '16 at 20:45

1 Answer

You will need arp permit-nonconnected enabled for the NAT to work properly.

arp permit-nonconnected

To enable the ARP cache to also include non-directly-connected subnets, use the arp permit-nonconnected command in global configuration mode. To disable non-connected subnets, use the no form of this command.

Usage Guidelines

The ASA ARP cache only contains entries from directly-connected subnets by default. When the no arp permit-nonconnected command is there (default behavior), the ASA rejects both incoming ARP requests and ARP responses in case the ARP packet received is in a different subnet than the connected interface.

Note that the first case (default behavior) causes a failure in case PAT is configured on the ASA and the virtual IP address (mapped) for PAT is in a different subnet than the connected interface.

Also, we do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attacks against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

  • Secondary subnets.
  • Proxy ARP on adjacent routes for traffic forwarding.

Examples

The following example enables non-connected subnets:

ciscoasa(config)# arp permit-nonconnected

Diamond
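The following is an added example, not the poster's configuration or the answer's own text, showing the setup the answer describes: a static NAT whose mapped address (72.249.1.1) lies in a block that is not the outside interface's subnet, first with the 5510 default (`no arp permit-nonconnected`, which is what fails) and then with the corrected setting. The interface names, the /24 masks, the inside server address 10.0.0.10, the object name WEB01, the ACL name OUTSIDE_IN and the upstream gateway 174.136.1.1 are assumptions; the public addresses are the ones from the question. The syntax is ASA 8.3+ object NAT, where access lists reference the real (untranslated) address.

```cisco
! Added example; assumes /24 masks, "outside"/"inside" nameifs and a server at 10.0.0.10.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 174.136.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the datacenter router (gateway address assumed).
route outside 0.0.0.0 0.0.0.0 174.136.1.1 1
!
! Inside server mapped to a public IP in 72.249.1.0/24, which is NOT the
! subnet configured on the outside interface. Static NAT, as in the question.
object network WEB01
 host 10.0.0.10
 nat (inside,outside) static 72.249.1.1
!
! Post-8.3 ACLs match the real address, so permit to the object, not to 72.249.1.1.
access-list OUTSIDE_IN extended permit tcp any object WEB01 eq 443
access-group OUTSIDE_IN in interface outside
!
! --- Failing state (factory default on the 5510) ---
! The ASA rejects ARP requests and replies whose addresses are outside
! 174.136.1.0/24, so the router's ARP for 72.249.1.1 never gets an answer
! and inbound traffic to the mapped IP is dropped upstream of the NAT rule.
no arp permit-nonconnected
!
! --- Corrected state ---
! Accept ARP for non-connected subnets so the ASA can answer for the
! NAT-mapped addresses in 72.249.1.0/24 and 72.249.2.0/24.
arp permit-nonconnected
!
! Verification after the change (run from enable mode):
!   show running-config arp        -> must list "arp permit-nonconnected"
!   show arp                       -> the datacenter router's entry should populate
!   packet-tracer input outside tcp 198.51.100.7 40000 72.249.1.1 443 detailed
```

Two caveats a practitioner would want. First, `packet-tracer` walks the ASA's own pipeline (ACL, NAT, route lookup) but does not exercise ARP on the wire, so a positive trace combined with traffic that still fails is consistent with exactly the ARP problem the answer describes; `show arp` and a capture on the outside interface (`capture OUT interface outside match arp`) show whether the router's ARP request for 72.249.1.1 is arriving and being answered. Second, the option is only needed when the datacenter router treats 72.249.1.0/24 and 72.249.2.0/24 as directly connected on the shared segment and ARPs for each address; if the provider instead routes those blocks to 174.136.1.2 as a next hop, the router only ever ARPs for the firewall's own address and `arp permit-nonconnected` can stay disabled, which avoids the ARP-table flooding risk the answer quotes from the Cisco documentation.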