Ebrima Suwareh (Gambia) asked:
INTRODUCTION OF A NEW CISCO ASA CAUSING INTERNAL LAN PROBLEM

I had an ASA 5510 and I copied the configs to a new ASA 5512, with some changes to the NAT. Everything works as on the ASA 5510; however, my LAN is very unstable. User connections time out to my LAN servers, and even remote users on the remote-access VPN also experience network time-outs.

Please see below the changes to the NAT. Can anyone check whether there is a problem in these statements that might cause my network instability?
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.17.0_25 NETWORK_OBJ_192.168.17.0_25 no-proxy-arp route-lookup
!
object network asy_server
nat (outside,dmz) static 192.168.32.199
object network HRIS
nat (outside,inside) static 192.168.0.100
object network ASY
nat (outside,dmz) static 192.168.32.199
object network BANKSRM
nat (outside,dmz) static 192.168.32.15
object network Hris
nat (outside,inside) static 192.168.0.100 service tcp 3040 https
object network Mails
nat (outside,inside) static 192.168.0.99 service tcp 3000 https
object network mails
nat (inside,outside) static 192.168.0.99 service tcp 3000 https
object network ob32-192.168.32.0
nat (dmz,vpns) static 192.168.32.0
object network obj-192.168.20.0
nat (vpns,dmz) static 192.168.20.0
object network obj-192.168.0.0
nat (inside,vpns) static 192.168.0.0
!
nat (inside,outside) after-auto source dynamic any interface description PAT
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group 150 out interface inside
access-group dmz_access_in in interface dmz
access-group vpns_access_in in interface vpns
!
Jan Bacher (United States):

do you have "sysopt noproxyarp <inside interface>" configured?
Ebrima Suwareh (asker):
No, I did not configure sysopt. I have my existing ASA 5510 config on my new ASA 5512 on IOS 8.4+, but only made changes to the NAT, which was not compatible.
My ASA has three VLANs:

1. for internet: 192.168.0.0
2. data: 192.168.32.0
3. outside, hosting the public IP

Everything is working, but the LAN is not stable: the data network times out every minute. There is something wrong with the ASA config, because if I put the old ASA 5510 back everything is stable again.
>>i copied the configs to new ASA 5512 but some changes on the nat.

Do you have the earlier (working) ASA 5510 NAT config we can see?

Also, syntactically (is that a word?) this is correct, but it's very unusual:
access-group inside_access_in in interface inside
access-group 150 out interface inside

You have ACLs applied in both directions on the inside interface? Is that correct? I ask because I've never done this.

Regards,
Pete
I am a novice in Cisco; please tell me the right thing to do.
Can I see the changes you made to the NAT on the new ASA 5512?
The two access-lists are working with the old ASA 5510; there is no network problem.

1. access-group inside_access_in in interface inside
2. access-group 150 out interface inside

This is the ASA 5510 config:
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat_dmz_to_other
nat (dmz) 101 0.0.0.0 0.0.0.0
nat (vpns) 0 access-list nonat_vpns_to_other
static (inside,outside) tcp interface 3040 192.168.0.100 3040 netmask 255.255.25
static (outside,inside) tcp interface 3033 192.168.0.119 3033 netmask 255.255.25
static (outside,inside) tcp interface 3040 192.168.0.100 3040 netmask 255.255.25
static (inside,outside) tcp interface smtp 192.168.0.99 smtp netmask 255.255.255
static (inside,outside) tcp interface pop3 192.168.0.99 pop3 netmask 255.255.255
static (inside,outside) tcp interface 1000 192.168.0.99 1000 netmask 255.255.255
static (inside,outside) tcp interface imap4 192.168.0.99 imap4 netmask 255.255.2
static (outside,inside) tcp interface 3000 192.168.0.99 3000 netmask 255.255.255
static (inside,outside) tcp interface 3000 192.168.0.99 3000 netmask 255.255.255
static (dmz,vpns) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
static (vpns,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,vpns) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group 150 out interface inside
access-group dmz_access_in in interface dmz
access-group vpns_access_in in interface vpns
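As an added illustration (not code from this thread, from Cisco, or from any of the posters): a small Python helper that reads the object-NAT lines from the new 8.4-style config and the static lines from the old 8.2 config posted above, reports mapped addresses that more than one object claims on the same interface pair, and lists interface-pair/mapped-address combinations that appear in only one of the two configs, so the migration can be reviewed line by line. On the posted 8.4 config it flags two such overlaps: asy_server and ASY both claim 192.168.32.199 on (outside,dmz), and HRIS and Hris both claim 192.168.0.100 on (outside,inside). The sample text is a subset of the configs in the thread with the 8.2 netmasks dropped; the function names, the field names in the comments and the "any" placeholders are the example's own assumptions. Whether any of the differences it lists is the cause of the instability is still a manual review.

```python
import re
from collections import defaultdict

# Object NAT, ASA 8.3+ syntax (field names are this example's own labels):
#   object network NAME
#    nat (real_ifc,mapped_ifc) static MAPPED_ADDR [service tcp|udp REAL_PORT MAPPED_PORT]
OBJ_RE = re.compile(r"^\s*object network (\S+)\s*$")
NAT84_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?\s*$")
# Pre-8.3 static syntax, port form and plain form:
#   static (real_ifc,mapped_ifc) tcp|udp MAPPED_ADDR MAPPED_PORT REAL_ADDR REAL_PORT [netmask M]
#   static (real_ifc,mapped_ifc) MAPPED_ADDR REAL_ADDR [netmask M]
STATIC82_PORT_RE = re.compile(r"^\s*static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(?: netmask \S+)?\s*$")
STATIC82_RE = re.compile(r"^\s*static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask \S+)?\s*$")

# Constructed sample: a subset of the two configs posted in the thread (the 8.2
# netmasks are dropped on the port-static lines because the parser ignores them).
NEW_84_CONFIG = """\
object network asy_server
 nat (outside,dmz) static 192.168.32.199
object network HRIS
 nat (outside,inside) static 192.168.0.100
object network ASY
 nat (outside,dmz) static 192.168.32.199
object network Hris
 nat (outside,inside) static 192.168.0.100 service tcp 3040 https
object network mails
 nat (inside,outside) static 192.168.0.99 service tcp 3000 https
object network ob32-192.168.32.0
 nat (dmz,vpns) static 192.168.32.0
!
nat (inside,outside) after-auto source dynamic any interface description PAT
"""
OLD_82_CONFIG = """\
static (inside,outside) tcp interface 3040 192.168.0.100 3040
static (outside,inside) tcp interface 3040 192.168.0.100 3040
static (inside,outside) tcp interface 3000 192.168.0.99 3000
static (dmz,vpns) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
"""


def parse_84_object_nat(config):
    """Map (real_ifc, mapped_ifc, mapped_addr, proto, mapped_port) -> [object names]."""
    claims = defaultdict(list)
    current = None
    for line in config.splitlines():
        if line.strip() == "!":          # end of the object block
            current = None
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAT84_RE.match(line)         # twice-NAT ("source static ...") lines do not match
        if m and current:
            real_ifc, mapped_ifc, mapped, proto, _real_port, mapped_port = m.groups()
            key = (real_ifc, mapped_ifc, mapped, proto or "any", mapped_port or "any")
            claims[key].append(current)
    return dict(claims)


def parse_82_static(config):
    """Return the set of (real_ifc, mapped_ifc, mapped_addr, proto, mapped_port) keys."""
    keys = set()
    for line in config.splitlines():
        m = STATIC82_PORT_RE.match(line)
        if m:
            real_ifc, mapped_ifc, proto, mapped, mapped_port, _real, _real_port = m.groups()
            keys.add((real_ifc, mapped_ifc, mapped, proto, mapped_port))
            continue
        m = STATIC82_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped, _real = m.groups()
            keys.add((real_ifc, mapped_ifc, mapped, "any", "any"))
    return keys


def overlapping_claims(claims):
    """Group claims by (real_ifc, mapped_ifc, mapped_addr) and keep the groups that
    more than one object claims, whatever the ports, for a human to review."""
    by_addr = defaultdict(list)
    for (real_ifc, mapped_ifc, mapped, proto, mport), objs in claims.items():
        for obj in objs:
            by_addr[(real_ifc, mapped_ifc, mapped)].append((obj, proto, mport))
    return {k: v for k, v in by_addr.items() if len(v) > 1}


def mapped_address_diff(old_keys, new_claims):
    """(only_in_old, only_in_new) as sets of (real_ifc, mapped_ifc, mapped_addr)."""
    old = {k[:3] for k in old_keys}
    new = {k[:3] for k in new_claims}
    return old - new, new - old
```

To use it on a full config, feed the output of `show running-config nat` (8.4) and the old `static`/`nat` lines (8.2) to the two parsers and print `overlapping_claims()` and `mapped_address_diff()`. The diff deliberately compares only the interface pair and the mapped address: the 8.2 lines use `interface` as the mapped address while the 8.4 object-NAT lines name a concrete address, so every such pair shows up as "only in one config" and has to be matched up by hand.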