Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA5510 Strange NAT Problem

Status
Not open for further replies.
ssalyers

ssalyers

IS-IT--Management
Jun 29, 2011
3
CA
Hello all and thanks in advance for any help. Sorry to be so long-winded but it is a fairly complicated setup and wanted to give an overview of the entire config.Here is my situation I have a Cisco ASA5510 and we have 2 ISPs (PrimaryISP & BackupISP). We have recently changed our PrimaryISP but these problems developed LONG after that. The PrimaryISP is an ethernet handoff from a fiber circuit that goes into an open switch and then to the ASA. The backup circuit is an ethernet handoff that goes into a Cisco 1841 router and then into the same open switch which is then connected to a different port on the ASA. The PrimaryISP IP block is a /25. The BackupISP consisits of a /29 (public address on ASA) plus an additional /26 AND /25. The BackupISP circuit is used for Site-to-Site VPN connections from HQ to the datacenter and remote offices. It also serves incoming connections and as backup for our Anyconnect VPN clients and backup internet access at HQ. The ISP for the Backup had an outage about 2 weeks ago and since the outage I am unable to get incoming NAT rules to work. I can see the traffic passing through the 1841 to the ASA but once at the ASA I get a "no valid adjacency" as well as other erros. I have cleared xlate and arp, rebooted the ASA and the 1841, cleaned the config of all ACL's & NAT rule that would affect it and readded a single NAT that will not work for any of the BackupISP's ranges. Everything else (Anyconnect, site-to-site etc...) is working correctly.
 
Sort by date Sort by votes
I would suspect there is something still wrong with the circuit. If the configuration hasn't changed and you haven't upgraded the code when your provider comes back up you should be good to go. Are you using any ip sla?
 
Upvote 0 Downvote
I agree but I have been through hours of trouble shooting with them and a tracroute shows it getting to our Cisco 1841 router. From within the router when I add a NAT entry, I can ping it and get replies so the traffic is getting to the ASA. When I look at the traffic in a syslog server I see it getting to the ASA from an external source. I'm thoroughly stumped!

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
ASA5510 - SSL Cert
Replies
0
Views
196
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
309
intel233
intel233
steve777777
  • Locked
  • Question
Cisco ASA VPN+NAT
Replies
0
Views
72
steve777777
steve777777
ITSUPPORTIT
  • Locked
  • Question
VPN from ASA 5510 and RV215W problem
Replies
0
Views
77
ITSUPPORTIT
ITSUPPORTIT
joblack23
  • Locked
  • Question
ASA5510 EOL
Replies
1
Views
96
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top