I do not believe you should be able to ping the outside interface of the ASA from the inside interface. By default the ASA will not allow a packet to exit the same interface it enters. I do not know of a way to change this behavior.

James

Thanks in advance.

got it to work using a layer2 switch trunked to the ASA’s

Yes, I have added the standby IP addresses however I am getting (waiting) failed on my outside interfaces…ooh so close

secure1/production# sh fail
Failover On
Last Failover at: 08:14:52 UTC Oct 11 2008
This context: Failed
Active time: 0 (sec)
Interface outside (xxx.xxx.136.18): Failed (Waiting)
Interface inside (10.10.3.10): Normal
Peer context: Active
Active time: 2428 (sec)
Interface outside (xxx.xxx.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 1913 0
ARP tbl 0 0 15 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#

That doesn’t look right to me. I am not running Active/Active with contexts, but I do have a failover config. Here is the sh fail:

FW-ASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 21:42:13 CDT Aug 18 2008
This host: Primary - Active
Active time: 4806765 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.226): Normal
Interface DMZ_Servers (10.10.48.1): Normal
Interface DMZ_VPN (10.10.49.1): Normal
Interface DMZ_InternetDump (10.10.126.1): Normal (Not-Monitored)
Interface inside (10.10.100.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 266 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.227): Normal
Interface DMZ_Servers (10.10.48.2): Normal
Interface DMZ_VPN (10.10.49.2): Normal
Interface DMZ_InternetDump (10.10.126.2): Normal (Not-Monitored)
Interface inside (10.10.100.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up

Stateful Failover Logical Update Statistics
Link : Unconfigured.

It looks like you setup the failover part correctly, but did not put the standby IP address on the interfaces. Here are 2 of the interfaces from my ASAs:

!
interface GigabitEthernet0/1.48
vlan 48
nameif DMZ_Servers
security-level 48
ip address 10.10.48.1 255.255.255.0 standby 10.10.48.2
!
interface GigabitEthernet0/1.49
vlan 49
nameif DMZ_VPN
security-level 49
ip address 10.10.49.1 255.255.255.248 standby 10.10.49.2

You have to add the standby interface to every interface.

Let me know if that helps.

Solution 3 was the answer!

You have no idea how frustrated I was getting not being able to ping from a host on my network. I looked everywhere in the Cisco documentation and I couldn’t find anything related to my problem.

Thanks!

got it working finally, that subinterfaces worked wonders…now i have a question

a context that is on standby will not have any ip addresses assigned to it?

ASA1 (production active and support standby)

secure1/support# sh fail
Failover On
Last Failover at: 23:47:28 UTC Oct 10 2008
This context: Standby Ready
Active time: 206 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Peer context: Active
Active time: 6539 (sec)
Interface outside (202.124.135.130): Normal (Waiting)
Interface inside (10.10.2.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 3 0 18394 1
ARP tbl 0 0 507 21
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/support#

mnl-secure1/production# sh fail
Failover On
Last Failover at: 23:44:02 UTC Oct 10 2008
This context: Active
Active time: 7013 (sec)
Interface outside (119.111.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal (Waiting)
Peer context: Failed
Active time: 0 (sec)
Interface outside (119.111.136.28): Failed (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 34420 0 0 0
ARP tbl 74 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#

ASA2 (support active production standby)

nl-secure1/support# sh fail
Failover On
Last Failover at: 23:47:21 UTC Oct 10 2008
This context: Active
Active time: 6907 (sec)
Interface outside (202.124.135.130): Normal (Waiting)
Interface inside (10.10.2.1): Normal (Waiting)
Peer context: Standby Ready
Active time: 206 (sec)
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 19537 0 3 0
ARP tbl 546 0 0 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/support#

secure1/production# sh fail
Failover On
Last Failover at: 23:47:08 UTC Oct 10 2008
This context: Failed
Active time: 0 (sec)
Interface outside (119.111.136.28): Failed (Waiting)
Interface inside (0.0.0.0): Normal (Waiting)
Peer context: Active
Active time: 7156 (sec)
Interface outside (119.111.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal (Waiting)

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 35262 10
ARP tbl 0 0 74 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#

any thoughts?

thanks a bunch

You are correct about dynamic and static NAT. The difference is in the way they are utilized.

Static NAT is generally used to make a static 1-to-1 mapping of IP addresses. In the example above, you are mapping 202.168.9.10 to 192.168.7.1. This is usefull if you have a server on the LAN or DMZ that you want to allow services from the outside world. This way, people accessing the 202.168.9.10 ip address will be redirected to the server at 192.168.7.1.

Dynamic NAT is used when you want multiple users behind the firewall to have access to the internet (or other network). In this case, you could allow all computers on the LAN to access the internet. However, the way your nat statement is written, only 192.168.7.1 will be able to access the internet. You could change it to allow the entire subnet to access the internet.

nat (inside) 100 192.168.7.0 255.255.255.0

Let me know if that didn’t answer your questions.

I have another question regarding ASA firewall, can I know what the different is between

1) global (outside) 100 202.168.9.10
nat (inside) 100 192.168.7.1
and
2) static (inside, outside) 202.168.9.10 192.168.7.1 netmask 255.255.255.255

From my understanding, the first one is consider dynamic NAT and second one is consider static NAT (Am I right?). And both of it also performing the same thing which is translating private ip addresses 192.168.7.1 to outside public addresses 202.168.9.10.

But I am bit confuse what is the different between both of them. I try surf for websites but cannot find any useful information of it.

When your guys performing NAT in ASA firewall, which command your all will be using? If both of this commands also performing the same functions, I really not understand and which NAT command that i need to use.

Thank you,
Have a nice day