  • ASA assuming IP address of server?

    One of my clients has a Lync Edge server in their DMZ. They also recently migrated to ASAs for their firewalls.

    After rebooting their edge server, it now says that there's an IP conflict with the configured IP address. Looking at the ARP table on the server, it shows the ASA's MAC address on the server's IP address. From other servers in the DMZ we also see the ASA's MAC address on the server's IP address.

    I'm thinking this has something to do with the NAT configuration but I'm not very strong with ASA configs.

    Any ideas would be helpful. Attached is a sanitized running-config of the ASA.
    ASA_sanitized.txt
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

  • #2
    Re: ASA assuming IP address of server?

    I'm fairly new to ASAs as well, but it appears this one's running in a failover config, yes? If so, it's got 2 IPs on its DMZ interface (Gi 0/2). Is one of those IPs the one that matches the server?

    When a device runs in a failover situation, it's usually configured one of 2 ways:
    A) each device knows about the IP of the others, so if 2 devices are in a failover setup, then each device would have its own address as primary and its twin's as secondary.
    B) each device has its own IP, so 2 are used, and a 3rd is needed as a virtual interface so that clients refer traffic to that 3rd IP, and whichever device is available answers. The 2 devices use their own IPs as source/destination to coordinate with each other, separately.

    Have you allowed for that?

    If I'm completely off the mark, I'll apologize now.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: ASA assuming IP address of server?

      Yup, in a failover. Scenario A. And we have accounted for the ASA's IPs so there should be no conflict there.

      Here's a bit more info. After the initial reboot when we saw the error, we changed the IP address to another free one, then changed the NAT and ACL settings on the ASA and things worked fine for a bit. Then another reboot was needed and the conflict was on the new IP now.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: ASA assuming IP address of server?

        This is a strange one, as each NIC should have a unique IP address.
        Is there a switch between the ASA and the server? The switch would be a good place to investigate, as it builds the IP-to-MAC associations in its CAM table.
        Also, is there anything in Event Viewer on the server?
        Maybe running a Wireshark capture may reveal some further info.
        Please remember to award reputation points if you have received good advice.
        I do tend to think 'outside the box' so others may not always share the same views.

        MCITP -W7,
        MCSA+Messaging, CCENT, ICND2 slowly getting around to.



        • #5
          Re: ASA assuming IP address of server?

          I'll check that out today and let you know.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: ASA assuming IP address of server?

            Is the ASA doing proxy ARP for the server? If so, that might explain it.



            • #7
              Re: ASA assuming IP address of server?

              I know they're definitely doing proxy ARP on the external interface because of the way the IP blocks were assigned from the ISP and the limitations of the ASA (or the consultants that implemented the solution). But I think you might be on to something there... I just noticed this in the NAT statements:

              Code:
              arp outside 3.x.x.67 bc16.651f.e5ab alias
              arp outside 3.x.x.73 bc16.651f.e5ab alias
              arp outside 3.x.x.74 bc16.651f.e5ab alias
              arp outside 3.x.x.75 bc16.651f.e5ab alias
              arp outside 3.x.x.76 bc16.651f.e5ab alias
              arp outside 3.x.x.68 bc16.651f.e5ab alias
              arp outside 3.x.x.71 bc16.651f.e5ab alias
              arp outside 3.x.x.72 bc16.651f.e5ab alias
              arp outside 3.x.x.69 bc16.651f.e5ab alias
              arp outside 3.x.x.70 bc16.651f.e5ab alias
              arp timeout 14400
              arp permit-nonconnected
              nat (inside,outside1) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static net-10.27.128.0 net-10.27.128.0 no-proxy-arp route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
              nat (inside,dmz) source static Host-172.16.10.16 Host-172.16.10.16 route-lookup
              nat (inside,dmz) source static Host-172.16.10.14 Host-172.16.10.14 route-lookup
              nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 no-proxy-arp route-lookup
              nat (inside,outside) source static any any destination static NETWORK_OBJ_10.27.5.248_29 NETWORK_OBJ_10.27.5.248_29 no-proxy-arp route-lookup
              nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
              And I'm now just realizing I didn't specify the IP I'm having issues with. It's 172.16.10.16. Can we add "no-proxy-arp" to the end of the highlighted config?
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

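The proxy-ARP question in #6 and the two `(inside,dmz)` identity NAT lines in #7 are the kind of thing worth checking mechanically before touching the firewall. The script below is an added example written for this page, not code from the thread, from Cisco or from the consultants who built the config. It parses twice-NAT `nat (real,mapped) source static ...` lines, flags identity rules (real object equal to mapped object) that still have proxy ARP enabled, and shows the same line with `no-proxy-arp` placed ahead of `route-lookup`, the keyword order used by the other lines quoted above. It also cross-checks a host's ARP cache against the firewall's MAC. The DMZ MAC address and the firewall's own DMZ addresses are not given in the thread, so the values used here are constructed placeholders, as are the sample ARP lines.

```python
"""Audit ASA twice-NAT rules for identity NAT without no-proxy-arp and
cross-check a DMZ host's ARP cache against the firewall's MAC.

Added example for this page; assumes the firewall MAC and interface
addresses below, which the thread does not provide (placeholders)."""
import re

# Constructed sample: a subset of the NAT lines quoted in the thread,
# including the two (inside,dmz) identity rules that lack the keyword.
SAMPLE_CONFIG = """\
nat (inside,outside) source static NETWORK_OBJ_10.27.0.0_20 NETWORK_OBJ_10.27.0.0_20 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
nat (inside,dmz) source static Host-172.16.10.16 Host-172.16.10.16 route-lookup
nat (inside,dmz) source static Host-172.16.10.14 Host-172.16.10.14 route-lookup
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
"""

# Constructed sample of a DMZ host's ARP cache (arp -a style). The
# firewall's DMZ MAC appears against its own address and the server's.
SAMPLE_ARP = """\
172.16.10.1    00-11-22-33-44-01    dynamic
172.16.10.16   00-11-22-33-44-01    dynamic
172.16.10.14   00-50-56-aa-bb-cc    dynamic
"""
ASA_DMZ_MAC = "00-11-22-33-44-01"  # placeholder; real DMZ MAC not in the thread
ASA_DMZ_IPS = {"172.16.10.1"}      # placeholder: active/standby DMZ addresses

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_a>\S+) (?P<dst_b>\S+))?"
    r"(?P<opts>(?: \S+)*)$"
)


def parse_nat(config_text):
    """Return one dict per twice-NAT 'source static' line; other lines are ignored."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        opts = rule.pop("opts")
        rule["options"] = opts.split()
        rule["head"] = line[: len(line) - len(opts)]  # everything before the trailing keywords
        rule["line"] = line
        rules.append(rule)
    return rules


def proxy_arp_identity_rules(rules):
    """Identity NAT (real object == mapped object) with proxy ARP still enabled.
    Without no-proxy-arp the ASA may answer ARP for the mapped address on the
    mapped interface; when that address is a host on a connected subnet, the
    host sees an IP conflict with the firewall's MAC, as described in post #1."""
    return [r for r in rules
            if r["src_real"] == r["src_mapped"]
            and "no-proxy-arp" not in r["options"]]


def with_no_proxy_arp(rule):
    """Same rule with no-proxy-arp inserted ahead of route-lookup (the keyword
    order of the ASDM-generated lines quoted in the thread)."""
    opts = list(rule["options"])
    if "no-proxy-arp" not in opts:
        idx = opts.index("route-lookup") if "route-lookup" in opts else len(opts)
        opts.insert(idx, "no-proxy-arp")
    return rule["head"] + "".join(" " + o for o in opts)


def hijacked_ips(arp_text, fw_mac, fw_ips):
    """Addresses in an ARP cache that resolve to the firewall's MAC but are
    not the firewall's own interface addresses: candidates for proxy-ARP
    collisions. MACs are normalised to aa-bb-cc-dd-ee-ff form for comparison."""
    want = fw_mac.lower().replace(":", "-")
    found = set()
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], parts[1].lower().replace(":", "-")
        if mac == want and ip not in fw_ips:
            found.add(ip)
    return sorted(found)


if __name__ == "__main__":
    for r in proxy_arp_identity_rules(parse_nat(SAMPLE_CONFIG)):
        print("proxy ARP enabled on identity NAT:", r["line"])
        print("  suggested:", with_no_proxy_arp(r))
    print("IPs answered by the firewall MAC:", hijacked_ips(SAMPLE_ARP, ASA_DMZ_MAC, ASA_DMZ_IPS))
```

Run against `show running-config nat` output and a `show arp` or `arp -a` dump from a DMZ host; an IP that the ARP check reports and that also appears in a flagged identity rule is the one to fix first. The script only reports; the configuration change itself is still made on the ASA, and the flagged rule should be re-verified after the next reboot of the server.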
