https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445403#M269233 <HTML><HEAD></HEAD><BODY><P>If the packet tracer shows as allowed, I would do a packet capture.&nbsp; This will give us a good idea if the packets is entering and leaving the outside interface, as well as entering and leaving the inside interface.&nbsp; Please post the results here for further assistance.</P><P></P><P>here is a link on how to perform a packet capture:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html</A></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 21 Feb 2014 08:19:53 GMT Marius Gunnerud 2014-02-21T08:19:53Z https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445401#M269231 <P>I have the following configured on an ASA running 9.1(2)</P><P></P><P>object network Webserver</P><P> Host&nbsp; 10.10.10.1</P><P> nat (DMZ,outside) static 208.2.3.4</P><P></P><P>Access-list knock_knock extended permit tcp any object Webserver eq http</P><P></P><P>Access-group <SPAN style="font-size: 10pt;">knock_knock </SPAN><SPAN style="font-size: 10pt;">in interface outside</SPAN></P><P></P><P>BUT.. I still cannot get to the the webserver from the outside(internet). so I captured some logs and found that the NAT and access list mentioned above are actually working (please see the attached screen capture)</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/6/2/0/181026-DMZ%20Trouble.JPG" alt="DMZ Trouble.JPG" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P>The NAT is definitely working since my independent test from the outside registers as "hits" each time I try to get to the HTTP server. The logs tell me that it Builds and Tears down the attempted connection instantaneously. Since I know that the NAT and the access list on the outside interface are both working components, troubleshooting them would be a waste of time. The Server itself can access the internet(outside) without any issues from behind the DMZ where it lives. I tested it's ability to do so by logging on and browsing the internet (yahoo, CNN etc..) so the basic principles of the server are fine (IP, Gateway Subnet connectivity etc..)&nbsp; </P><P><BR style="font-family: 'Droid Serif', Georgia, 'Times New Roman', serif; color: #222222; line-height: 20px; background-color: #ffffff;" /></P><P>What would you do at this point? </P><P><BR style="font-family: 'Droid Serif', Georgia, 'Times New Roman', serif; color: #222222; line-height: 20px; background-color: #ffffff;" /></P><P>Thanks in advance</P><P style="text-align: left;"><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Tue, 12 Mar 2019 03:48:15 GMT https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445401#M269231 chris.mcdermott 2019-03-12T03:48:15Z https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445402#M269232 <HTML><HEAD></HEAD><BODY><P>Hey ,</P><P></P><P>Please check the output of the following command from the firewall.</P><P></P><P>#packet-tracer input dmz tcp <SOURCE ip=""> http <DESTINATION ip=""> http</DESTINATION></SOURCE></P><P></P><P>Thanks</P></BODY></HTML> Fri, 21 Feb 2014 04:51:09 GMT https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445402#M269232 vishaw jasrotia 2014-02-21T04:51:09Z https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445403#M269233 <HTML><HEAD></HEAD><BODY><P>If the packet tracer shows as allowed, I would do a packet capture.&nbsp; This will give us a good idea if the packets is entering and leaving the outside interface, as well as entering and leaving the inside interface.&nbsp; Please post the results here for further assistance.</P><P></P><P>here is a link on how to perform a packet capture:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html">http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html</A></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 21 Feb 2014 08:19:53 GMT https://community.cisco.com/t5/network-security/nat-will-not-work/m-p/2445403#M269233 Marius Gunnerud 2014-02-21T08:19:53Z