https://community.cisco.com/t5/network-security/inbound-nat-question/m-p/2106010#M394666 <HTML><HEAD></HEAD><BODY><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif;">My question is do I have to allow that server back out? I am running 8.4(2)</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif; min-height: 8pt;"><STRONG>No, you do not need that,</STRONG></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif;">Or is the server taking the default route of the network back out which is out of ASA1?</P><P><STRONG>Should not be the case but just to make sure lets do a capture</STRONG></P><P><STRONG>This on the inside interface of ASA2</STRONG></P><P><STRONG>cap capin interface inside match tcp&nbsp; host inside_server&nbsp; host Outside_client</STRONG></P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Thu, 06 Dec 2012 00:39:25 GMT Julio Carvajal 2012-12-06T00:39:25Z https://community.cisco.com/t5/network-security/inbound-nat-question/m-p/2106009#M394665 <P>I have a network with 2 ASA's with different blocks of IP's on each.</P><P></P><P>I have configured an inbound NAT to a web server on ASA2</P><P></P><P>The inbound NAT works fine, and when I hit the external address I get a hit on the access list and I see the connection made inbound</P><P></P><P>%ASA-6-302013: Built inbound TCP connection 11189017 for ASA_Public_IP:*.*.*.*/50038 (*.*.*.*/50038) to Web-Server:192.168.2.19/80 (*.*.*.*/80)</P><P></P><P>However that is it, it times out and dies</P><P></P><P>My question is do I have to allow that server back out? I am running 8.4(2)</P><P></P><P>Or is the server taking the default route of the network back out which is out of ASA1?</P><P></P><P>I couldnt' see anything in the logs on ASA1 to suggest this.</P><P></P><P>If anyone could advise on the routing behaviour of this setup, will the server just try to route back out to the remote address via the default and if so can I make the server go back out of ASA2?</P><P></P><P>I was looking into policy routing to change the default for that server to be ASA2</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/8/8/4/117488-Cisco%20case.jpg" alt="Cisco case.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P>Thanks</P><P></P><P>Roger</P> Tue, 12 Mar 2019 00:33:13 GMT https://community.cisco.com/t5/network-security/inbound-nat-question/m-p/2106009#M394665 roger perkin 2019-03-12T00:33:13Z https://community.cisco.com/t5/network-security/inbound-nat-question/m-p/2106010#M394666 <HTML><HEAD></HEAD><BODY><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif;">My question is do I have to allow that server back out? I am running 8.4(2)</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif; min-height: 8pt;"><STRONG>No, you do not need that,</STRONG></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 11.818181991577148px; list-style: none; font-family: Arial, verdana, sans-serif;">Or is the server taking the default route of the network back out which is out of ASA1?</P><P><STRONG>Should not be the case but just to make sure lets do a capture</STRONG></P><P><STRONG>This on the inside interface of ASA2</STRONG></P><P><STRONG>cap capin interface inside match tcp&nbsp; host inside_server&nbsp; host Outside_client</STRONG></P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Thu, 06 Dec 2012 00:39:25 GMT https://community.cisco.com/t5/network-security/inbound-nat-question/m-p/2106010#M394666 Julio Carvajal 2012-12-06T00:39:25Z