https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131931#M893086 <HTML><HEAD></HEAD><BODY><P>Maybe a packet cpature between the two (or on the pix/asa) will shed some light. From the firewall you can ping the VIP correct?</P></BODY></HTML> Mon, 24 Nov 2008 19:01:11 GMT Collin Clark 2008-11-24T19:01:11Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131926#M893072 <P>I am trying to map a Public IP to private Virtual IP on the load balancer which forwards the traffic to web servers.</P><P></P><P>I have done all the necessary configurations on ASA, but the web service is still not accessible from the internet.</P><P></P><P>Configuration: </P><P>Outside IP: 95.12.60.31</P><P>Inside IP (VIP): 10.1.1.1</P><P></P><P>static (inside,outside) 95.12.60.31,10.1.1.1 netmask 255.255.255.255</P><P></P><P>access-list outside_in extended permit ip any any</P><P></P><P>access-group outside_in in interface OUTSIDE</P><P></P><P>The web service is accessible locally on 10.1.1.1 IP. While I am accessing via the public IP over the internet I can see following on 'sh conn' display</P><P></P><P>TCP out 66.72.101.23:2984 in 10.1.1.1:80 idle 0:00:02 bytes 0 flags AX</P><P></P><P>What could be wrong. Please assist. </P> Mon, 11 Mar 2019 14:17:36 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131926#M893072 new_networker 2019-03-11T14:17:36Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131927#M893074 <HTML><HEAD></HEAD><BODY><P>Does your load balancer have a default route going out?</P></BODY></HTML> Mon, 24 Nov 2008 18:23:55 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131927#M893074 Collin Clark 2008-11-24T18:23:55Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131928#M893076 <HTML><HEAD></HEAD><BODY><P></P><P>Yes. The default route is present. </P><P></P><P>I didn't mention earlier that the ping to public IP over the internet is successful. I have also configured the load balancer for ping requests. </P><P></P><P>Any other clues.</P></BODY></HTML> Mon, 24 Nov 2008 18:34:03 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131928#M893076 new_networker 2008-11-24T18:34:03Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131929#M893080 <HTML><HEAD></HEAD><BODY><P>When the NAT translation dies, what is the byte count? I assume you have hit counts on your ACL?</P></BODY></HTML> Mon, 24 Nov 2008 18:39:39 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131929#M893080 Collin Clark 2008-11-24T18:39:39Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131930#M893083 <HTML><HEAD></HEAD><BODY><P>Yes. There are hit counts on the access-list for every hit via the browser. Something like <HITCNT> 0xd1647829.</HITCNT></P></BODY></HTML> Mon, 24 Nov 2008 18:59:44 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131930#M893083 new_networker 2008-11-24T18:59:44Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131931#M893086 <HTML><HEAD></HEAD><BODY><P>Maybe a packet cpature between the two (or on the pix/asa) will shed some light. From the firewall you can ping the VIP correct?</P></BODY></HTML> Mon, 24 Nov 2008 19:01:11 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131931#M893086 Collin Clark 2008-11-24T19:01:11Z https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131932#M893088 <HTML><HEAD></HEAD><BODY><P>Yes. I am able to ping the VIP from firewall. </P><P></P><P>I will try the capture tommorow. In the meanwhile any other suggestions will be great. </P></BODY></HTML> Mon, 24 Nov 2008 19:15:36 GMT https://community.cisco.com/t5/network-security/static-nat-problem/m-p/1131932#M893088 new_networker 2008-11-24T19:15:36Z