Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
0
Helpful
3
Replies

ASA 5525 and 9.x NAT issue

Matus Kozak
Level 4
Level 4

‎12-13-2014 08:44 AM - edited ‎03-11-2019 10:13 PM

Hello, I have a two proxy servers in dmz which are doing tcp connection to outside to main proxy server on tcp port 8080.
The dmz servers have IP 10.x.x.203 and 204. I'm doing object NAT

object network obj-10.x.x.0
 nat (dmz,outside) dynamic interface

one server is working fine, the second not. The other protocols are working fine from both servers. Only tcp 8080 to outside is problem, first is working, second not.
When I add dmz ACL and block working server, the second start working. Too when I add static nat to other outside IP for this server it start working.
It looks like as some kind of bug with nat or conn table or something. Did somebody face similar issue?

thanks.

Labels:
0 Helpful
3 Replies 3

Rishabh Seth
Level 7
Level 7

‎12-13-2014 11:13 AM

Hi,

I think there can also be some issue with outside main proxy server. 

As per what you have described above, the main proxy server is not allowing two connections from same IP address.

As per your nat DMZ traffic in source NATed to outside interface IP address. That means when both servers try to communicate to main proxy server, the source will be seen as ASA outside IP address.

Now by denying the traffic with acl or by using different static IP address, you are basically using unique IP address for communication with main proxy server.

Is it possible that there is some configuration on main proxy server that can result in such behaviour?

Also in your post you have mentioned that other protocols are working fine. So is it for DMZ server to OUTSIDE main proxy server?

Thanks,

Rishabh 

0 Helpful

Matus Kozak
Level 4
Level 4
In response to Rishabh Seth

‎12-13-2014 12:05 PM

thanks for your reply. Is there a way how can the main proxy identify flows from one IP that they belongs to differents hosts behind asa fw?

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Matus Kozak

‎12-14-2014 08:33 AM

I don't think that is possible, because after NAT the data stream will look like coming from ASA's interface IP. The only parameter that will be different is source ports.

If you have two public IP addresses then you can use them to NAT traffic from each DMZ servers.
 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card