ASA 8.4 NAT and Reply/Reverse traffic

Gordon Ross
Level 9

I've got a 5520 running 8.4(1).

I've setup a simple NAT:

object network Test
 host 10.10.10.1
object network Test
 nat (inside,outside) static 1xx.xx.xx.xxx

I've also got a trivial access-list:

access-list inside_access_in_1 extended permit ip host 10.10.10.1 any

Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.

What do I need to do to allow the reverse packets to get through the ASA back to the host?

Thanks,

GTG

Please rate all helpful posts.
3 Replies

varrao
Level 10

Hi Gordon,

Are you facing an issue with internet access?

Run a quick test to check where the firewall is dropping the packet:

packet-tracer input inside tcp 10.10.10.1 2345 4.2.2.2 443 detailed

it should tell you if the packets are getting dropped somewhere.

Moreover, collect logs as well.

Thanks,

Varun

I ran the command, and that showed the packet getting through fine (not surprising, we already know this).

We really need to be able to run the command for the reply packet. A simple reverse of the fields won't work because we can't say that the packet is part of an existing flow.

What sort of logs do you want me to get? (I'm assuming some form of debug output?)

GTG

Gordon,

Hi, please do the following:

capture asp type asp-drop all

That will tell you if the firewall is dropping the packets; you should be able to display the info of this capture like this:

show cap asp | inc

Also, are you having this same issue with all internet pages, or is it just one domain?

Mike

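A worked check for the reply direction, added here as an example; it is not part of any post in the thread. It picks up Gordon's point that the reply packet is the one that needs tracing and Mike's asp-drop capture, and it assumes the configuration Gordon posted (real host 10.10.10.1, mapped address 1xx.xx.xx.xxx, interfaces named inside and outside) plus the same TCP session Varun used for his trace (4.2.2.2:443 from source port 2345). The capture names capin and capout are arbitrary. The sequence captures the flow on both sides of the ASA at once, records everything the accelerated security path drops, checks whether a connection entry still exists for the flow, and then traces a synthetic reply entering on the outside. With the 8.3+ NAT model an inbound packet-tracer is given the mapped address as its destination, and the trace shows the untranslate to the real host and the phase at which the packet is dropped, if any.

```cisco
! Capture the flow on both interfaces, plus everything the ASP drops.
! Start these, reproduce the problem from 10.10.10.1, then read them back.
capture capin  interface inside  match ip host 10.10.10.1 any
capture capout interface outside match ip host 1xx.xx.xx.xxx any
capture asp type asp-drop all

! 1. Outbound packet leaves with the mapped source, and the reply arrives
!    on the outside with the mapped destination (what Wireshark already showed).
show capture capout

! 2. Does the reply ever reach the inside interface? Per the report it should not.
show capture capin

! 3. Was it dropped, and why? Each dropped packet is listed with a Drop-reason.
show capture asp

! 4. Is there still a connection entry for the flow? A reply is only matched
!    statefully while the conn exists; without one the inbound packet is
!    evaluated as new traffic against the outside interface rules.
show conn address 10.10.10.1
show xlate
show nat detail

! 5. Trace the reply itself, entering on the outside, addressed to the mapped IP.
packet-tracer input outside tcp 4.2.2.2 443 1xx.xx.xx.xxx 2345 detailed

! Clean up when done.
no capture capin
no capture capout
no capture asp
```

One caveat the thread does not raise: if the replies in question are ICMP echo replies rather than TCP segments, the ASA only pairs them with the outbound echo when `inspect icmp` is enabled in the global service policy; without it, inbound echo replies are treated as new traffic on the outside interface and need an explicit permit there.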