ASA NAT Issue

bboston85
Level 1

I hope someone can point me in the correct direction here.

I have a client that needs 4 machines with static internal addresses. He is using a remote filtering service that filters by public IP. I have set the proper NAT and Global statements, I believe. The unfiltered and filtered machines are all on the same /24 subnet, so I set up object-group lists with individual IP ranges for filtered and unfiltered and then created access-lists that are mapped via the NAT statements. Basically, I need client IPs 192.168.1.1-35 to be on one public IP and clients 192.168.1.130-140 on a separate public IP.

After setting all that up I get a SYN Timeout statement in the logs, it looks to me as if the traffic gets out but does not route back in. The second public IP I am using is available and points through our perimeter router so there is no issue there.

Do I need a static statement to translate the secondary IP in to the public side?

Thanks,

Bryan.

18 Replies

Bryan,

Let's nail down the problem.

1. You say that you can PING the internet from the inside host? i.e., ping 4.2.2.2

2. If this is true, nat/global are working fine and you might have an ACL applied to the inside interface not allowing web or dns traffic.

3. To check that traffic is flowing through the ASA in the outbound direction, you can do a "sh xlate local x.x.x.x" where x.x.x.x is the IP of the inside device. This will show the translation taking place.

4. To reassure that traffic is being sent out by the ASA, you can apply an ACL outbound to the outside interface, i.e.:

   access-list TEST permit tcp host PUBLIC_IP any eq 80
   access-list TEST permit ip any any
   access-group TEST out interface outside

If you do get hitcounts on the first line in "sh access-list TEST", then traffic is being sent out by the ASA for outgoing web requests.

5. To check if traffic is coming back to the ASA, we can check the logs.

For web connections, the TCP should establish the three-way handshake.

After this, you can share with us the running-config so we can check it out for you.

Federico.
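A small checker for steps 3 and 4 above, added here as an example and not part of the thread: it parses the kind of output "sh xlate" and "sh access-list TEST" produce (sample output constructed to match the pre-8.3 format, with 203.0.113.x standing in for the two public IPs) and reports any inside host that left on the wrong public IP, plus the per-line hit counts.

```python
import ipaddress
import re

# Constructed sample output, modelled on the pre-8.3 ASA "show xlate" and
# "show access-list" formats. The public IPs are documentation placeholders.
SHOW_XLATE = """\
3 in use, 5 most used
PAT Global 203.0.113.1(1025) Local 192.168.1.5(49321)
PAT Global 203.0.113.2(1026) Local 192.168.1.132(51002)
PAT Global 203.0.113.1(1027) Local 192.168.1.135(51010)
"""

SHOW_ACL = """\
access-list TEST; 2 elements
access-list TEST line 1 extended permit tcp host 203.0.113.2 any eq www (hitcnt=0) 0x1a2b3c4d
access-list TEST line 2 extended permit ip any any (hitcnt=17) 0x5e6f7a8b
"""

# The poster's intended policy: inside range -> public IP it should leave on.
POLICY = [
    ("192.168.1.1", "192.168.1.35", "203.0.113.1"),
    ("192.168.1.130", "192.168.1.140", "203.0.113.2"),
]

# Matches both "Global A.B.C.D Local W.X.Y.Z" and the PAT form with (port) suffixes.
XLATE_RE = re.compile(r"Global (\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? Local (\d+\.\d+\.\d+\.\d+)")
HITCNT_RE = re.compile(r"^access-list \S+ line (\d+) .*\(hitcnt=(\d+)\)", re.M)


def expected_global(local):
    """Public IP the policy says this inside host should translate to, or None."""
    addr = ipaddress.IPv4Address(local)
    for low, high, public in POLICY:
        if ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high):
            return public
    return None


def xlate_mismatches(text):
    """Translations in 'show xlate' output that contradict POLICY: (local, actual, expected)."""
    bad = []
    for actual, local in XLATE_RE.findall(text):
        expected = expected_global(local)
        if expected is not None and actual != expected:
            bad.append((local, actual, expected))
    return bad


def acl_hitcounts(text):
    """Map ACL line number -> hit count from 'show access-list' output."""
    return {int(line): int(hits) for line, hits in HITCNT_RE.findall(text)}
```

In the constructed sample, host 192.168.1.135 is translated to the first public IP instead of the second and TEST line 1 has no hits, which together point at the policy NAT not matching rather than at the return path.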

Ok, I will try this out and get back to you with the results. If I'm still not successful I will send my config also.

Thanks.

I may have a chance to visit the client tomorrow. I will put together the config for what you have suggested and report back.

I did hear back from the ISP and they say the address I am using is routed back to me, so I was wrong about that unfortunately.

Thanks again for your help.

-Bryan

Ok, so I was able to figure out my issue here. Sorry for the long delay. I spoke with the ISP again after trying these suggestions and then just plugging my laptop in after the router and used the new public IP I was trying to set, and also tested the original one that works on the ASA. As I suspected, I was able to get out with the same IP as our ASA but not with the new IP. I then found out that they block all traffic, aside from ICMP, with access lists so that they can prevent usage on other IPs without first using their proxy filter. I asked them to add the new IP to the access-list and voila... it works.

Thankfully that is over and I can now try to re-grow my hair again.

Thanks again for all of your help.

Bryan.
