ASA - NAT issue

Arthur DENIS
Level 1

Hello,

 

I try to configure my ASA firewall to redirect http port from outside (outside-OVH) to inside (vlan1).

 

Please find here the following configuration:

object network NAT-SERVEUR-HTTP-IN
 nat (VLAN1,outside-OVH) static interface service tcp www www 
access-list outside-OVH_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_1 eq www 
object-group network DM_INLINE_NETWORK_1
 network-object object NAT-SERVEUR-HTTP-IN
 network-object object SRV-SERVEUR
object network NAT-SERVEUR-HTTP-IN
 host 192.168.1.2

 

However, I get this logs from ASDM:

3 Mar 14 2015 16:06:12 710003 80.12.35.21 52108 109.190.13.144 80 TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80

 

Can you please help me about it?

 

Thank you for advance,

Best regards

 


30 Replies

Andre Neethling
Level 4

Hi. Can you please provide all your NAT statements......... or your entire running config. That will make it easier to troubleshoot.

Jon Marshall
Hall of Fame

Can you post the output of -

"packet-tracer input outside tcp 8.8.8.8 12345 <public IP of web server> 80"

and

"sh nat"

and also your ASA configuration.

Jon

Hi,

Please find in attached the "sh nat" and the "sh run" result.

I don't get anything from packet-capture...

KR

I don't understand.

Your NAT output and your running config do not show the static statements in your original post?

Did you remove them?

Anyway, put them back in and change this statement -

nat (VLAN1,outside-OVH) source dynamic NET-VLAN1 interface

to be

nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface

and try again.

Jon

Thanks for your reply.

That didn't work anyway. Please find the new sh run in attached.

I get the same error:

3 Mar 14 2015 20:13:10 710003 80.12.35.21 52470 109.190.13.144 80 TCP access denied by ACL from 80.12.35.21/52470 to outside-OVH:109.190.13.144/80

 

Indeed, I removed my previous nat for testing.

Arthur

Can you do a "sh nat" again and post the output.

And from the CLI can you run the packet-tracer command, I made a mistake on the interface name so -

"packet-tracer input outside-OVH tcp 8.8.8.8 12345 <public IP of web server> 80"

Jon

Please find the file in attached.

 

Thanks,

Arthur

The problem is it is not using your static NAT statements which usually means it is matching one of your rules before that.

Although I can't see which rule it would be matching.

Can you try doing a "clear xlate" and retesting.

Jon

 

I sent a "clear xlate" command, but the issue remains the same (syslog id 710003).

 

Maybe the issue occurs because I try to NAT outside to inside with the same IP address as the outside-OVH interface?

 

Arthur

Arthur

You mean this line -

nat (outside-OVH,VLAN1) source dynamic any interface destination static NET-VLAN1 NET-VLAN1

yes, I did wonder whether that was the line that was somehow matching but as far as I understand it that should only match if the destination IP was 192.168.1.x but it won't be.

The incoming packet should have a public IP, the IP of the outside interface.

You can try removing it temporarily to see what effect it has.

Bear in mind that even if it had matched the static PAT statement it would not then have gone back to the above rule so you wouldn't have translated all the source IPs (internet IPs) to the inside interface.

Or at least that's my understanding of it.

If you do remove it and it does work then I really don't understand 8.3 NAT as well as I thought I did :-)

Jon
 

Jon,

 

I disable this line:

      nat (outside-OVH,VLAN1) 3 source dynamic any interface destination static NET-VLAN1 NET-VLAN1 inactive

But the problem is still here :(

 

I don't really understand why "TCP access denied by ACL", or at least by which ACL...

 

However, please keep in mind that my ASA is in version 9.3, not 8.3 !

Arthur

 

Yes sorry, I meant post 8.3 NAT which is when it all changed :-)

Your packet-tracer output is talking about an acl but that is because it hasn't matched a NAT rule. It can be a bit misleading in terms of reading it.

What you should see in packet tracer is a specific NAT statement showing the translation but you aren't.

Can you try changing the "any" interface in your static statement to the specific interface and then retest.

Can you also post your running config again as it is now and I will have another look to see if there is anything obvious I have missed.

Jon

Ah ok :-)

 

I changed the "any" interface to the "VLAN1" interface in my static statement. I did a clear xlate, tried again... and it is the same issue again!

 

The new sh run in attached.

Arthur

Is there any traffic going through the ASA at the moment, or is this a downtime period for you?

If there isn't traffic we need to work out where the NAT is failing so can you -

1) run a "sh nat" and save the output

2) straight after that try and connect to the web server

3) run a "sh nat" again

we might be able to see which rule has increased in terms of translations which would give us a clue as to what is happening.

Jon
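Jon's before/after "sh nat" comparison can be automated. The following Python is an added example (not from the thread or its attachments): it parses the translate_hits / untranslate_hits counter lines of ASA "show nat" output over two constructed captures that mirror the rules discussed above, and reports which rule's counters moved after the connection attempt.

```python
import re

# Constructed "show nat" captures (not from the thread's attachments) in the
# ASA 9.x output format, using the rule set discussed above. Counters are
# made up: the "after" capture was taken right after one inbound attempt.
SHOW_NAT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (outside-OVH) to (VLAN1) source dynamic any interface   destination static NET-VLAN1 NET-VLAN1
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (VLAN1) to (outside-OVH) source static NAT-SERVEUR-HTTP-IN interface   service tcp www www
    translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (VLAN1) to (outside-OVH) source dynamic NET-VLAN1 interface
    translate_hits = 1534, untranslate_hits = 0
"""
# Same rules; in this constructed case the inbound attempt bumped the
# Section 1 rule instead of the static PAT, and outbound traffic kept flowing.
SHOW_NAT_AFTER = SHOW_NAT_BEFORE.replace(
    "translate_hits = 0, untranslate_hits = 0\n\nAuto",
    "translate_hits = 0, untranslate_hits = 1\n\nAuto", 1,
).replace("translate_hits = 1534", "translate_hits = 1540")

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^\d+ \((\S+)\) to \((\S+)\) (.+?)\s*$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text: str) -> dict:
    """Map 'S<n> (from) to (to) <rule>' -> (translate_hits, untranslate_hits)."""
    rules, section, current = {}, "S?", None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = "S" + m.group(1)   # remember which NAT section we are in
            continue
        m = RULE_RE.match(line)
        if m:
            current = f"{section} ({m.group(1)}) to ({m.group(2)}) {m.group(3)}"
            continue
        m = HITS_RE.search(line)
        if m and current:
            rules[current] = (int(m.group(1)), int(m.group(2)))
    return rules

def nat_hit_deltas(before: str, after: str) -> dict:
    """Rules whose counters moved between captures: the rule the packet hit."""
    b, a = parse_show_nat(before), parse_show_nat(after)
    return {r: (t1 - b.get(r, (0, 0))[0], u1 - b.get(r, (0, 0))[1])
            for r, (t1, u1) in a.items() if (t1, u1) != b.get(r, (0, 0))}
```

A rule whose untranslate_hits rose by one after a single inbound attempt is the one the ASA actually matched; if the static PAT in Section 2 stays at zero, the packet never reached it.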
