4016 Views, 0 Helpful, 30 Replies

ASA - NAT issue

Arthur DENIS
Level 1

Hello,

I am trying to configure my ASA firewall to redirect the HTTP port from outside (outside-OVH) to inside (vlan1).

Please find the following configuration:

object network NAT-SERVEUR-HTTP-IN
 nat (VLAN1,outside-OVH) static interface service tcp www www 
access-list outside-OVH_access_in extended permit tcp any4 object-group DM_INLINE_NETWORK_1 eq www 
object-group network DM_INLINE_NETWORK_1
 network-object object NAT-SERVEUR-HTTP-IN
 network-object object SRV-SERVEUR
object network NAT-SERVEUR-HTTP-IN
 host 192.168.1.2

However, I get these logs from ASDM:

Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
3 | Mar 14 2015 | 16:06:12 | 710003 | 80.12.35.21 | 52108 | 109.190.13.144 | 80 | TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80

Can you please help me with it?

Thank you in advance,

Best regards

 
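An added example, not from this thread or from Cisco: a small Python parser for the ASA 710003 "TCP access denied by ACL" message shown in the post, used to count denied connections that hit a service the firewall is supposed to publish. The function names, the published-service set and every sample log line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Regex for the body of ASA syslog ID 710003 (severity 3), optionally preceded by the
# standard "%ASA-3-710003:" tag. Field names are my own choice, not an ASA/ASDM API.
ASA_710003 = re.compile(
    r"(?:%ASA-3-710003:\s*)?"
    r"(?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<iface>[\w-]+):(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_710003(line):
    """Return the fields of one 710003 message as a dict, or None for any other line."""
    m = ASA_710003.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def denied_published_services(lines, published):
    """Count denies whose (interface, destination IP, port) is a service meant to be published.

    A hit means the static NAT / ACL pair for that service did not apply to the flow,
    which is the symptom in the thread; denies to ports that are not published are normal.
    """
    hits = Counter()
    for line in lines:
        rec = parse_710003(line)
        if rec and (rec["iface"], rec["dst"], rec["dport"]) in published:
            hits[(rec["src"], rec["dport"])] += 1
    return hits


# Constructed sample: the first line is the message from the post; the others are made up.
SAMPLE_LOGS = [
    "%ASA-3-710003: TCP access denied by ACL from 80.12.35.21/52108 to outside-OVH:109.190.13.144/80",
    "%ASA-3-710003: TCP access denied by ACL from 80.12.35.21/52110 to outside-OVH:109.190.13.144/80",
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.7/40000 to outside-OVH:109.190.13.144/443",
    "%ASA-6-302013: Built inbound TCP connection 12 for outside-OVH:198.51.100.7/40001 (...)",
]

# Services the NAT/ACL configuration is intended to publish: (interface, public IP, port).
PUBLISHED = {("outside-OVH", "109.190.13.144", 80)}

if __name__ == "__main__":
    for (src, port), n in denied_published_services(SAMPLE_LOGS, PUBLISHED).items():
        print(f"{n} denied attempt(s) from {src} to published port {port}")
```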


This is a downtime period for me (a few servers remain up, but it is not critical traffic).

 

Please find the first output "shnat1" and the second (after trying) "shnat2".

It seems that we don't match the NAT object for outside to inside traffic on http.

 

I believe that is not normal... An error in the config?

Arthur

Well it looks like it is simply skipping the static NAT in section 2 and going straight to section 3.

Why it's doing that I have no idea :-)

So we can try a couple of things.

Firstly let's move your section 3 dynamic NAT to section 2. Static takes precedence over dynamic so your statics should be used first. I just want to see if section 2 is being used at all.

So replace -

nat (VLAN1,outside-OVH) after-auto source dynamic NET-VLAN1 interface

with this -

object network NET-VLAN1
nat (VLAN1,outside-OVH) dynamic interface

then do a "sh nat" and it should show both the static and dynamic NAT entries in section 2 now.

Record the "sh nat" as before, retest and see what happens.

Jon

 

I made the modification, and got the show nat output (attached).

 

The problem occurs again :(

Arthur

Arthur

We'll hopefully get there in the end :-)

Can you remove the static statement you currently have and add this -

nat (VLAN1,outside-OVH) source static NAT-SERVEUR-HTTP-IN NAT-SERVEUR-HTTP-IN service http http

and do the "sh nat" outputs and retest.

Jon

Yes I hope so :)

 

I made the modification, cleared xlate, and... That doesn't work...

Sh nat result attached.

Arthur

 

PS: If you want to try to see it in real time, maybe we can schedule a TeamViewer session - if you want?

Yes we may have to.

Before you do anything else can you run another packet-tracer eg.

"packet-tracer input outside-OVH tcp 8.8.8.8 12345 <public IP> 80"

and post results. I suspect it will show the same but just want to check.

Then can you revert back to where we were before. So -

1) remove the static NAT statement you just added and put it back as it was in section 2.

2) remove the dynamic NAT from section 2 and move it back to section 3.

then run a "sh nat" and post together with the packet-tracer output.

Then if possible can you save the configuration, reboot the firewall and run the same packet-tracer command again.

I don't like rebooting devices but every now and then it does help.

Apologies for all the messing around but it's not obvious (at least to me) why this isn't working.

Jon

Sorry for delay.

 

Please find attached the result of the packet-tracer command, sh nat, sh run, and sh nat after reboot.

 

Don't worry, I'm surprised myself about this problem... I already deployed a similar config without problems.

Arthur

I cannot see a single thing wrong with your configuration.

The only thing I can suggest, although I am not too hopeful, is to create an entirely new object for the server and try that eg.

object network HTTP-SERVER
host 192.168.1.2
nat (VLAN1,outside-OVH) static interface service tcp http http

Jon

It reassures me that I didn't do anything wrong :-)

 

However that's nice...

I tried to delete and recreate a new HTTP-SERVER object, and I keep having the same issue...

Maybe a bug? I haven't seen a similar issue in the release notes but maybe I can try an update, if you think that can help us with this issue?

Arthur

It might be a bug but I didn't find any mention of one specific to this in the release notes.

I notice you are running PPPoE and I have never used that but I can't see why that would stop it working.

Also noticed you have other services set up for external access but as you have no static statements I assume they are not working?

If it was me I would cut the configuration down to a bare minimum just to test ie. no NAT rules that weren't currently in use and an acl that had a line simply for the server.

As far as I can tell the issue is that every "sh nat" has shown your static statement being skipped and it matches the dynamic one instead and I can't understand why it is doing that.

I assume you are testing by accessing from an internet IP but even if there was an issue there the packet tracer output should have shown something and it didn't.

If there is anything else you can think of I'm only too happy to try and work this through with you but I am not seeing what the problem is at the moment.

Jon

 

OK for the RN, that confirms what I read.

 

PPPoE works fine for other things: I can access the internet from inside, and remote VPN is up and running fine.

For the other services, I tried to configure them but I have the same issue.

 

Indeed I am testing from a mobile network, and I get a log in Real Time monitoring with syslog id 71003.

 

I will try to update the firewall and do some tests; maybe the problem can be solved that way. Or maybe other readers have an idea?

 

I'll keep you informed.

Arthur

Good day. I am assuming that "shrun3" and "shnat5" are the last changes you made and are the current configurations on your ASA. If so, please see below.

  • What is the purpose of this NAT rule

nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup

  • Is the purpose of this rule below to provide internet access to the VLAN1 servers? If so, can you disable temporarily? This rule is getting all the hits.

object network NET-VLAN1
nat (VLAN1,outside-OVH) dynamic interface

  • What is the purpose of this rule below? Can you remove it for testing?

nat (outside-OVH,VLAN1) source dynamic any interface destination static NET-VLAN1 NET-VLAN1 inactive

  • I also noticed you have the VLAN1 network defined as a split tunnel network. Are you sending this network over the tunnel interface?

Hi,

 

Yes you are correct: "shrun3" and "shnat5" are the last changes and are the current configuration on my ASA.

 

  • nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup => this is the NAT used by the remote VPN connection
  • object network NET-VLAN1
    nat (VLAN1,outside-OVH) dynamic interface => I already tried to disable it but the problem remains the same
  • nat (outside-OVH,VLAN1) source dynamic any interface destination static NET-VLAN1 NET-VLAN1 inactive => this rule is inactive, so I hope that it has no impact on my issue!
  • Regarding the split tunneling, it is used by the remote VPN connection.

But the issue is from outside to inside on the http port.

Outside:80 --- > Outside-OVH (ASA) ---> NAT to 192.168.1.2:80

 

KR

Can you try this please?

 

Delete the inactive rule from your config.

Delete this rule from your config - nat (VLAN1,outside-OVH) dynamic interface

Add the after-auto keyword to this rule below.

nat (VLAN1,outside-OVH) source static NET-VLAN1 NET-VLAN1 destination static NETWORK_OBJ_10.0.33.0_24 NETWORK_OBJ_10.0.33.0_24 no-proxy-arp route-lookup

 

Can you for testing purposes also disable the Split Tunnelling rule?

The issue is that you are applying multiple NAT rules to the 192.168.1.0/24 subnet, and you are also applying a split tunnelling rule to that subnet. So multiple rules can apply to the traffic. By process of elimination we can find out where the problem is. 

I tried this, but the issue remains the same.

Please find attached the config that I tested, the sh nat result, and the logs received on the ASDM.

 

However, I added the following after my test:

object network NET-VLAN1
 nat (VLAN1,outside-OVH) dynamic interface

 

Because without that I can't use the internet access from VLAN 1.

Arthur
