731 Views, 0 Helpful, 2 Replies

ASA not answering ARP request

m.coakley
Level 1

I'm sure this is a simple configuration issue but here is my issue:

We are running an HTTPS service on a host that is connected to our DMZ network on our ASA. This host and ASA can communicate just fine. I've created an ACL rule that allows HTTPS traffic from the outside world to the host's DMZ IP address. I've also created a static NAT for the host's DMZ IP address to the host's public IP address. A request from the outside world creates a connection and can be seen via Wireshark on the host. However, a full handshake does not complete.

I see the following on the ASA:

show conn reports

TCP Internet 173.3.X.X:46061 DMZ 10.18.X.X:443, idle 0:00:00, bytes 0, flags SaAB

During this connection in Wireshark on the host I see the HTTPS request coming from the 173.3.X.X address which is followed by the host performing an ARP request asking who owns 173.3.X.X. This is where the communications chain stops. The 173.3.X.X host continues to try to access the site and I see the requests in Wireshark. I see the DMZ host continually request ARP for who owns 173.3.X.X but it never receives a reply.

Other hosts on this DMZ are working with other services (i.e. SMTP) but this one is not.

My ACL is:

access-list Internet_IN extended permit tcp any host 10.18.X.X eq https

My NAT is:

object network PublicServer_NAT4 (which equals 10.18.X.X)

nat (DMZ, Internet) static 24.38.X.X (which is the public IP of this service)

I've also restarted the ASA as I have seen strange issues like this fixed by a reboot in my past.

I'm running ASA v8.3.1.

Any help would be greatly appreciated.

Mike
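The "show conn" line in the question is the ASA's own view of the stalled handshake: the flags say the outside SYN has arrived and the ASA is still waiting for everything the DMZ host should send back. The parser below is an added example (not code from the thread or from Cisco) that turns such lines into records and classifies the handshake from the flag letters. The flag legend is a subset of the one Cisco documents for "show conn"; the second sample line, with its addresses and byte count, is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Subset of the TCP connection flag legend that "show conn" prints on the ASA;
# wording follows the Cisco ASA command reference for the flags that matter
# when a handshake stalls.
CONN_FLAGS = {
    "U": "up (three-way handshake complete)",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "I": "inbound data",
    "O": "outbound data",
    "f": "inside FIN",
    "F": "outside FIN",
}

# Matches one "show conn" line as shown in the question; IP octets may be the
# "X" placeholders the poster used to mask his addresses.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\dX.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\dX.]+):(?P<in_port>\d+),\s+"
    r"idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    out_if: str
    out_ip: str
    out_port: int
    in_if: str
    in_ip: str
    in_port: int
    idle: str
    bytes: int
    flags: str


def parse_conn(line: str) -> Conn:
    """Parse a single ASA 'show conn' line into a Conn record."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a recognised show conn line: {line!r}")
    d = m.groupdict()
    return Conn(
        d["proto"], d["out_if"], d["out_ip"], int(d["out_port"]),
        d["in_if"], d["in_ip"], int(d["in_port"]),
        d["idle"], int(d["bytes"]), d["flags"],
    )


def describe_flags(flags: str) -> list[str]:
    """Expand each flag letter using the legend above."""
    return [CONN_FLAGS.get(f, f"unknown flag {f!r}") for f in flags]


def handshake_state(conn: Conn) -> str:
    """'established' once the ASA has marked the connection up, 'embryonic'
    while it still waits for a SYN or ACK from either side, else 'other'."""
    if conn.proto != "TCP":
        return "other"
    if "U" in conn.flags:
        return "established"
    if any(f in conn.flags for f in "SsAa"):
        return "embryonic"
    return "other"


def missing_segments(conn: Conn) -> list[str]:
    """List the handshake segments the ASA is still waiting for, in flag order."""
    return [CONN_FLAGS[f] for f in conn.flags if f in "SsAa"]


# Constructed sample: the line from the question plus an established SMTP
# connection (the SMTP addresses and byte count are made up).
SAMPLE_LINES = [
    "TCP Internet 173.3.X.X:46061 DMZ 10.18.X.X:443, idle 0:00:00, bytes 0, flags SaAB",
    "TCP Internet 203.0.113.7:51422 DMZ 10.18.0.25:25, idle 0:00:03, bytes 1240, flags UIOB",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        c = parse_conn(line)
        print(f"{c.out_ip}:{c.out_port} -> {c.in_ip}:{c.in_port} [{c.flags}] {handshake_state(c)}")
        for seg in missing_segments(c):
            print("   still", seg)
```

For the poster's line the classifier reports "embryonic" with the ASA still awaiting the inside SYN and both ACKs, and zero bytes: the SYN reached the ASA, but no SYN-ACK ever came back through it, which is exactly what the Wireshark capture on the host shows from the other side.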

Accepted Solution

ajay chauhan
Level 7

Looks like the server is not responding with a SYN-ACK. You should troubleshoot at the app level.


2 Replies

m.coakley
Level 1

Ajay - thank you for your response.

I did solve my problem. It hit me after I posted my discussion (sometimes just saying it out loud helps). Anyway...

It hit me that the NIC shouldn't have been making an ARP request for an IP not on its network. If anything it should have been asking ARP for the MAC of the default gateway.

There was nothing in the configuration of the host that indicated a problem so I simply rebooted the host and everything is working.
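The observation in this reply is a useful sanity check on any packet capture: a host should only ARP for addresses inside its own subnet and should ARP for the default gateway for everything else. The script below is an added example, not code from the thread, that encodes that rule and compares it with the ARP target actually seen on the wire. The host address, mask and gateway are assumed values (the poster masked his as 10.18.X.X), and 173.3.0.10 stands in for the masked client 173.3.X.X; the zero-length mask case is included only to show one configuration that produces the symptom, not as the poster's actual cause.

```python
import ipaddress

# Constructed values standing in for the masked addresses in the thread.
HOST_IP = "10.18.0.25"
HOST_PREFIX = 24
GATEWAY = "10.18.0.1"
PEER = "173.3.0.10"


def arp_target(host_ip: str, prefix_len: int, gateway: str, destination: str) -> str:
    """Return the address a correctly configured host ARPs for when sending
    to destination: the destination itself if on-link, else the gateway."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    dst = ipaddress.ip_address(destination)
    if dst in iface.network:
        return str(dst)
    return str(ipaddress.ip_address(gateway))


def arp_is_consistent(observed_target: str, host_ip: str, prefix_len: int,
                      gateway: str, destination: str) -> bool:
    """True if the ARP request seen in a capture matches what the host's
    address and mask say it should be asking for."""
    expected = ipaddress.ip_address(arp_target(host_ip, prefix_len, gateway, destination))
    return ipaddress.ip_address(observed_target) == expected


def explain(observed_target: str, host_ip: str, prefix_len: int,
            gateway: str, destination: str) -> str:
    """One-line verdict for a captured ARP request."""
    expected = arp_target(host_ip, prefix_len, gateway, destination)
    if arp_is_consistent(observed_target, host_ip, prefix_len, gateway, destination):
        return f"ARP for {observed_target} is expected (next hop for {destination})"
    return (f"ARP for {observed_target} is wrong: {destination} is off-link for "
            f"{host_ip}/{prefix_len}, so the host should ARP for {expected}")


if __name__ == "__main__":
    # The symptom from the thread: the DMZ host ARPs for the outside client.
    print(explain(PEER, HOST_IP, HOST_PREFIX, GATEWAY, PEER))
    # What a healthy host does for the same reply packet.
    print(explain(GATEWAY, HOST_IP, HOST_PREFIX, GATEWAY, PEER))
    # A /0 mask makes every address look on-link and reproduces the symptom.
    print(explain(PEER, HOST_IP, 0, GATEWAY, PEER))
```

With a /24 the reply to the outside client must go via 10.18.0.1, so an ARP for 173.3.0.10 is flagged as inconsistent; with a /0 mask the same ARP is "expected", which is the kind of host-side misconfiguration that would make the ASA's embryonic connection never complete even though the ACL and NAT are correct.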
