Hi All,

I have a kind of basic question.

1)Firewall model -> Cisco Adaptive Security Appliance Software Version 8.2(5)

2)nat-control enabled

3)Inbound connection (initiated from the outside direct to inside)

3)regular static NAT configured

static (inside,outside) x.x.x.x 172.17.32.50 netmask 255.255.255.255

ASA-5540# show xlate detail | include 172.17.32.50
NAT from inside:172.17.32.50 to outside:x.x.x.x flags s

4)inside interface sec-level -> 100

5)outside interface sec-level -> 0

6)ACL applied to outside interface

access-group outside-in in interface outside

6)pubblic IP which start the connection is: y.y.y.y

7)show conn is

TCP outside:y.y.y.y/55400 (y.y.y.y/55400) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 3s, uptime 6s, timeout 30s, bytes 0
TCP outside:y.y.y.y/55375 (y.y.y.y/55375) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 13s, uptime 16s, timeout 30s, bytes 0
TCP outside:y.y.y.y/55376 (y.y.y.y/55376) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 13s, uptime 16s, timeout 30s, bytes 0

Problem:

1)As you can see from the flag, the firewall is

A -> awaiting inside ACK to SYN

Investigation done:

1)Routing between the firewall and the server is in place

2)the xlate is ok, and checking the "Cisco Firewall´s seequence of Packet Inspection Functions",

it seems to me that after the xlate lookup there is nothing else preventig this request to hit the server.

Am I wrong or should I further check something else on the firewall that might block the connection (ACL )?

Thanks.