03-22-2018 04:39 AM - edited 02-21-2020 07:32 AM
Hi All,
I have a kind of basic question.
1) Firewall model -> Cisco Adaptive Security Appliance Software Version 8.2(5)
2) nat-control enabled
3) Inbound connection (initiated from the outside direct to inside)
4) regular static NAT configured
static (inside,outside) x.x.x.x 172.17.32.50 netmask 255.255.255.255
ASA-5540# show xlate detail | include 172.17.32.50
NAT from inside:172.17.32.50 to outside:x.x.x.x flags s
5) inside interface sec-level -> 100
6) outside interface sec-level -> 0
7) ACL applied to outside interface
access-group outside-in in interface outside
8) public IP which starts the connection is: y.y.y.y
9) show conn is
TCP outside:y.y.y.y/55400 (y.y.y.y/55400) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 3s, uptime 6s, timeout 30s, bytes 0
TCP outside:y.y.y.y/55375 (y.y.y.y/55375) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 13s, uptime 16s, timeout 30s, bytes 0
TCP outside:y.y.y.y/55376 (y.y.y.y/55376) inside:172.17.32.50/443 (x.x.x.x/443), flags SaAB, idle 13s, uptime 16s, timeout 30s, bytes 0
Problem:
1) As you can see from the flag, the firewall is
A -> awaiting inside ACK to SYN
Investigation done:
1) Routing between the firewall and the server is in place
2) the xlate is ok, and checking the "Cisco Firewall's sequence of Packet Inspection Functions",
it seems to me that after the xlate lookup there is nothing else preventing this request from hitting the server.
Am I wrong, or should I further check something else on the firewall that might block the connection (ACL)?
Thanks.
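To triage output like the show conn lines above quickly, the following added example (not code from the post or from Cisco) parses each conn line in the format shown, decodes the flag letters against a subset of Cisco's documented flag legend, and labels half-open inbound connections where the inside host has never answered the SYN. The sample dump and its addresses are constructed placeholders; the regex assumes the "idle Ns, uptime Ns" field layout seen in the post.

```python
import re
# Subset of Cisco's documented "show conn" flag legend (added example, not from the post).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",   "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",       "U": "up (handshake complete)",
    "I": "inbound data",               "O": "outbound data",
    "f": "inside FIN",                 "F": "outside FIN",
}
# One conn line: PROTO ingress:real/port (mapped/port) egress:real/port (mapped/port), flags ..., bytes N
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<in_if>[\w-]+):(?P<src>[^/\s]+)/(?P<sport>\d+)\s+\([^)]*\)\s+"
    r"(?P<out_if>[\w-]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)\s+\([^)]*\),\s+flags\s+(?P<flags>\S+),"
    r"\s+idle\s+(?P<idle>\d+)s,\s+uptime\s+(?P<uptime>\d+)s,\s+timeout\s+[^,]+,\s+bytes\s+(?P<nbytes>\d+)"
)
def parse_conn(line):
    """Fields of one show conn line as a dict, or None if the line is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    for k in ("sport", "dport", "idle", "uptime", "nbytes"):
        conn[k] = int(conn[k])
    return conn

def decode_flags(flags):
    return [FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in flags]

def classify(conn):
    """Label the TCP state the way an operator triaging show conn output would."""
    if "U" in conn["flags"]:
        return "established"
    if "B" in conn["flags"] and "A" in conn["flags"] and conn["nbytes"] == 0:
        return "inbound SYN not answered by inside host"  # the SaAB case in the post
    return "embryonic"

def triage(output):
    """Parse every conn line of a show conn dump and pair it with its classification."""
    return [(c, classify(c)) for c in map(parse_conn, output.splitlines()) if c]

# Constructed sample output; addresses are documentation-range placeholders.
SAMPLE = """\
TCP outside:198.51.100.7/55400 (198.51.100.7/55400) inside:172.17.32.50/443 (203.0.113.10/443), flags SaAB, idle 3s, uptime 6s, timeout 30s, bytes 0
TCP outside:198.51.100.7/55375 (198.51.100.7/55375) inside:172.17.32.50/443 (203.0.113.10/443), flags SaAB, idle 13s, uptime 16s, timeout 30s, bytes 0
TCP outside:198.51.100.7/55201 (198.51.100.7/55201) inside:172.17.32.50/443 (203.0.113.10/443), flags UIOB, idle 1s, uptime 120s, timeout 1h0m, bytes 8421
"""
if __name__ == "__main__":
    for c, verdict in triage(SAMPLE):
        print(f"{c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} [{c['flags']}] {verdict}: "
              + "; ".join(decode_flags(c["flags"])))
```

A conn that stays in the "inbound SYN not answered" state with bytes 0 until its 30s timeout points at the path from the firewall to the inside host (routing, host firewall, or the service not listening), not at the outside ACL, which has already been passed by the time the conn exists.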