
CISCO ASA NAT RULE

denilson.mota
Level 1

Hi folks,

 

I created a NAT rule on my ASA for my MPLS users to access an internal web server, and the same server has a NAT to outside. Until now all was good: my MPLS users access the web server from the MPLS IP, which has a NAT to the web server IP. Now my internal LAN users can't access the server. When I run packet tracer, they go to the outside interface instead of connecting to the server directly from the LAN.

 

Any idea why this is happening?

 

Thank you


Bogdan Nita
VIP Alumni

Can you share the sanitized NAT config, interface config and packet tracer output?

 

I have no errors from packet tracer. My site users on the MPLS access the server with an MPLS IP 1.1.1.1, and I have NATed this IP to the real server x.x.x.x. The real server x.x.x.x has a static NAT to outside 8.8.8.8.

I created a record on the DNS server for the MPLS IP so that remote users on the MPLS can access the web server, but now my local users on the LAN can't access the web server. I am not sure whether it is because I changed the record to the MPLS IP.

Can anyone please help me understand why the web page with IP 41.76.7.25 does not open? I captured these logs:

 1: 15:53:10.128518       10.0.1.46.1183 > 41.76.7.25.80: S 2477633111:2477633111(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 15:53:10.131020       41.76.7.25.80 > 10.0.1.46.1183: S 809984383:809984383(0) ack 2477633112 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
   3: 15:53:10.131127       10.0.1.46.1183 > 41.76.7.25.80: . ack 809984384 win 258
   4: 15:53:11.795811       10.0.1.46.1183 > 41.76.7.25.80: P 2477633112:2477633442(330) ack 809984384 win 258
   5: 15:53:11.800175       41.76.7.25.80 > 10.0.1.46.1183: . ack 2477633442 win 236
   6: 15:53:21.799900       10.0.1.46.1183 > 41.76.7.25.80: . 2477633441:2477633442(1) ack 809984384 win 258
   7: 15:53:21.802326       41.76.7.25.80 > 10.0.1.46.1183: . ack 2477633442 win 236 <nop,nop,sack sack 1 {2477633441:2477633442} >
   8: 15:53:26.832537       41.76.7.25.80 > 10.0.1.46.1183: R 809984384:809984384(0) ack 2477633442 win 236
   9: 15:53:26.833193       10.0.1.46.1219 > 41.76.7.25.80: S 2294215953:2294215953(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  10: 15:53:26.835070       41.76.7.25.80 > 10.0.1.46.1219: S 668053221:668053221(0) ack 2294215954 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
  11: 15:53:26.835314       10.0.1.46.1219 > 41.76.7.25.80: . ack 668053222 win 258
  12: 15:53:26.835436       10.0.1.46.1219 > 41.76.7.25.80: P 2294215954:2294216284(330) ack 668053222 win 258
  13: 15:53:26.839022       41.76.7.25.80 > 10.0.1.46.1219: . ack 2294216284 win 236
  14: 15:53:36.849382       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  15: 15:53:36.851945       41.76.7.25.80 > 10.0.1.46.1219: . ack 2294216284 win 236 <nop,nop,sack sack 1 {2294216283:2294216284} >
  16: 15:53:46.862397       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  17: 15:53:47.862702       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  18: 15:53:48.866822       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  19: 15:53:49.867081       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  20: 15:53:50.867569       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  21: 15:53:51.867463       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  22: 15:53:52.867371       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  23: 15:53:53.875092       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  24: 15:53:54.874390       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  25: 15:53:55.882431       10.0.1.46.1219 > 41.76.7.25.80: . 2294216283:2294216284(1) ack 668053222 win 258
  26: 15:53:56.895476       10.0.1.46.1219 > 41.76.7.25.80: R 2294216284:2294216284(0) ack 668053222 win 0
  27: 15:53:56.896056       10.0.1.46.1254 > 41.76.7.25.80: S 3464581912:3464581912(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  28: 15:53:56.899977       41.76.7.25.80 > 10.0.1.46.1254: S 886564:886564(0) ack 3464581913 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
  29: 15:53:56.900084       10.0.1.46.1254 > 41.76.7.25.80: . ack 886565 win 258
  30: 15:53:56.900191       10.0.1.46.1254 > 41.76.7.25.80: P 3464581913:3464582243(330) ack 886565 win 258
  31: 15:53:56.904799       41.76.7.25.80 > 10.0.1.46.1254: . ack 3464582243 win 236
  32: 15:54:06.912123       10.0.1.46.1254 > 41.76.7.25.80: . 3464582242:3464582243(1) ack 886565 win 258
  33: 15:54:06.914808       41.76.7.25.80 > 10.0.1.46.1254: . ack 3464582243 win 236 <nop,nop,sack sack 1 {3464582242:3464582243} >
  34: 15:54:12.112390       41.76.7.25.80 > 10.0.1.46.1254: R 886565:886565(0) ack 3464582243 win 236
  35: 15:54:12.114557       10.0.1.46.1290 > 41.76.7.25.80: S 1925115600:1925115600(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  36: 15:54:12.116830       41.76.7.25.80 > 10.0.1.46.1290: S 1025074812:1025074812(0) ack 1925115601 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
  37: 15:54:12.117028       10.0.1.46.1290 > 41.76.7.25.80: . ack 1025074813 win 258
  38: 15:54:12.117303       10.0.1.46.1290 > 41.76.7.25.80: P 1925115601:1925115931(330) ack 1025074813 win 258
  39: 15:54:12.121972       41.76.7.25.80 > 10.0.1.46.1290: . ack 1925115931 win 236
  40: 15:54:22.132561       10.0.1.46.1290 > 41.76.7.25.80: . 1925115930:1925115931(1) ack 1025074813 win 258
  41: 15:54:22.134438       41.76.7.25.80 > 10.0.1.46.1290: . ack 1925115931 win 236 <nop,nop,sack sack 1 {1925115930:1925115931} >
  42: 15:54:27.152412       41.76.7.25.80 > 10.0.1.46.1290: R 1025074813:1025074813(0) ack 1925115931 win 236
  43: 15:54:27.153144       10.0.1.46.1326 > 41.76.7.25.80: S 3911527877:3911527877(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  44: 15:54:27.156379       41.76.7.25.80 > 10.0.1.46.1326: S 3437459950:3437459950(0) ack 3911527878 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
  45: 15:54:27.156562       10.0.1.46.1326 > 41.76.7.25.80: . ack 3437459951 win 258
  46: 15:54:27.156653       10.0.1.46.1326 > 41.76.7.25.80: P 3911527878:3911528208(330) ack 3437459951 win 258
  47: 15:54:27.160605       41.76.7.25.80 > 10.0.1.46.1326: . ack 3911528208 win 236
  48: 15:54:37.164816       10.0.1.46.1326 > 41.76.7.25.80: . 3911528207:3911528208(1) ack 3437459951 win 258
  49: 15:54:37.166724       41.76.7.25.80 > 10.0.1.46.1326: . ack 3911528208 win 236 <nop,nop,sack sack 1 {3911528207:3911528208} >
  50: 15:54:42.172430       41.76.7.25.80 > 10.0.1.46.1326: R 3437459951:3437459951(0) ack 3911528208 win 236
  51: 15:54:42.174032       10.0.1.46.1360 > 41.76.7.25.80: S 3967763640:3967763640(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
  52: 15:54:42.177755       41.76.7.25.80 > 10.0.1.46.1360: S 3294256904:3294256904(0) ack 3967763641 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
  53: 15:54:42.178060       10.0.1.46.1360 > 41.76.7.25.80: . ack 3294256905 win 258
  54: 15:54:42.178320       10.0.1.46.1360 > 41.76.7.25.80: P 3967763641:3967763971(330) ack 3294256905 win 258
  55: 15:54:42.182958       41.76.7.25.80 > 10.0.1.46.1360: . ack 3967763971 win 236

Hi Bogdan,
I have two records pointing to my MPLS IPs 41.76.5.129 and 41.76.5.130. When I open a browser and type one of those records, the result is correct:
1: 14:48:26.075923 10.0.1.46.57930 > 41.76.5.129.80: S 4227038142:4227038142(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 14:48:26.076381 41.76.5.129.80 > 10.0.1.46.57930: S 243261994:243261994(0) ack 4227038143 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 7>
3: 14:48:26.076549 10.0.1.46.57930 > 41.76.5.129.80: . ack 243261995 win 258
4: 14:48:27.274094 10.0.1.46.57930 > 41.76.5.129.80: P 4227038143:4227038560(417) ack 243261995 win 258
5: 14:48:27.274811 41.76.5.129.80 > 10.0.1.46.57930: . ack 4227038560 win 123
6: 14:48:27.275040 41.76.5.129.80 > 10.0.1.46.57930: P 243261995:243262130(135) ack 4227038560 win 123
7: 14:48:27.284226 10.0.1.46.57930 > 41.76.5.129.80: P 4227038560:4227039009(449) ack 243262130 win 258
8: 14:48:27.323957 41.76.5.129.80 > 10.0.1.46.57930: . ack 4227039009 win 131
9: 14:48:27.583938 41.76.5.129.80 > 10.0.1.46.57930: . 243262130:243263510(1380) ack 4227039009 win 131
10: 14:48:27.583969 41.76.5.129.80 > 10.0.1.46.57930: P 243263510:243263830(320) ack 4227039009 win 131
11: 14:48:27.584106 41.76.5.129.80 > 10.0.1.46.57930: P 243263830:243265198(1368) ack 4227039009 win 131
12: 14:48:27.584167 41.76.5.129.80 > 10.0.1.46.57930: P 243265198:243266200(1002) ack 4227039009 win 131
13: 14:48:27.584198 41.76.5.129.80 > 10.0.1.46.57930: P 243266200:243266540(340) ack 4227039009 win 131
14: 14:48:27.584228 10.0.1.46.57930 > 41.76.5.129.80: . ack 243263830 win 258
15: 14:48:27.584305 41.76.5.129.80 > 10.0.1.46.57930: P 243266540:243267560(1020) ack 4227039009 win 131
16: 14:48:27.584335 41.76.5.129.80 > 10.0.1.46.57930: P 243267560:243267926(366) ack 4227039009 win 131
17: 14:48:27.584335 10.0.1.46.57930 > 41.76.5.129.80: . ack 243266200 win 258
18: 14:48:27.584442 10.0.1.46.57930 > 41.76.5.129.80: . ack 243267560 win 253
19: 14:48:27.584503 41.76.5.129.80 > 10.0.1.46.57930: P 243267926:243269294(1368) ack 4227039009 win 131
20: 14:48:27.584564 41.76.5.129.80 > 10.0.1.46.57930: P 243269294:243270192(898) ack 4227039009 win 131
21: 14:48:27.584625 10.0.1.46.57930 > 41.76.5.129.80: . ack 243269294 win 258
22: 14:48:27.637082 10.0.1.46.57930 > 41.76.5.129.80: . ack 243270192 win 255
23: 14:48:33.274750 10.0.1.46.57941 > 41.76.5.130.80: S 2457575680:2457575680(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
24: 14:48:33.275162 41.76.5.130.80 > 10.0.1.46.57941: S 899255305:899255305(0) ack 2457575681 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 7>
25: 14:48:33.275284 10.0.1.46.57941 > 41.76.5.130.80: . ack 899255306 win 258
26: 14:48:34.278611 10.0.1.46.57941 > 41.76.5.130.80: P 2457575681:2457576094(413) ack 899255306 win 258
27: 14:48:34.279053 41.76.5.130.80 > 10.0.1.46.57941: . ack 2457576094 win 123
28: 14:48:34.279221 41.76.5.130.80 > 10.0.1.46.57941: P 899255306:899255441(135) ack 2457576094 win 123
29: 14:48:34.283142 10.0.1.46.57941 > 41.76.5.130.80: P 2457576094:2457576540(446) ack 899255441 win 258
30: 14:48:34.322996 41.76.5.130.80 > 10.0.1.46.57941: . ack 2457576540 win 131
31: 14:48:34.469091 41.76.5.130.80 > 10.0.1.46.57941: . 899255441:899256821(1380) ack 2457576540 win 131
32: 14:48:34.469152 41.76.5.130.80 > 10.0.1.46.57941: P 899256821:899257255(434) ack 2457576540 win 131
33: 14:48:34.469290 41.76.5.130.80 > 10.0.1.46.57941: P 899257255:899258623(1368) ack 2457576540 win 131
34: 14:48:34.469305 10.0.1.46.57941 > 41.76.5.130.80: . ack 899257255 win 258
35: 14:48:34.469366 41.76.5.130.80 > 10.0.1.46.57941: P 899258623:899259511(888) ack 2457576540 win 131
36: 14:48:34.469412 41.76.5.130.80 > 10.0.1.46.57941: P 899259511:899259965(454) ack 2457576540 win 131
37: 14:48:34.469519 10.0.1.46.57941 > 41.76.5.130.80: . ack 899259511 win 258
38: 14:48:34.469534 41.76.5.130.80 > 10.0.1.46.57941: P 899259965:899261181(1216) ack 2457576540 win 131
39: 14:48:34.469778 10.0.1.46.57941 > 41.76.5.130.80: . ack 899261181 win 258
40: 14:48:37.584625 10.0.1.46.57930 > 41.76.5.129.80: . 4227039008:4227039009(1) ack 243270192 win 255
41: 14:48:37.585083 41.76.5.129.80 > 10.0.1.46.57930: . ack 4227039009 win 131 <nop,nop,sack sack 1 {4227039008:4227039009} >

But when I open a browser and type another record the result is wrong:
1: 14:44:57.907362 10.0.1.46.57515 > 54.169.165.185.80: S 1401022884:1401022884(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 14:44:58.324690 54.169.165.185.80 > 10.0.1.46.57515: S 3680222914:3680222914(0) ack 1401022885 win 2048 <mss 1380,nop,nop,sackOK,nop,wscale 9>
3: 14:44:58.324995 10.0.1.46.57515 > 54.169.165.185.80: . ack 3680222915 win 258
4: 14:44:58.325239 10.0.1.46.57515 > 54.169.165.185.80: P 1401022885:1401023092(207) ack 3680222915 win 258
5: 14:44:58.741828 54.169.165.185.80 > 10.0.1.46.57515: . ack 1401023092 win 7
6: 14:44:58.742057 54.169.165.185.80 > 10.0.1.46.57515: P 3680222915:3680223686(771) ack 1401023092 win 7
7: 14:44:58.742545 10.0.1.46.57515 > 54.169.165.185.80: R 1401023092:1401023092(0) ack 3680223686 win 0
8: 14:44:58.744987 10.0.1.46.57516 > 54.169.165.185.80: S 1672386368:1672386368(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
9: 14:44:59.166022 54.169.165.185.80 > 10.0.1.46.57516: S 4165840822:4165840822(0) ack 1672386369 win 2048 <mss 1380>
10: 14:44:59.166327 10.0.1.46.57516 > 54.169.165.185.80: . ack 4165840823 win 64860
11: 14:44:59.166419 10.0.1.46.57516 > 54.169.165.185.80: P 1672386369:1672386408(39) ack 4165840823 win 64860
12: 14:44:59.584945 54.169.165.185.80 > 10.0.1.46.57516: . ack 1672386408 win 1300
13: 14:44:59.585098 10.0.1.46.57516 > 54.169.165.185.80: P 1672386408:1672386488(80) ack 4165840823 win 64860
14: 14:45:00.003677 54.169.165.185.80 > 10.0.1.46.57516: . ack 1672386488 win 1300
15: 14:45:00.004012 54.169.165.185.80 > 10.0.1.46.57516: P 4165840823:4165841594(771) ack 1672386488 win 1300
16: 14:45:00.004638 10.0.1.46.57516 > 54.169.165.185.80: R 1672386488:1672386488(0) ack 4165841594 win 0
17: 14:45:17.839373 10.0.1.46.57557 > 216.58.223.46.80: S 4289800680:4289800680(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
18: 14:45:17.922727 216.58.223.46.80 > 10.0.1.46.57557: S 2002344414:2002344414(0) ack 4289800681 win 42780 <mss 1380,nop,nop,sackOK,nop,wscale 8>
19: 14:45:17.922910 10.0.1.46.57557 > 216.58.223.46.80: . ack 2002344415 win 258
20: 14:45:17.923215 10.0.1.46.57557 > 216.58.223.46.80: P 4289800681:4289801490(809) ack 2002344415 win 258
21: 14:45:17.973353 216.58.223.46.80 > 10.0.1.46.57557: . ack 4289801490 win 174
22: 14:45:18.130150 216.58.223.46.80 > 10.0.1.46.57557: P 2002344415:2002345152(737) ack 4289801490 win 174
23: 14:45:18.167960 10.0.1.46.57557 > 216.58.223.46.80: . ack 2002345152 win 255
24: 14:45:20.854142 10.0.1.46.57570 > 2.19.153.116.80: S 412012794:412012794(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
25: 14:45:21.027693 2.19.153.116.80 > 10.0.1.46.57570: S 2427918533:2427918533(0) ack 412012795 win 29200 <mss 1380,nop,nop,sackOK,nop,wscale 5>
26: 14:45:21.027906 10.0.1.46.57570 > 2.19.153.116.80: . ack 2427918534 win 258
27: 14:45:26.270860 10.0.1.46.57570 > 2.19.153.116.80: F 412012795:412012795(0) ack 2427918534 win 258
28: 14:45:26.439872 2.19.153.116.80 > 10.0.1.46.57570: F 2427918534:2427918534(0) ack 412012796 win 913
29: 14:45:26.440162 10.0.1.46.57570 > 2.19.153.116.80: . ack 2427918535 win 258
30: 14:45:28.134270 10.0.1.46.57557 > 216.58.223.46.80: . 4289801489:4289801490(1) ack 2002345152 win 255
31: 14:45:28.149848 216.58.223.46.80 > 10.0.1.46.57557: . ack 4289801490 win 174 <nop,nop,sack sack 1 {4289801489:4289801490} >
32: 14:45:38.156959 10.0.1.46.57557 > 216.58.223.46.80: . 4289801489:4289801490(1) ack 2002345152 win 255
33: 14:45:38.172644 216.58.223.46.80 > 10.0.1.46.57557: . ack 4289801490 win 174 <nop,nop,sack sack 1 {4289801489:4289801490} >
34: 14:45:48.181677 10.0.1.46.57557 > 216.58.223.46.80: . 4289801489:4289801490(1) ack 2002345152 win 255
35: 14:45:48.197331 216.58.223.46.80 > 10.0.1.46.57557: . ack 4289801490 win 174 <nop,nop,sack sack 1 {4289801489:4289801490} >
36: 14:45:58.210712 10.0.1.46.57557 > 216.58.223.46.80: . 4289801489:4289801490(1) ack 2002345152 win 255
37: 14:45:58.226413 216.58.223.46.80 > 10.0.1.46.57557: . ack 4289801490 win 174 <nop,nop,sack sack 1 {4289801489:4289801490} >

I don't know why it is going to outside. Please help!

Hi experts,

 

Any ideas, please?

 

Thank you,
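
An added example, not part of the original thread: a small parser for the ASA capture output posted above that totals new payload per direction for each TCP flow, counts re-sent old bytes (keepalive probes) and records which side reset the connection. The sample lines are copied from the thread's captures; `summarize` and its field names are this example's own, and sequence-number wraparound is ignored.

```python
import re
# Lines copied from the thread's captures: one failing flow, one working flow.
SAMPLE = """
   1: 15:53:10.128518       10.0.1.46.1183 > 41.76.7.25.80: S 2477633111:2477633111(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 15:53:10.131020       41.76.7.25.80 > 10.0.1.46.1183: S 809984383:809984383(0) ack 2477633112 win 29040 <mss 1380,nop,nop,sackOK,nop,wscale 7>
   3: 15:53:10.131127       10.0.1.46.1183 > 41.76.7.25.80: . ack 809984384 win 258
   4: 15:53:11.795811       10.0.1.46.1183 > 41.76.7.25.80: P 2477633112:2477633442(330) ack 809984384 win 258
   5: 15:53:11.800175       41.76.7.25.80 > 10.0.1.46.1183: . ack 2477633442 win 236
   6: 15:53:21.799900       10.0.1.46.1183 > 41.76.7.25.80: . 2477633441:2477633442(1) ack 809984384 win 258
   7: 15:53:21.802326       41.76.7.25.80 > 10.0.1.46.1183: . ack 2477633442 win 236 <nop,nop,sack sack 1 {2477633441:2477633442} >
   8: 15:53:26.832537       41.76.7.25.80 > 10.0.1.46.1183: R 809984384:809984384(0) ack 2477633442 win 236
1: 14:48:26.075923 10.0.1.46.57930 > 41.76.5.129.80: S 4227038142:4227038142(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 14:48:26.076381 41.76.5.129.80 > 10.0.1.46.57930: S 243261994:243261994(0) ack 4227038143 win 14600 <mss 1380,nop,nop,sackOK,nop,wscale 7>
3: 14:48:26.076549 10.0.1.46.57930 > 41.76.5.129.80: . ack 243261995 win 258
4: 14:48:27.274094 10.0.1.46.57930 > 41.76.5.129.80: P 4227038143:4227038560(417) ack 243261995 win 258
5: 14:48:27.274811 41.76.5.129.80 > 10.0.1.46.57930: . ack 4227038560 win 123
6: 14:48:27.275040 41.76.5.129.80 > 10.0.1.46.57930: P 243261995:243262130(135) ack 4227038560 win 123
"""

LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):\s+(\S+)(?:\s+(\d+):(\d+)\(\d+\))?")

def summarize(capture):
    """Per-flow totals; the first sender seen for an endpoint pair is the client."""
    flows = {}
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        src, dst, flags, start, end = m.groups()
        key = (src, dst) if (src, dst) in flows or (dst, src) not in flows else (dst, src)
        f = flows.setdefault(key, {"client_bytes": 0, "server_bytes": 0,
                                   "keepalives": 0, "reset_by": None, "max_end": {}})
        side = "client" if src == key[0] else "server"
        if "R" in flags and f["reset_by"] is None:
            f["reset_by"] = side
        if start is None:
            continue                      # pure ACK: no sequence range printed
        start, end = int(start), int(end)
        seen = f["max_end"].get(side)
        if seen is not None and start < end <= seen:
            f["keepalives"] += 1          # already-sent byte: keepalive or retransmit
        else:
            f[side + "_bytes"] += end - start
        f["max_end"][side] = max(seen or 0, end)
    return flows

if __name__ == "__main__":
    for (client, server), f in summarize(SAMPLE).items():
        print(client, "->", server, {k: v for k, v in f.items() if k != "max_end"})
```

On these lines the flow to 41.76.7.25 shows a 330-byte request, no response payload, one keepalive probe and a reset arriving from the 41.76.7.25 side, while the flow to 41.76.5.129 receives response data.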
