02-19-2014 07:42 PM - edited 03-11-2019 08:47 PM
Hello, I have a very simple issue and need your kind help! I need to access a web server (192.18.81.13) from outside through an ASA5505, and I used static NAT to map it to the outside interface IP, 198.18.81.232. Everything seemed OK but I failed to access it through http://192.18.81.232; in the Real-time Log Viewer I found no problems. Please find my config attached. Any suggestions? Thank you!
02-19-2014 11:25 PM
Hi,
So are you saying that there is only the connected network behind "outside" interface? I can only see a default route that is pointing towards "inside"? Or is there an error on the default route as in a typical setup you would have it towards "outside" or is this ASA somewhere else than the edge of the internal/external network?
As you can see from the logs, the connection is allowed through the ASA but it ends with SYN Timeout. It either means the server does not reply, or the server (and/or devices between it and the ASA) don't have a route towards the "outside" network of the ASA pointing towards the ASA, so the return traffic for the connection doesn't go where it needs to go.
- Jouni
02-20-2014 12:30 AM
My host is connected directly to the ASA, and the web server is connected through a switch. The actual topology is as below,
02-20-2014 12:39 AM
Ok,
Well according to the logs it seems to me that the clients have correct network configurations as they forward the connection to the ASA. The ASA also seems to have a correct configuration as it builds the connection through the ASA but the connection never fully forms between client and server.
I would suggest checking the network settings of the server to confirm that it has its default gateway set.
If that is fine then I would confirm that the service itself is running on the server and no software firewall is blocking the connection attempts. You could naturally test the connectivity with some other TCP based service through the ASA, though you would have to configure the same type of Static PAT (Port Forward) and make the ACL rule addition.
- Jouni
02-20-2014 12:56 AM
Checking the gateway sounds very reasonable. I will check next week, as I have no time this week. Thank you!
02-24-2014 05:16 PM
It really was the gateway to blame. I set the server's default gateway to the firewall's inside IP and then all was OK. To my knowledge there is no need to set a gateway since they are connected by a switch, so it is strange to me. Anyway, it is OK now. Thank you very much!
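Added example, not part of the original thread: a small Python check for the symptom diagnosed above, where the ASA builds the connection and then tears it down with SYN Timeout because the server's reply never comes back. The log lines are constructed in the ASA 302013/302014 syslog layout, and the function name, client addresses and connection ids are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the ASA 302013/302014 syslog layout. Server and mapped
# addresses are the thread's; client addresses and connection ids are made up.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.18.81.50/51000 (198.18.81.50/51000) to inside:192.18.81.13/80 (198.18.81.232/80)
%ASA-6-302014: Teardown TCP connection 1001 for outside:198.18.81.50/51000 to inside:192.18.81.13/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.18.81.50/51001 (198.18.81.50/51001) to inside:192.18.81.13/80 (198.18.81.232/80)
%ASA-6-302014: Teardown TCP connection 1002 for outside:198.18.81.50/51001 to inside:192.18.81.13/80 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.18.81.60/443 (198.18.81.60/443) to inside:192.18.81.20/40000 (198.18.81.232/40000)
%ASA-6-302014: Teardown TCP connection 1003 for outside:198.18.81.60/443 to inside:192.18.81.20/40000 duration 0:00:05 bytes 5120 TCP FINs
"""

BUILT = re.compile(r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) ")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for "
    r"\S+?:([\d.]+)/(\d+) to \S+?:([\d.]+)/(\d+) "
    r"duration \S+ bytes (\d+)\s*(.*)$")

def silent_servers(log_text):
    """Count connections per (server_ip, port) that the ASA built but tore down
    with 'SYN Timeout' and 0 bytes: the SYN was forwarded, no reply came back."""
    direction, hits = {}, Counter()
    for line in log_text.splitlines():
        if (b := BUILT.search(line)):
            direction[b.group(2)] = b.group(1)  # remember inbound/outbound per id
            continue
        t = TEARDOWN.search(line)
        if not t:
            continue
        conn, a_ip, a_port, b_ip, b_port, nbytes, reason = t.groups()
        if not reason.startswith("SYN Timeout") or int(nbytes) != 0:
            continue
        # Inbound: the responder is the "to" side; outbound: the "for" side.
        # Assumption: a teardown with no matching Built line is treated as inbound.
        if direction.get(conn, "inbound") == "inbound":
            hits[(b_ip, int(b_port))] += 1
        else:
            hits[(a_ip, int(a_port))] += 1
    return dict(hits)

if __name__ == "__main__":
    for (ip, port), n in silent_servers(SAMPLE_LOG).items():
        print(f"{ip}:{port} never answered {n} SYN(s): check its default gateway, "
              "return route, listening service and host firewall")
```

A server that shows up here while the ACL and NAT counters increment is the case from this thread: the firewall side is fine and the fix is on the server or its return path.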