
Inbound NAT question

roger perkin
Level 2

I have a network with 2 ASAs with different blocks of IPs on each.

I have configured an inbound NAT to a web server on ASA2

The inbound NAT works fine, and when I hit the external address I get a hit on the access list and I see the connection made inbound

%ASA-6-302013: Built inbound TCP connection 11189017 for ASA_Public_IP:*.*.*.*/50038 (*.*.*.*/50038) to Web-Server:192.168.2.19/80 (*.*.*.*/80)

However, that is it; it times out and dies.

My question is do I have to allow that server back out? I am running 8.4(2)

Or is the server taking the default route of the network back out which is out of ASA1?

I couldn't see anything in the logs on ASA1 to suggest this.

If anyone could advise on the routing behaviour of this setup: will the server just try to route back out to the remote address via the default, and if so, can I make the server go back out of ASA2?

I was looking into policy routing to change the default for that server to be ASA2

[Attachment: Cisco case.jpg]

Thanks

Roger
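As an added example that is not part of this thread: a small Python script that correlates ASA 302013 "Built" lines like the one quoted above with their matching 302014 "Teardown" lines by connection id, and flags inbound connections the ASA tore down with "SYN Timeout". That is what a return path leaving via ASA1 looks like from ASA2's side: the translated SYN goes in, the SYN-ACK never comes back through the same box. The 302014 teardown layout is assumed from the standard ASA syslog format (the post only shows 302013), and the sample log lines are constructed with RFC 5737 addresses.

```python
import re

# 302013 follows the layout of the line quoted in the post; the 302014 teardown
# layout is assumed from the standard ASA syslog format (not shown in the post).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) \([^)]*\)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"[^:]+:[^/]+/\d+ to [^:]+:[^/]+/\d+ "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

def find_half_open_inbound(lines):
    """Pair Built/Teardown messages by connection id and return the inbound
    connections torn down with 'SYN Timeout': the client's SYN was translated
    and forwarded to the server, but no SYN-ACK came back through this ASA,
    the classic symptom of an asymmetric return path."""
    built, suspects = {}, []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            if m["dir"] == "inbound":
                built[m["id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in built:
            b = built.pop(m["id"])
            if (m["reason"] or "").startswith("SYN Timeout"):
                suspects.append({"id": m["id"], "duration": m["dur"],
                                 "bytes": int(m["bytes"]),
                                 "client": f"{b['src']}:{b['sport']}",
                                 "server": f"{b['dst']}:{b['dport']}"})
    return suspects

# Constructed sample log (RFC 5737 addresses), modelled on the line in the post.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 11189017 for ASA_Public_IP:203.0.113.50/50038 (203.0.113.50/50038) to Web-Server:192.168.2.19/80 (198.51.100.20/80)",
    "%ASA-6-302014: Teardown TCP connection 11189017 for ASA_Public_IP:203.0.113.50/50038 to Web-Server:192.168.2.19/80 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302013: Built inbound TCP connection 11189020 for ASA_Public_IP:203.0.113.51/40001 (203.0.113.51/40001) to Web-Server:192.168.2.19/80 (198.51.100.20/80)",
    "%ASA-6-302014: Teardown TCP connection 11189020 for ASA_Public_IP:203.0.113.51/40001 to Web-Server:192.168.2.19/80 duration 0:00:02 bytes 5120 TCP FINs",
]

if __name__ == "__main__":
    for s in find_half_open_inbound(SAMPLE_LOG):
        print(f"conn {s['id']}: {s['client']} -> {s['server']} never completed the "
              f"handshake through this ASA ({s['duration']}, {s['bytes']} bytes)")
```

A run of SYN Timeout teardowns for the NATed server, while a capture on the inside interface shows the SYN-ACK leaving the server, points at the return traffic taking the default route through the other ASA.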

1 Reply

Julio Carvajal
VIP Alumni

My question is do I have to allow that server back out? I am running 8.4(2)

No, you do not need that,

Or is the server taking the default route of the network back out which is out of ASA1?

Should not be the case, but just to make sure let's do a capture.

This one on the inside interface of ASA2:

capture capin interface inside match tcp host inside_server host Outside_client

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC