Is Traffic Flowing From Outside to Server in DMZ - NAT?

SteveSmo1
Level 1

Hi - Cisco ASA 5510 v. 9.1(1), ASDM v. 7.1(1)52

I'm having a heck of a time troubleshooting connectivity to a web server that's sitting in my DMZ.

I can access this web server from another server in the DMZ, but I cannot from Outside.

Packet tracer shows that traffic is flowing to the public IP on the Outside (see below) and that the IP is being translated using NAT.

But I get NO hits on the web server.

How can I tell if the packets are, indeed, reaching the web server?

Thanx

SteveSmo

"Never, ever doubt what nobody is sure about." -Willy Wonka

Result of the command: "packet-tracer input Outside tcp 192.168.0.123 12345 67.136.135.233 443"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.16.0    255.255.255.0   DMZ

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Server_ReverseProxy
 nat (any,any) static lyncdiscover.oslccp.org
Additional Information:
NAT divert to egress interface DMZ
Untranslate 67.136.135.233/443 to [External IP of ReverseProxy]/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object Server_ReverseProxy object-group DM_INLINE_TCP_5 log debugging
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Server_ReverseProxy
 nat (any,any) static lyncdiscover.oslccp.org
Additional Information:

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 68001038, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

3 Replies

Based on your packet-tracer, it should work. Next tests:

  1. Does your DMZ-server have the right default-gateway? It has to be the DMZ-IP of the ASA.
  2. Do a "ping tcp IP-OF-PROXY 443". Do you get "!!!!!" as the result? If you see "RRRRR", then the service is not running.
  3. Trigger a connection from the internet and issue a "show conn | i IP-OF-PROXY". What are the flags that you are seeing? If it includes "saA", then the traffic reaches the ASA, is sent to the proxy, but nothing comes back.

1. Yes, gateway is DMZ-IP of ASA

2. ping tcp [IP of rProxy: 443] returns this:

Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to [External IP of rProxy] port 443
from [DMZ-IP of ASA], timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

3. "show conn | i [IP of rProxy]" returns this:

70.210.157.141:4794 DMZ  [IP of rProxy]:443, idle 0:00:00, bytes 0, flags SaAB

So this means that the rProxy is not replying? As I said earlier, I can connect to the server from another server in the DMZ...
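To read "show conn" output like the line above programmatically, here is a small parser that decodes the handshake flags and says whether the fault is on the ASA side or on the server side. This is an added example, not code from the thread; the sample lines are constructed, and 192.168.16.10 is a placeholder for the redacted proxy address.

```python
import re

# Subset of the ASA "show conn" flag legend covering the TCP handshake states.
FLAG_LEGEND = {"s": "awaiting outside SYN", "S": "awaiting inside SYN",
               "a": "awaiting outside ACK to SYN", "A": "awaiting inside ACK to SYN",
               "B": "initial SYN from outside", "U": "up (handshake complete)",
               "I": "inbound data", "O": "outbound data"}

# One entry per line: proto, ingress if, src:port, egress if, dst:port, idle, bytes, flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<dst>\S+):(?P<dport>\d+),\s+idle\s+(?P<idle>\S+),"
    r"\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?")

def parse_conn(line):
    """Parse one 'show conn' line into a dict; None if the line is not a conn entry."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    c["bytes"] = int(c["bytes"])
    c["flags"] = c["flags"] or ""
    c["decoded"] = [FLAG_LEGEND.get(f, "other flag %r" % f) for f in c["flags"]]
    return c

def diagnose(c):
    """'U' means the server answered; SYN-state flags with 0 bytes mean it never did."""
    if c["proto"] != "TCP":
        return "not tcp"
    if "U" in c["flags"]:
        return "established"
    if c["bytes"] == 0 and any(f in c["flags"] for f in "sSaA"):
        who = "outside" if "B" in c["flags"] else "inside"
        # The conn exists, so ACL and NAT already passed; the egress host sent no SYN-ACK.
        # That points at its gateway, NIC/VLAN or listening service, not at the ASA rules.
        return "half-open from %s: no SYN-ACK from %s host %s:%s" % (
            who, c["out_if"], c["dst"], c["dport"])
    return "embryonic/other"

def triage(show_conn_output):
    """Map each connection (src:sport) in a 'show conn' dump to its diagnose() verdict."""
    return {"%s:%s" % (c["src"], c["sport"]): diagnose(c)
            for c in map(parse_conn, show_conn_output.splitlines()) if c}

# Constructed sample; 192.168.16.10 is a placeholder for the thread's redacted proxy address.
SAMPLE = """\
TCP Outside 70.210.157.141:4794 DMZ 192.168.16.10:443, idle 0:00:00, bytes 0, flags SaAB
TCP Outside 203.0.113.7:51022 DMZ 192.168.16.10:443, idle 0:00:03, bytes 4120, flags UIO
UDP DMZ 192.168.16.10:5060 Outside 198.51.100.4:5060, idle 0:00:10, bytes 880, flags -
"""
```

Run triage(SAMPLE) against a real dump and any entry reported as half-open with 0 bytes is a server-side problem to chase, exactly the SaAB case in this thread.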

Embarrassing moment: turns out the interface for the external NIC on the server VM was incorrect. Changing it to the correct interface (obviously) resolved the issue. Thanks to all for your replies.
