Hello,
I'm running into a really strange issue with static NAT on my ASA. We are essentially accepting external connections into our reverse proxy via 443. Let me show you two NAT lines that should do the SAME EXACT THING, but for some reason, they don't. To my understanding, they are the SAME rule; one is just inside>outside and the other is outside>inside. Here are the rules:
1- nat (LAN-Services,outside-level3) source static production-reverse-proxy01 prod-api-com-public-ip-a no-proxy-arp

2- nat (outside-level3,LAN-Services) source static any any destination static prod-api-com-public-ip-a production-reverse-proxy01 no-proxy-arp
Both of these SHOULD be simple static one-to-one NATs, and should work for both inbound and outbound traffic exactly the same. NAT and U-NAT will just be different depending on which rule you use, and which direction the traffic is headed. Here's the issue. Last night around 4pm CST, I removed line 2 and added line 1. To make things easier, right? I tested external traffic in to the reverse proxy, and I ran a packet-tracer command to simulate the traffic. Sure enough, the new line two was matching great.
Fast forward 3 hours, reverse proxy is not reachable, zero connections on the firewall for the internal IP of the RP. Nothing. I removed line 1, and put line 2 back in, everything starts working.
What am I missing here? These two rules should work in the SAME FASHION. NAT rules work both ways. Why was it working for a couple hours?
Please help.
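As an added example (not from the original post, and not a diagnosis of it), here is the set of ASA checks a practitioner would run to see which of the two rules a flow actually hits, in which direction, and whether the translation is still live after a few hours. The interface and object names are the ones above; the addresses 198.51.100.10 (the mapped public address), 10.0.0.10 (the real proxy address) and 203.0.113.77 (an outside client) are constructed placeholders, not values from the post.

```cisco
! --- Added example: verifying a static NAT rule in both directions on an ASA ---
! Placeholders (constructed, not from the post):
!   198.51.100.10 = mapped address behind object prod-api-com-public-ip-a
!   10.0.0.10     = real address behind object production-reverse-proxy01
!   203.0.113.77  = an external client on the Internet

! Inbound: an outside client connecting to the proxy on 443.
! The NAT phase of the output names the rule that matched and shows the
! untranslate (mapped -> real) that was applied.
packet-tracer input outside-level3 tcp 203.0.113.77 40000 198.51.100.10 443 detailed

! Outbound: the proxy itself initiating a connection out.
! This shows the same rule (or a different one) translating real -> mapped.
packet-tracer input LAN-Services tcp 10.0.0.10 50000 203.0.113.77 443 detailed

! Per-rule hit counters: translate_hits = real->mapped matches,
! untranslate_hits = mapped->real matches. Run this before and after a
! change, and again a few hours later, to see whether the counters for
! the new rule keep climbing or stop.
show nat detail

! Live state for the real host: is there an xlate, and are there connections?
show xlate | include 10.0.0.10
show conn address 10.0.0.10

! The ASA's own ARP table for the outside segment (next hop and any
! neighbour entries), useful when a rule carries no-proxy-arp.
show arp
```

packet-tracer only exercises the ASA's own packet path (ACL, NAT, route lookup); it does not touch the ARP caches of neighbouring devices, so a rule that "matches great" in packet-tracer can still be tested separately for reachability from a real outside host. Comparing the translate_hits and untranslate_hits counters from `show nat detail` at the time of the change and at the time of the outage is the quickest way to tell whether the rule stopped being hit or whether traffic stopped arriving at the firewall at all.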