cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1219
Views
15
Helpful
8
Replies

NAT issue on ASA 5525 8.6(1)

Hidayat Khan
Level 1
Level 1

Hello Experts,

                    We have recently installed new 5525 8.6(1) ASA's. Our setup is like; where wer are using Public IP for web server, which needs to be mapped/natted to internet VIP address and that VIP is configured on F5 LB. Setup is below; This Public IP is the webserver IP. The firewall get hits, but web server page is not being displayes. In the logs FW built tcp but then tear down the session, syslog id (302014) 77 TCP Reset-I

                          |INTERNET|

                                 |

                                 |

                         195.201.55.X

                            [ ASA ]

                          Natting to

                         10.100.100.151

                              [ F5 ]

                                |

                              /  \

                            /       \

Real Servers---> .150   .151

NAT Config is;

nat (DMZ1,OUTSIDE) source static 10.100.100.151  195.201.55.X

Your help will be appreciated if you can provide the right nat config;

Regards

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The NAT configuration should be fine although I would personally configure a Static NAT differently.

object network STATIC

host 10.100.100.151

nat (DMZ1,OUTSIDE) static 195.201.55.xx

The Teardown message already tells us that a host outside your network was able to form a TCP connection with the server but the server sent a TCP Reset for the connection for some reason.

If you want to confirm firewall rules still then you can use the "packet-tracer" command

packet-tracer input OUTSIDE tcp 195.201.55.xx 80

- Jouni

View solution in original post

8 Replies 8

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The NAT configuration should be fine although I would personally configure a Static NAT differently.

object network STATIC

host 10.100.100.151

nat (DMZ1,OUTSIDE) static 195.201.55.xx

The Teardown message already tells us that a host outside your network was able to form a TCP connection with the server but the server sent a TCP Reset for the connection for some reason.

If you want to confirm firewall rules still then you can use the "packet-tracer" command

packet-tracer input OUTSIDE tcp 195.201.55.xx 80

- Jouni

Thanks Jouni, I will try and let you know shortly.

Regards

Hi Hidayat,

If the packet tracer shows that the traffic is allowed then you may also try to do a tcp ping from the ASA to verify whether the port is open:

ping tcp 10.100.100.151 80

Also verify whether the gateway is configured correctly or not.

-Akshay


Hi Akshay,

               ICMP is not working as you said, it may not be allowed on F5 LB to allow ICMP in either direction, but natting is still not working. Yes the Gateway is the IP address 10.100.100.1 DMZ vlan, which is configured on the F5 LB. The server can ping its default gateway.

Also on the FW I put static route pointing to the Server Subnet via F5 LB interface. Both F5 and ASA are connected point to point and can ping each other!

Hi,

The "packet-tracer" will tell if the rules on the firewall are working.

If that test doesnt show anything wrong its likely that the problems is somewhere else than the firewall.

The original log message that you mentioned to me atleast says that the server was already reached but the server resetted the TCP connection.

If you are not sure about the firewall configuration you can share them here so we can go through them (can mask public IP addresses ofcourse)

- Jouni

Hi Hidayat,

Did you perform a TCP PING?

ping tcp 10.100.100.151 80

tcp ping is actually a TCP SYN packet sent from the firewall on the mentioned port. If this is not working then you have to verify why the server is not responding to this.

Capture at the server would help you identify if the packets are reaching the server.

Regards,

Akshay

Hidayat Khan
Level 1
Level 1

Hi Jouni,

            The packet tracer looks good, all green tick boxes. I need to install wireshark on the Servers to makesure they are getting request from the Firewall.

The funny thing is, on the firewall if I change the NAT say, from public IP translate to the real IP of the servers, then it works perfectly. But as soon as I change the NAT rule i.e Public IP translate to the VIP address, then it doesn't bring up the webpage. though I can ping the VIP address from the firewall, and the VIP address is the same subnet as the FW and F5 boxes with /24 mask! e.g  FW int ip is 10.100.100.1 and F5 connecting to FW is 10.100.100.3  and the VIP is

10.100.100.151/24.

Akshy,

         On the FW I did the TCP Ping, but It doesn't work. Like I said, I will install wireshark on the server and then will see if it works.

Many thanks guys for your quick response and help. I will let you know the result.

Regards

Hidayat Khan
Level 1
Level 1

HI Guys,

            I have fixed the natting issue in both direction. Config below;

nat (DMZ1,OUTSIDE) source static 10.100.100.151   195.201.55.x

but I did not configure it under object group, though I did try earlier, but it wasn't working. Now fixed it.

Thanks to Jouni and Akshy. I really appreciated.

Regards

Review Cisco Networking for a $25 gift card