04-09-2013 04:26 AM - edited 03-11-2019 06:25 PM
Hello Experts,
We have recently installed new 5525 8.6(1) ASAs. Our setup is as follows: we are using a public IP for the web server, which needs to be mapped/NATed to the VIP address, and that VIP is configured on the F5 LB. The setup is below; this public IP is the web server IP. The firewall gets hits, but the web server page is not being displayed. In the logs the FW built the TCP connection but then tore the session down, syslog ID 302014, 77 TCP Reset-I.
|INTERNET|
|
|
195.201.55.X
[ ASA ]
Natting to
10.100.100.151
[ F5 ]
|
/ \
/ \
Real Servers---> .150 .151
NAT Config is;
nat (DMZ1,OUTSIDE) source static 10.100.100.151 195.201.55.X
Your help will be appreciated if you can provide the right nat config;
Regards
04-09-2013 04:33 AM
Hi,
The NAT configuration should be fine although I would personally configure a Static NAT differently.
object network STATIC
host 10.100.100.151
nat (DMZ1,OUTSIDE) static 195.201.55.xx
The Teardown message already tells us that a host outside your network was able to form a TCP connection with the server but the server sent a TCP Reset for the connection for some reason.
If you want to confirm firewall rules still then you can use the "packet-tracer" command
packet-tracer input OUTSIDE tcp <source-ip> <source-port> <destination-ip> <destination-port>
- Jouni
04-09-2013 04:52 AM
Thanks Jouni, I will try and let you know shortly.
Regards
04-09-2013 05:20 AM
Hi Hidayat,
If the packet tracer shows that the traffic is allowed then you may also try to do a tcp ping from the ASA to verify whether the port is open:
ping tcp 10.100.100.151 80
Also verify whether the gateway is configured correctly or not.
-Akshay
04-09-2013 08:00 AM
Hi Akshay,
ICMP is not working, as you said; it may not be allowed on the F5 LB in either direction, but NATing is still not working. Yes, the gateway is the IP address 10.100.100.1 on the DMZ VLAN, which is configured on the F5 LB. The server can ping its default gateway.
Also, on the FW I put a static route pointing to the server subnet via the F5 LB interface. Both the F5 and the ASA are connected point to point and can ping each other!
04-09-2013 08:06 AM
Hi,
The "packet-tracer" will tell you if the rules on the firewall are working.
If that test doesn't show anything wrong, it's likely that the problem is somewhere other than the firewall.
The original log message that you mentioned, to me at least, says that the server was already reached but the server reset the TCP connection.
If you are not sure about the firewall configuration, you can share it here so we can go through it (you can mask the public IP addresses, of course).
- Jouni
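The reading Jouni gives of the teardown message is the whole diagnostic in this thread: a 302014 with reason "TCP Reset-I" means the ASA already passed the SYN through its NAT and ACL checks and the reset came back from the inside (higher-security, server) side, whereas "TCP Reset-O" means the outside client reset it and "SYN Timeout" means nobody answered at all. The following script is an added example, not code from the thread or from Cisco; it parses 302014 lines and maps the reason field to the next place to look. The log lines are constructed to mirror the thread's topology (OUTSIDE client to the DMZ1 VIP 10.100.100.151), the field order follows the 302014 message format (connection id, source interface:ip/port, destination interface:ip/port, duration, bytes, reason), and the function names and verdict labels are my own.

```python
"""Triage Cisco ASA %ASA-6-302014 TCP teardown messages by reason.

Added example, not from the original thread. The sample lines below are
constructed; the 302014 field order (id, src if:ip/port, dst if:ip/port,
duration, bytes, reason) follows the ASA message format.
"""
import re
from collections import Counter

# One regex for the 302014 teardown line. Interface names stop at ':'.
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)\s*$"
)

# Constructed sample lines (not real captures). 203.0.113.0/24 is the
# documentation range standing in for internet clients; 195.201.55.10 is
# a stand-in for the thread's masked public IP.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 77 for OUTSIDE:203.0.113.10/51234 "
    "(203.0.113.10/51234) to DMZ1:10.100.100.151/80 (195.201.55.10/80)",
    "%ASA-6-302014: Teardown TCP connection 77 for OUTSIDE:203.0.113.10/51234 "
    "to DMZ1:10.100.100.151/80 duration 0:00:00 bytes 0 TCP Reset-I",
    "%ASA-6-302014: Teardown TCP connection 78 for OUTSIDE:203.0.113.11/40001 "
    "to DMZ1:10.100.100.151/80 duration 0:00:00 bytes 0 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 79 for OUTSIDE:203.0.113.12/40002 "
    "to DMZ1:10.100.100.150/80 duration 0:00:03 bytes 5120 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 80 for OUTSIDE:203.0.113.13/40003 "
    "to DMZ1:10.100.100.151/80 duration 0:00:30 bytes 0 SYN Timeout",
]


def parse_teardown(line):
    """Return the 302014 fields as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("id", "src_port", "dst_port", "bytes"):
        rec[key] = int(rec[key])
    return rec


def diagnose(rec):
    """Map the teardown reason to a verdict and the next thing to check.

    Reset-I: the reset came from the inside (the 'to' side, here the DMZ1
    VIP), so the ASA forwarded the SYN and the NAT/ACL path is not the
    problem; look at the listener or VIP.  Reset-O: the outside client
    tore it down.  SYN Timeout: no SYN/ACK ever came back, which points
    at routing or the return path rather than the server refusing.
    """
    reason = rec["reason"]
    where = f"{rec['dst_if']} {rec['dst_ip']}:{rec['dst_port']}"
    if reason == "TCP Reset-I":
        return "server_reset", f"RST from {where}; SYN was forwarded, check listener/VIP"
    if reason == "TCP Reset-O":
        return "client_reset", f"RST from {rec['src_if']} {rec['src_ip']}; client gave up"
    if reason == "SYN Timeout":
        return "no_answer", f"no SYN/ACK from {where}; check route and return path"
    if reason == "TCP FINs":
        return "normal_close", f"clean close after {rec['bytes']} bytes"
    return "other", reason


def triage(lines):
    """Parse every 302014 line and attach a verdict; skip everything else."""
    results = []
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            continue
        verdict, hint = diagnose(rec)
        results.append({**rec, "verdict": verdict, "hint": hint})
    return results


def summarize(lines):
    """Count verdicts so a burst of server_reset stands out in a log file."""
    return Counter(r["verdict"] for r in triage(lines))


if __name__ == "__main__":
    for r in triage(SAMPLE_LOGS):
        print(f"conn {r['id']:>4} {r['verdict']:<13} {r['hint']}")
    print(dict(summarize(SAMPLE_LOGS)))
```

Run it against `show logging` output or a syslog export and the per-connection verdict shows at a glance whether the firewall is the place to keep looking: a run of `server_reset` on a connection that was built a moment earlier (the 302013 line with the same id) is exactly the symptom in the opening post, and the fix is downstream of the ASA.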
04-09-2013 08:09 AM
Hi Hidayat,
Did you perform a TCP PING?
ping tcp 10.100.100.151 80
tcp ping is actually a TCP SYN packet sent from the firewall on the mentioned port. If this is not working then you have to verify why the server is not responding to this.
Capture at the server would help you identify if the packets are reaching the server.
Regards,
Akshay
04-09-2013 10:01 AM
Hi Jouni,
The packet tracer looks good, all green tick boxes. I need to install Wireshark on the servers to make sure they are getting the request from the firewall.
The funny thing is, on the firewall if I change the NAT, say, from the public IP translating to the real IP of the servers, then it works perfectly. But as soon as I change the NAT rule, i.e. the public IP translating to the VIP address, it doesn't bring up the web page, though I can ping the VIP address from the firewall, and the VIP address is in the same subnet as the FW and F5 boxes with a /24 mask! E.g. the FW interface IP is 10.100.100.1, the F5 interface connecting to the FW is 10.100.100.3, and the VIP is 10.100.100.151/24.
Akshay,
On the FW I did the TCP ping, but it doesn't work. Like I said, I will install Wireshark on the server and then will see if it works.
Many thanks guys for your quick response and help. I will let you know the result.
Regards
04-11-2013 03:58 AM
Hi guys,
I have fixed the NATing issue in both directions. Config below;
nat (DMZ1,OUTSIDE) source static 10.100.100.151 195.201.55.x
but I did not configure it under an object group, though I did try that earlier, and it wasn't working. Now it is fixed.
Thanks to Jouni and Akshay. I really appreciate it.
Regards