cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

350
Views
0
Helpful
2
Replies
chris.mcdermott
Beginner

NAT Will Not Work

I have the following configured on an ASA running 9.1(2)

object network Webserver

Host  10.10.10.1

nat (DMZ,outside) static 208.2.3.4

Access-list knock_knock extended permit tcp any object Webserver eq http

Access-group knock_knock in interface outside

BUT.. I still cannot get to the the webserver from the outside(internet). so I captured some logs and found that the NAT and access list mentioned above are actually working (please see the attached screen capture)

DMZ Trouble.JPG

The NAT is definitely working since my independent test from the outside registers as "hits" each time I try to get to the HTTP server. The logs tell me that it Builds and Tears down the attempted connection instantaneously. Since I know that the NAT and the access list on the outside interface are both working components, troubleshooting them would be a waste of time. The Server itself can access the internet(outside) without any issues from behind the DMZ where it lives. I tested it's ability to do so by logging on and browsing the internet (yahoo, CNN etc..) so the basic principles of the server are fine (IP, Gateway Subnet connectivity etc..) 


What would you do at this point?


Thanks in advance


2 REPLIES 2
vishaw jasrotia
Beginner

Hey ,

Please check the output of the following command from the firewall.

#packet-tracer input dmz tcp http http

Thanks

Marius Gunnerud
VIP Advisor

If the packet tracer shows as allowed, I would do a packet capture.  This will give us a good idea if the packets is entering and leaving the outside interface, as well as entering and leaving the inside interface.  Please post the results here for further assistance.

here is a link on how to perform a packet capture:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
Create
Recognize Your Peers
Content for Community-Ad