02-20-2014 06:06 PM - edited 03-11-2019 08:48 PM
I have the following configured on an ASA running 9.1(2)
object network Webserver
 host 10.10.10.1
 nat (DMZ,outside) static 208.2.3.4
access-list knock_knock extended permit tcp any object Webserver eq http
access-group knock_knock in interface outside
BUT... I still cannot get to the webserver from the outside (internet). So I captured some logs and found that the NAT and access list mentioned above are actually working (please see the attached screen capture).
The NAT is definitely working since my independent test from the outside registers as "hits" each time I try to get to the HTTP server. The logs tell me that it builds and tears down the attempted connection instantaneously. Since I know that the NAT and the access list on the outside interface are both working components, troubleshooting them would be a waste of time. The server itself can access the internet (outside) without any issues from behind the DMZ where it lives. I tested its ability to do so by logging on and browsing the internet (Yahoo, CNN, etc.), so the basic principles of the server are fine (IP, gateway, subnet connectivity, etc.).
What would you do at this point?
Thanks in advance
02-20-2014 08:51 PM
Hey,
Please check the output of the following command from the firewall.
#packet-tracer input dmz tcp
Thanks
02-21-2014 12:19 AM
If the packet tracer shows as allowed, I would do a packet capture. This will give us a good idea if the packets are entering and leaving the outside interface, as well as entering and leaving the inside interface. Please post the results here for further assistance.
here is a link on how to perform a packet capture:
--
Please remember to rate and select a correct answer
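Putting the two suggestions above into one sequence, here is an added worked example (not part of the original thread) using the object, addresses and interface names from the first post; the outside test host 198.51.100.10 and the capture names are assumptions.

```cisco
! Step 1: simulate an inbound HTTP connection from an assumed outside host
! (198.51.100.10) to the mapped address. Every phase (ACCESS-LIST, UN-NAT,
! ROUTE-LOOKUP, ...) should show ALLOW; the first DROP names the failing stage.
packet-tracer input outside tcp 198.51.100.10 40000 208.2.3.4 80 detailed

! Step 2: if the tracer allows it, capture the live traffic on both sides of
! the firewall. The outside interface sees the mapped IP, the DMZ the real IP.
capture capout interface outside match tcp any host 208.2.3.4 eq 80
capture capdmz interface DMZ match tcp any host 10.10.10.1 eq 80
! Also record anything the accelerated security path drops silently.
capture capasp type asp-drop all

! Step 3: repeat the browser test from the outside, then compare the captures.
show capture capout
show capture capdmz
show capture capasp | include 10.10.10.1
! Reading the result (general guidance, not a diagnosis of this thread's case):
!   SYN in capout only             -> dropped before/at NAT; see capasp and show asp drop
!   SYN in both, no SYN-ACK back   -> server side (no listener, host firewall,
!                                     or the server's default gateway is not the ASA)
!   SYN-ACK on DMZ but not outside -> reply dropped on egress; check capasp
show asp drop
show nat detail
show conn address 10.10.10.1

! Step 4: clean up; captures hold buffer memory until removed.
no capture capout
no capture capdmz
no capture capasp
```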