11-10-2014 02:42 AM - edited 03-11-2019 10:03 PM
Hi all,
I created a static NAT (and an inbound ACL to allow only HTTPS) for one of our Riverbeds to be accessed from the internet.
Pings are OK, but I can't seem to get the public IP accessible.
Packet tracer passed in both directions.
Any ideas?
inside: 172.27.14.250
outside: 202.x.x.180
RIVERBED (172.27.14.250) <> ROUTER (172.27.14.249) <> 5520 <> INTERNET
ROUTER#ping 8.8.8.8 so 172.27.14.249
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.27.14.249
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/68/80 ms
5520# ping 172.27.14.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.14.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
access-list OUTSIDE line 10 extended permit tcp any host 172.27.14.250 eq https (hitcnt=81) 0x0f9fbd35
5520# packet-tracer input outside tcp 1.1.1.1 443 202.x.x.180 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network RVB
nat (inside,outside) static 202.x.x.180 dns
Additional Information:
NAT divert to egress interface inside
Untranslate 202.x.x.180/443 to 172.27.14.250/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any host 172.27.14.250 eq https
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network RVB
nat (inside,outside) static 202.x.x.180 dns
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 686320857, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
11-10-2014 02:54 AM
Hi, can you paste the NAT configuration and the object definition?
11-10-2014 03:21 AM
Hi,
Apologies, I forgot. It's just a simple NAT rule:
object network RVB
host 172.27.14.250
nat (inside,outside) static 202.x.x.180 dns
11-10-2014 03:47 AM
The config looks fine and the packet-tracer shows that the NAT is working and the packet gets through. The next thing to test is if the Riverbed already listens on tcp/443:
asa# ping tcp 172.27.14.250 443
And how did you test it?
When using a browser from the outside, issue the following command directly after doing the test:
asa# sh conn | inc 172.27.14.250
There you see in which state the connection is; the meaning of the flags is shown with
asa# show conn detail
11-10-2014 05:59 AM
Hi Karsten,
Ping tcp isn't supported on this image. It seems I'm not getting a SYN-ACK from the Riverbed device (correct me if I'm wrong).
I also saw earlier in the ASDM real-time log viewer that the SYN timed out.
I also checked earlier that the static route entries in the Riverbed seem to be correct (see attached). I'm tempted to reload the Riverbed, but I need to check/cover other things first. Any idea?
Appreciate your help. I've been troubleshooting and scratching my head on this one.
5520# ping tcp ?
ERROR: % Unrecognized command
5520# sh ve
Cisco Adaptive Security Appliance Software Version 8.3(2)34
5520# sh conn | i 172.27.14.250
TCP outside 222.165.x.2:1713 inside 172.27.14.250:443, idle 0:00:03, bytes 0, flags SaAB << USED INTERNET AT HOME
5520# sh conn det | i 172.27.14.250
TCP outside:222.165.x.2/1713 inside:172.27.14.250/443,
11-10-2014 06:09 AM
The "show conn" also shows (same as your log) that nothing comes back after the ASA forwards the packet to the Riverbed. Knowing that, you should continue troubleshooting there.
For the ASA version you are using, upgrading to the newest 8.4 release is highly recommended.
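The advice above is to read the connection flags: for the line posted in the thread (flags SaAB, bytes 0) the ASA has forwarded the outside client's SYN to the inside host and is still waiting for the SYN-ACK. As an added example, not code from the thread or from Cisco, here is a small Python triage script that parses pasted `show conn` lines in the format shown above and states which step of the three-way handshake each connection is stuck at. The letter meanings come from the ASA `show conn detail` legend; the sample output is constructed, with the first line mirroring the one posted in the thread (redacted octet kept) and the others illustrating the remaining states.

```python
"""Decode the TCP handshake state from Cisco ASA 'show conn' output.

Added example, not from the original thread or from Cisco. Parses lines in
the format the ASA prints and reports which step of the three-way handshake
a connection is stuck at, using the TCP flag legend from 'show conn detail'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# TCP-state letters from the ASA 'show conn detail' legend (handshake, data
# and teardown letters only; that is all this triage needs).
TCP_FLAG_LEGEND = {
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN",
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "U": "up", "I": "inbound data", "O": "outbound data",
    "F": "outside FIN", "f": "inside FIN",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
}

# One 'show conn' entry, e.g.
# TCP outside 222.165.x.2:1713 inside 172.27.14.250:443, idle 0:00:03, bytes 0, flags SaAB
# Addresses are matched with \S+ so redacted octets such as 'x' still parse.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ep_a>\S+:\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ep_b>\S+:\d+),\s*"
    r"idle\s+(?P<idle>\S+),\s*bytes\s+(?P<bytes>\d+)"
    r"(?:,\s*flags\s+(?P<flags>\S+))?"
)


@dataclass
class ConnState:
    proto: str
    endpoint_a: str   # "<interface> <ip>:<port>" exactly as the ASA prints it
    endpoint_b: str
    bytes: int
    flags: str
    stage: str        # machine-readable verdict
    diagnosis: str    # what to check next


def explain_flags(flags: str) -> List[str]:
    """Expand a flag string letter by letter using the legend."""
    return [TCP_FLAG_LEGEND.get(c, f"unknown flag {c!r}") for c in flags]


def decode_conn(line: str) -> Optional[ConnState]:
    """Parse one 'show conn' line and classify its handshake state.

    Returns None for lines that are not connection entries (headers etc.).
    """
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    flags = m["flags"] or ""
    ep_a, ep_b = f"{m['if_a']} {m['ep_a']}", f"{m['if_b']} {m['ep_b']}"
    nbytes = int(m["bytes"])
    if m["proto"] != "TCP":
        return ConnState(m["proto"], ep_a, ep_b, nbytes, flags,
                         "non_tcp", "not TCP; no handshake to evaluate")

    # 'B' marks a flow whose first SYN arrived on the outside (lower security)
    # interface, so the inside host is the responder: its SYN-ACK clears 'S'
    # and 'A', and the outside client's final ACK clears 'a'. For an inside-
    # initiated flow the roles and the letter cases swap: the outside SYN-ACK
    # clears 's' and 'a', the inside client's final ACK clears 'A'.
    from_outside = "B" in flags
    responder = "inside" if from_outside else "outside"
    initiator = "outside" if from_outside else "inside"
    synack_pending = {"S", "A"} if from_outside else {"s", "a"}
    final_ack_pending = "a" if from_outside else "A"

    if "U" in flags:
        if set(flags) & set("FfRr"):
            stage, why = "closing", "handshake completed earlier; FIN seen, connection tearing down"
        else:
            data = [n for c, n in (("I", "inbound"), ("O", "outbound")) if c in flags]
            stage = "established"
            why = "handshake complete, " + (" and ".join(data) + " data seen" if data else "no data yet")
    elif synack_pending <= set(flags):
        stage = f"no_synack_from_{responder}"
        why = (f"SYN was forwarded to the {responder} host but no SYN-ACK came back through the ASA "
               f"(bytes={nbytes}); check the {responder} host's listener, its return route to the "
               f"ASA, and any host firewall")
    elif final_ack_pending in flags:
        stage = f"no_final_ack_from_{initiator}"
        why = f"SYN-ACK from the {responder} host passed; waiting for the {initiator} client's ACK"
    else:
        stage, why = "unknown", "flag combination not covered: " + "; ".join(explain_flags(flags))
    return ConnState("TCP", ep_a, ep_b, nbytes, flags, stage, why)


def triage(show_conn_output: str) -> List[ConnState]:
    """Decode every connection entry in a pasted 'show conn' block."""
    states = [decode_conn(l) for l in show_conn_output.splitlines()]
    return [s for s in states if s is not None]


# Constructed sample output: the first line mirrors the one posted in the
# thread (redacted octet kept), the others illustrate the remaining states.
SAMPLE_SHOW_CONN = """\
TCP outside 222.165.x.2:1713 inside 172.27.14.250:443, idle 0:00:03, bytes 0, flags SaAB
TCP outside 203.0.113.7:52110 inside 172.27.14.250:443, idle 0:00:01, bytes 0, flags aB
TCP outside 203.0.113.7:52111 inside 172.27.14.250:443, idle 0:01:12, bytes 5120, flags UIOB
TCP outside 198.51.100.5:443 inside 172.27.14.10:40000, idle 0:00:02, bytes 0, flags saA
UDP outside 8.8.8.8:53 inside 172.27.14.10:51000, idle 0:00:00, bytes 120, flags -
"""

if __name__ == "__main__":
    for st in triage(SAMPLE_SHOW_CONN):
        print(f"{st.endpoint_a} -> {st.endpoint_b} flags={st.flags or '-'}: {st.stage}")
        print(f"    {st.diagnosis}")
```

Paste the output of `sh conn | inc <inside-ip>` into `triage()` right after reproducing the failure from the outside; a `no_synack_from_inside` verdict with `bytes 0` is the case in this thread and means the ASA side is done and the next place to look is the inside host and its return path.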
11-10-2014 06:56 AM
Hi Karsten,
To me, routing-wise it is fine. Is there a way to configure or trick the NAT policy?
11-10-2014 07:01 AM
Not sure what you want to "trick" on the ASA as the NAT is fine there. Now you must look at the Riverbed: