There is no NAT on ASA except this. Ping to 213.230.22.100 is not working.

We have 213.230.22.1 on ASA outside interface and next hop is 213.230.22.2.

We are using Public IP address inside and outside of ASA.

Moreover, I have applied "permit ip any any" on outside interface.

I used packet tracer command to check the packet from outside. It was successfull.

Could you please let me know how we can check SYN, SYN/ACK and ACK on ASA?

Below is the command output for Show conn.

ASA# sh conn detail

52 in use, 397 most used

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

       B - initial SYN from outside, b - TCP state-bypass or nailed,

       C - CTIQBE media, c - cluster centralized,

       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,

       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

       k - Skinny media, M - SMTP data, m - SIP media, n - GUP

       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,

       q - SQL*Net data, R - outside acknowledged FIN,

       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,

       V - VPN orphan, W - WAAS,

       X - inspected by service module,

       x - per session, Y - director stub flow, y - backup stub flow,

       Z - Scansafe redirection, z - forwarding stub flow

TCP outside: 5.108.26.165/20623 inside: 189.37.122.98/443,

    flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0

TCP outside: 87.109.3.170/1564 inside: 189.37.122.98/443,

    flags SaAB , idle 0s, uptime 0s, timeout 30s, bytes 0

TCP outside: 112.200.19.205/50429 inside: 189.37.122.98/443,

    flags SaAB , idle 2s, uptime 2s, timeout 30s, bytes 0

Hi,

I meant that in the original post you tell what the IP addresses used are. Both behind the firewall and on the firewall itself as the NAT IP address.

Then you mention the configuration used. But in the configuration you use completely different IP addresses than you tell us originally. Have you checked that there is no mistakes in the IP addresses used?

The TCP connection flags you refer to tell that the SYN has come from "outside" but no reply to this has come from the "inside"

Confirm that the actual configuration follows this logic

object network

host

nat (inside,outside) static

- Jouni

For More clarification,

server(189.37.122.98)...............inside(10.1.1.1)ASA(212.200.11.100)outside...........internet

Nexthop for the inside 10.1.1.2.

Nexthop for the outside 212.200.11.2

From ASA, IP address 189.37.122.98 is reachable.

Natted IP address

189.37.122.98--------->>212.200.11.100

I am getting hit on permit ip any any applied on the outside interface.

Please let me know if you need more information.

Regards,

Hello Jouni,

I am using the same logic.

i.e.

object network

host

nat (inside,outside) static

I just want to know that, How we can check that ASA inside interface is getting reply/syn-ack packet from server.

OR

Is there any other way to fix this issue.

Regards,

Thanks a lot Jouni.

I will check rest network configuration and will contact with server team.

Regards,

Hi Jouni,

I want to connect another interface of ASA with another ISP.

and need to configure ASA for 10.0.0.0/8 subnet(usersubnet) to use this ISP for internet.

Is this possible to connect the server from ISP1(Using NAT translation) and User to connect ISP2(Interface NAT) using diffrent interface of ASA?

If yes, default route to which ISP?

Regards,

Hi,

I would try to first confirm that you get the Static NAT working before looking at doing something else.

And for the other Dual ISP setup would be better to make a new discussion rather than mix those things with this Static NAT problem.

- Jouni

Thanks a lot it Jouni.

It is working fine. It was the issue on server which you have mentioned above.

Regards,