Static NAT SYN Timeout - ASA 5505

jkrysinski · ‎08-31-2011

Hi,

I have a 5505 that has been running without any problems until recently. There has not been any changes.

I have a 5505 for a small business that has one web server. The web server has a static NAT entry to an IP address and not an interface. There is an access rule allowing any HTTP traffic to the outside IP of the web server. From the web server I can't access the Internet.

All other computers on the network can access the Internet using a dynamic nat rule that uses the outside interface.

The web server is accessible from a computer behind the firewall.

If I delete the static NAT entry for the web server I can get on the Internet.

I have turned debugging on and see that an outbound connection is built and then 30 seconds later the connection is torn down with the bytes 0 SYN Timeout message.

I am running 8.0(5).

Any help would be greatly appreciated.

James

Maykol Rojas · ‎08-31-2011

Hi,

Mostlikely the IP address that you have for your webserver is not able to reach the internet. Can you connect a host directly to the internet line, assign that IP and see if it works? If it does work, put the static NAT entry on the ASA firewall again.

If you have access to the ISP router or the next hop, do a show arp (If it is a cisco device) and make sure that the mac-address of the IP address of the webserver is the mac-address of the outside interface of the ASA.

If it is not, then you need to engage the ISP so they can make it so.

Mike

jkrysinski · ‎09-01-2011

Hi,

I took your advice. Hooked up a laptop directly and assigned the addressed that the web server was assigned to. The laptop couldn't get onto the Internet either. Powered off the provider's cable modem and everything worked. I completely forgot about the cable modem portion. When in doubt reboot.

Thanks for the suggestion.

Regards,

Jamie

Maykol Rojas · ‎09-01-2011

LOL!

Thats the spirit, I am glad that everything worked

Cheers!

Mike