07-12-2018 11:39 AM - edited 02-21-2020 07:58 AM
Hello everyone:
I am pretty new and I am going crazy with something that is supposed to be easy, so thanks in advance.
I'll try to explain the scenario:
We have a business LAN with IP range 10.154.X.X/22 and a wireless LAN 192.168.2.0/24.
This environment is connected to a Cisco ASA, firewall 1.
This Cisco ASA is connected, with IP 172.16.1.100 on its outside interface, to a dumb switch.
This switch is connected to a secondary firewall 2 with outside IP 172.16.1.1;
on its inside interface the IP is 190.167.0.1.
In this last LAN we have a webserver with IP 190.167.0.34.
-----Business LAN----- FIREWALL1--(172.16.1.100)----------SWITCH-----------(172.16.1.1)--FIREWALL2--(190.167.0.1)--------WEBSERVER(190.167.0.34)
Unfortunately the webserver was designed in an isolated environment and its IP is public; that is why there is a NAT in firewall 1 to translate 10.154.X.97 to 190.167.0.34.
The wireless network (192.168.2.0) works fine and is able to see the webserver using the NAT address (10.154.X.97), but unfortunately the wired network is not able to reach the webserver or even ping it. I receive the following traces:
6 Jul 12 2018 20:10:57 10.154.X.X 51394 190.167.0.34 443 Built inbound TCP connection 219863 for outside:10.154.X.X/51394 (10.154.X.X/51394) to PlantLan:190.167.0.34/443 (190.167.0.34/443)
6 Jul 12 2018 20:11:06 10.154.X.X 51392 190.167.0.34 443 Teardown TCP connection 219862 for outside:10.154.X.X/51392 to PlantLan:190.167.0.34/443 duration 0:00:30 bytes 0 SYN Timeout
I am using ASDM, so if you want me to write any command in the CLI just tell me what to write.
THANKS SO MUCH IN ADVANCE
07-12-2018 01:26 PM
I would recommend using packet-tracer and captures to figure out where the problem is. Run the following packet-tracer command on both firewalls:
packet-tracer input PlantLan tcp 10.154.x.x 51394 190.167.0.34 443 detailed
Also apply captures similar to these on the inside and outside interfaces when you are testing with actual traffic:
capture capi interface PlantLan match ip host 10.154.x.x host 190.167.0.34
capture capo interface outside match ip host 10.154.x.x host 190.167.0.34 (change the source for Firewall2 to the NAT IP address)
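The log pair quoted in the question is the pattern worth looking for before running packet-tracer: a "Built inbound TCP connection" followed by a "Teardown ... duration 0:00:30 bytes 0 SYN Timeout" means the ASA accepted the client's SYN and opened a connection slot, but never saw the SYN-ACK come back within the handshake timeout, so the SYN is being permitted and the break is somewhere on the reply path. As an added example that is not part of this thread or of any Cisco tool, the following Python script parses ASDM log lines of the shape quoted above, pairs Built and Teardown records by ASA connection ID, and reports which client addresses only ever produce SYN timeouts. The sample lines are constructed: the 10.154.X.X entries mirror the poster's lines (with the X placeholders kept as written, so they are not real addresses), and the 192.168.2.15 session is invented to show what a healthy wireless-client session would look like beside them.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ASDM log view quoted in the thread:
# severity, timestamp, source, sport, destination, dport, message text.
# "X" octets are the poster's placeholders, kept verbatim; 192.168.2.15 is an
# invented healthy session for comparison. Connection 219863 has no Teardown
# yet, which is how a still-open connection appears in a live log.
SAMPLE_LOG = """\
6 Jul 12 2018 20:10:27 10.154.X.X 51392 190.167.0.34 443 Built inbound TCP connection 219862 for outside:10.154.X.X/51392 (10.154.X.X/51392) to PlantLan:190.167.0.34/443 (190.167.0.34/443)
6 Jul 12 2018 20:10:57 10.154.X.X 51394 190.167.0.34 443 Built inbound TCP connection 219863 for outside:10.154.X.X/51394 (10.154.X.X/51394) to PlantLan:190.167.0.34/443 (190.167.0.34/443)
6 Jul 12 2018 20:11:06 10.154.X.X 51392 190.167.0.34 443 Teardown TCP connection 219862 for outside:10.154.X.X/51392 to PlantLan:190.167.0.34/443 duration 0:00:30 bytes 0 SYN Timeout
6 Jul 12 2018 20:11:30 192.168.2.15 40212 190.167.0.34 443 Built inbound TCP connection 219870 for outside:192.168.2.15/40212 (192.168.2.15/40212) to PlantLan:190.167.0.34/443 (190.167.0.34/443)
6 Jul 12 2018 20:11:45 192.168.2.15 40212 190.167.0.34 443 Teardown TCP connection 219870 for outside:192.168.2.15/40212 to PlantLan:190.167.0.34/443 duration 0:00:15 bytes 5210 TCP FINs
"""

# Only the message part is matched, so the leading severity/timestamp columns
# of the ASDM view (or a %ASA-6-30201x syslog prefix) do not matter.
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<in_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) \(\S+\) to "
    r"(?P<out_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<in_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_connections(log_text):
    """Pair Built/Teardown lines by ASA connection ID.

    Returns {cid: record}. 'reason' and 'nbytes' stay None for a connection
    that has been built but not (yet) torn down in the supplied log."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            conns[d["cid"]] = {
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "in_if": d["in_if"], "out_if": d["out_if"],
                "nbytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            # A Teardown whose Built line scrolled out of the buffer is still
            # recorded so the failure is not silently dropped.
            rec = conns.setdefault(d["cid"], {
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "in_if": d["in_if"], "out_if": d["out_if"],
                "nbytes": None, "reason": None,
            })
            rec["nbytes"] = int(d["nbytes"])
            rec["reason"] = d["reason"]
    return conns


def half_open_connections(log_text):
    """Connections the ASA built but whose handshake never completed:
    torn down with reason 'SYN Timeout' and zero bytes transferred.
    Returns (cid, src, dst, dport) tuples ordered by connection ID."""
    conns = parse_connections(log_text)
    return [
        (cid, rec["src"], rec["dst"], rec["dport"])
        for cid, rec in sorted(conns.items(), key=lambda kv: int(kv[0]))
        if rec["reason"] == "SYN Timeout" and rec["nbytes"] == 0
    ]


def outcomes_by_source(log_text):
    """Per client address: how many connections were built, how many died
    as SYN timeouts, and how many were torn down for any other reason.
    A source that shows only SYN timeouts while another source to the same
    server completes normally points at a path/NAT problem for that source,
    not at the server or the ACL that permitted the SYN."""
    counts = defaultdict(lambda: {"built": 0, "syn_timeout": 0, "other": 0})
    for rec in parse_connections(log_text).values():
        c = counts[rec["src"]]
        c["built"] += 1
        if rec["reason"] == "SYN Timeout":
            c["syn_timeout"] += 1
        elif rec["reason"] is not None:
            c["other"] += 1
    return dict(counts)


if __name__ == "__main__":
    for cid, src, dst, dport in half_open_connections(SAMPLE_LOG):
        print(f"half-open {cid}: {src} -> {dst}:{dport} (no SYN-ACK seen)")
    for src, c in outcomes_by_source(SAMPLE_LOG).items():
        print(f"{src}: {c}")
```

Feed it the raw log view (copy the lines out of ASDM, or the syslog export) and compare the per-source summary with the packet-tracer results: a source that the tracer reports as "ALLOW" on both firewalls yet only ever shows SYN timeouts has its SYN delivered and its SYN-ACK lost, which is exactly the case the captures on the inside interface of Firewall2 will confirm or rule out.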