Cisco ASAv NAT to ip address TCP SYN timeout

aldrabkin
Level 1

Hi!
I'm looking for help with a problem. I have a Cisco ASA Virtual Appliance, version 9.3.1, with WAN, Internal and DMZ interfaces.
The internal network works well if I NAT it to the WAN interface IP address (for example, nat (Internal,WAN) source dynamic interface (interface IP address 100.100.100.4/28)), but I want to NAT it to another external IP address from the same address pool (for example, nat (Internal,WAN) source dynamic Ext_IP (100.100.100.5/28)), and here the problems begin. I can ping and nslookup from the internal network to the Internet with no problem, but I cannot open any web pages with any browser (IE, Chrome, FF).
I think it's a TCP session problem, not a NAT problem, because of the log messages:
Teardown TCP connection 5388858 for WAN:external_ip/80 to Internal:internal_ip/51756 duration 0:00:30 bytes 0 SYN Timeout
show conn output:
TCP WAN  external_ip:80 Internal  internal_ip:52012, idle 0:00:02, bytes 0, flags saA
and show xlate output:
TCP PAT from Internal:10.70.80.20/52018 to WAN:213.33.241.5/52018 flags ri idle 0:00:08 timeout 0:00:30
Flag saA means that the ASA doesn't receive the incoming TCP SYN message from the remote host, but I don't understand why. What is the difference between NAT to the WAN interface and NAT to External_IP?
I'd appreciate any help!

1 Reply

aldrabkin
Level 1

Resolved! After migration from pfSense to Cisco ASAv, my router 2921, located before the ASA (ISP<->2921<->ASAv), contained an old ARP entry for Ext_IP, which I wanted to use on the ASAv. So the problem was resolved by manually deleting the old ARP entry.
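The diagnosis in the question (teardowns with "bytes 0" and "SYN Timeout" mean the outbound SYN left but no SYN/ACK ever came back, so the fault is on the return path rather than in NAT) can be turned into a quick syslog check. The script below is an added example, not part of the thread; it parses constructed sample lines in the %ASA-6-302014 format quoted above (documentation addresses, not real logs) and flags inside hosts whose every TCP connection died that way, which is the signature the stale upstream ARP entry produced here.

```python
import re
from collections import defaultdict

# Constructed sample lines in the %ASA-6-302014 format quoted in the post
# (documentation addresses; these are not real logs from the thread).
SAMPLE_LOGS = """\
%ASA-6-302014: Teardown TCP connection 5388858 for WAN:198.51.100.10/80 to Internal:10.70.80.20/51756 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 5388860 for WAN:198.51.100.11/443 to Internal:10.70.80.20/51758 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 5388861 for WAN:198.51.100.12/80 to Internal:10.70.80.21/40001 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 5388870 for WAN:198.51.100.20/443 to Internal:10.70.80.22/33000 duration 0:00:01 bytes 512 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) to "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+)(?: (?P<reason>.*))?$"
)

def parse_teardowns(text):
    """Return one dict per %ASA-6-302014 line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line.strip())
        if m:
            d = m.groupdict()
            d["nbytes"] = int(d["nbytes"])
            d["reason"] = d["reason"] or ""
            events.append(d)
    return events

def syn_timeout_report(text):
    """Per inside host: (all TCP teardowns, zero-byte SYN Timeout teardowns)."""
    totals = defaultdict(lambda: [0, 0])
    for ev in parse_teardowns(text):
        totals[ev["in_ip"]][0] += 1
        # bytes 0 + SYN Timeout: the inside SYN was sent, no SYN/ACK ever came back
        if ev["nbytes"] == 0 and ev["reason"] == "SYN Timeout":
            totals[ev["in_ip"]][1] += 1
    return {ip: tuple(v) for ip, v in totals.items()}

def hosts_without_return_traffic(text):
    """Inside hosts whose every TCP teardown was a zero-byte SYN Timeout.
    That pattern points at the return path for the NAT address (upstream
    routing/ARP), not at the NAT rule itself, as the resolution above shows."""
    return sorted(ip for ip, (total, st) in syn_timeout_report(text).items()
                  if total and st == total)
```

Feed it the output of "show logging" (or a syslog export) filtered to 302014 messages; hosts listed by hosts_without_return_traffic are the ones to test against the NAT address and the upstream ARP table.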