Solved: null

ja712565716 · ‎03-10-2020

null

Cristian Matei · ‎03-12-2020

Hi,

The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228". If the ISP, your next-hop has the IP address of "209.165.200.226 255.255.255.252" , and the address you're NAT'ing into is into another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?

Regards,

Cristian Matei.

View solution in original post

Francesco Molino · ‎03-10-2020

Hi

Can you run the packet tracer command and share the output please:
packet-tracer input outside tcp 1.1.1.1 12345 209.165.200.228 80 detail

When someone tries to access your public IP from outside, do you see any traffic coming in in your logs?

If this acl OUTSIDE-to-DMZ applied to your outside interface?
I would avoid 2 default route. I would put a more specific route for inside zone. As you have ospf, you won't require the inside route because you should learn all your prefixes. Even for the outside, don't you learn the default route from ospf?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Cristian Matei · ‎03-12-2020

Hi,

The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228". If the ISP, your next-hop has the IP address of "209.165.200.226 255.255.255.252" , and the address you're NAT'ing into is into another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?

Regards,

Cristian Matei.