03-10-2020 04:52 PM - edited 03-25-2020 06:52 PM
Accepted Solutions
03-12-2020 01:33 AM
Hi,
The problem seems to be an inconsistency between your outside interface network mask: "ip address 209.165.200.225 255.255.255.252" and the IP address you're NAT'ing into: "209.165.200.228". If the ISP, your next-hop, has the IP address of "209.165.200.226 255.255.255.252", and the address you're NAT'ing into is in another /30 subnet, are you sure traffic from the Internet which is destined to 209.165.200.228 is even routed towards your ASA?
Regards,
Cristian Matei.
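An added example, not part of the original thread or written by either poster: a Python check that flags static NAT mapped addresses falling outside the connected subnet of the mapped interface, which is the mismatch described in the answer above. The sample configuration is constructed; only 209.165.200.225 255.255.255.252 and 209.165.200.228 come from the thread, and the interface names, object name and DMZ addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not the poster's actual configuration); only the
# outside address/mask and the mapped address 209.165.200.228 are from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 209.165.200.225 255.255.255.252
interface GigabitEthernet0/1
 nameif dmz
 ip address 192.168.2.1 255.255.255.0
object network DMZ-SERVER
 host 192.168.2.3
 nat (dmz,outside) static 209.165.200.228
"""

def interface_networks(config):
    """Map nameif -> connected IPv4 network from 'nameif' / 'ip address' lines."""
    nets, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None  # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        else:
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m and name:
                ifc = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                nets[name] = ifc.network
    return nets

def check_static_nat(config):
    """Return (mapped_ip, mapped_ifc, connected_net, on_link) per static NAT line."""
    nets = interface_networks(config)
    results = []
    pattern = r"nat \((\S+?),(\S+?)\) static (\d+\.\d+\.\d+\.\d+)"
    for m in re.finditer(pattern, config):
        mapped_ifc, mapped_ip = m.group(2), ipaddress.ip_address(m.group(3))
        net = nets.get(mapped_ifc)
        on_link = net is not None and mapped_ip in net
        results.append((str(mapped_ip), mapped_ifc, str(net), on_link))
    return results

if __name__ == "__main__":
    for ip, ifc, net, on_link in check_static_nat(SAMPLE_CONFIG):
        note = "on-link" if on_link else "off-subnet: upstream must route it to the ASA"
        print(f"{ip} via {ifc} ({net}): {note}")
```

An off-subnet result is not a configuration error by itself; it means the mapped address only works if the next hop has a route for it pointing at the ASA's outside address.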
03-10-2020 08:29 PM
Can you run the packet tracer command and share the output please:
packet-tracer input outside tcp 1.1.1.1 12345 209.165.200.228 80 detail
When someone tries to access your public IP from outside, do you see any traffic coming in in your logs?
Is this ACL OUTSIDE-to-DMZ applied to your outside interface?
I would avoid 2 default routes. I would put a more specific route for the inside zone. As you have OSPF, you won't require the inside route because you should learn all your prefixes. Even for the outside, don't you learn the default route from OSPF?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
