Unable to browse and ping web server

geoff
Level 1

Hi,

I am having trouble configuring our ASA 5510, with which we would like to host our servers within a DMZ.

Packet-tracer doesn't fail and indicates flow is correct.

Details about the ASA 5510:

Cisco Adaptive Security Appliance Software Version 9.1(7)
Device Manager Version 7.5(2)153

Config:

hostname SY3FW1
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.1.90 255.255.255.0
no shutdown
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
!
interface Ethernet0/2
nameif imm
security-level 50
ip address 172.16.99.1 255.255.255.0
no shutdown
!
interface Ethernet0/3
nameif dmz
security-level 50
ip address 172.16.50.1 255.255.255.0
no shutdown
!
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object network dmz-subnet
subnet 172.16.50.0 255.255.255.0
object network webserver
host 172.16.50.1
object network webserver-external-ip
host 172.16.1.70
!
access-list outside_acl extended permit tcp any object webserver eq https
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network webserver
nat (dmz,outside) static webserver-external-ip
object-group HTTPS_Server
host 172.16.50.1
nat (dmz,outside) static 172.16.1.70 service tcp https https
!
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
policy-map global_policy
class inspection_default
inspect icmp

Am I doing something wrong?

Any feedback would be very much appreciated!

Cheers

Accepted Solution

Have you checked the default gateway of the server?

12 Replies

Pawan Raut
Level 4

I don't think the server IP is 172.16.50.1, as that is the IP address on the firewall. Could you please share the packet-tracer output?

Hi Pawan,

Many thanks for the prompt reply.

Sorry, my mistake: the server IP is actually 172.16.50.5.

Packet-tracer:

SY3FW1(config)# packet-tracer input outside tcp 172.16.1.115 12345 172.16.1.70$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network webserver
nat (dmz,outside) static 172.16.1.70 service tcp https https
Additional Information:
NAT divert to egress interface dmz
Untranslate 172.16.1.70/443 to 172.16.50.5/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any object webserver eq https
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network webserver
nat (dmz,outside) static 172.16.1.70 service tcp https https
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 124, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

Many thanks.

Are you able to ping 172.16.50.5 from the firewall?

Yes, logging below:

SY3FW1(config)# ping 172.16.50.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.50.5, timeout is 2 seconds:
ICMP echo request from 172.16.50.1 to 172.16.50.5 ID=64484 seq=21367 len=72
!ICMP echo reply from 172.16.50.5 to 172.16.50.1 ID=64484 seq=21367 len=72
!!ICMP echo request from 172.16.50.1 to 172.16.50.5 ID=64484 seq=21367 len=72
!ICMP echo reply from 172.16.50.5 to 172.16.50.1 ID=64484 seq=21367 len=72
!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SY3FW1(config)# ICMP echo request from 172.16.50.1 to 172.16.50.5 ID=64484 seq=21367 len=72
ICMP echo reply from 172.16.50.5 to 172.16.50.1 ID=64484 seq=21367 len=72
ICMP echo request from 172.16.50.1 to 172.16.50.5 ID=64484 seq=21367 len=72
ICMP echo reply from 172.16.50.5 to 172.16.50.1 ID=64484 seq=21367 len=72
ICMP echo request from 172.16.50.1 to 172.16.50.5 ID=64484 seq=21367 len=72
ICMP echo reply from 172.16.50.5 to 172.16.50.1 ID=64484 seq=21367 len=72

Could you please add the command below to the firewall config and test the server access?

same-security-traffic permit inter-interface

Implemented; unfortunately, still no success.

Logging below:

SY3FW1(config)# %ASA-6-302014: Teardown TCP connection 128 for outside:172.16.1.115/62006 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 129 for outside:172.16.1.115/62005 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:172.16.1.115 duration 0:00:30
%ASA-7-609002: Teardown local-host dmz:172.16.50.5 duration 0:00:30
%ASA-7-609001: Built local-host outside:172.16.1.115
%ASA-7-609001: Built local-host dmz:172.16.50.5
%ASA-6-302013: Built inbound TCP connection 130 for outside:172.16.1.115/62048 (172.16.1.115/62048) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 131 for outside:172.16.1.115/62047 (172.16.1.115/62047) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 132 for outside:172.16.1.115/62005 (172.16.1.115/62005) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 133 for outside:172.16.1.115/62006 (172.16.1.115/62006) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302014: Teardown TCP connection 130 for outside:172.16.1.115/62048 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 134 for outside:172.16.1.115/62063 (172.16.1.115/62063) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302014: Teardown TCP connection 131 for outside:172.16.1.115/62047 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 132 for outside:172.16.1.115/62005 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 133 for outside:172.16.1.115/62006 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 135 for outside:172.16.1.115/62048 (172.16.1.115/62048) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 136 for outside:172.16.1.115/62047 (172.16.1.115/62047) to dmz:172.16.50.5/443 (172.16.1.70/443)

SY3FW1(config)# %ASA-6-302014: Teardown TCP connection 134 for outside:172.16.1.115/62063 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 135 for outside:172.16.1.115/62048 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 136 for outside:172.16.1.115/62047 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-7-609002: Teardown local-host outside:172.16.1.115 duration 0:01:05
%ASA-7-609002: Teardown local-host dmz:172.16.50.5 duration 0:01:05
%ASA-7-609001: Built local-host outside:172.16.1.115
%ASA-7-609001: Built local-host dmz:172.16.50.5
%ASA-6-302013: Built inbound TCP connection 137 for outside:172.16.1.115/62063 (172.16.1.115/62063) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 138 for outside:172.16.1.115/62048 (172.16.1.115/62048) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 139 for outside:172.16.1.115/62047 (172.16.1.115/62047) to dmz:172.16.50.5/443 (172.16.1.70/443)

SYN Timeout indicates that the server is not sending a SYN-ACK packet back to the ASA, so it is not a firewall issue; the issue is located at the server. Kindly check what default gateway is set on the server. Is the HTTPS (TCP 443) service running on the server? Do a self-telnet to port 443 on the server and check whether it is able to connect or not.
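The reasoning in the reply above (a connection that is built, carries 0 bytes and is torn down with "SYN Timeout" means the ASA forwarded the SYN but nothing came back, so the fault is behind the firewall) can be applied mechanically to the syslog. This is an added example, not code from the thread: the sample lines are constructed in the format of the %ASA-6-302013 and %ASA-6-302014 messages posted above, using the thread's server 172.16.50.5, plus a made-up healthy host 172.16.50.6 (mapped to 172.16.1.71) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the %ASA-6-302013 (connection built) and
# %ASA-6-302014 (connection torn down) messages posted above. 172.16.50.5 is the
# thread's server; 172.16.50.6 / 172.16.1.71 are made-up values for a healthy host.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 130 for outside:172.16.1.115/62048 (172.16.1.115/62048) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302013: Built inbound TCP connection 131 for outside:172.16.1.115/62047 (172.16.1.115/62047) to dmz:172.16.50.5/443 (172.16.1.70/443)
%ASA-6-302014: Teardown TCP connection 130 for outside:172.16.1.115/62048 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 131 for outside:172.16.1.115/62047 to dmz:172.16.50.5/443 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 140 for outside:172.16.1.115/62100 (172.16.1.115/62100) to dmz:172.16.50.6/443 (172.16.1.71/443)
%ASA-6-302014: Teardown TCP connection 140 for outside:172.16.1.115/62100 to dmz:172.16.50.6/443 duration 0:00:12 bytes 5120 TCP FINs
"""

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?:inbound|outbound) TCP connection (\d+) "
    r"for (\S+) \((\S+)\) to (\S+) \((\S+)\)")
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (\d+) for (\S+) to (\S+) "
    r"duration (\S+) bytes (\d+) (.+)$")

def syn_timeout_report(log_text):
    """Per real destination (iface:ip/port): attempts seen, how many ended as a
    zero-byte SYN Timeout, and the mapped (outside) address the client used."""
    conn_dst = {}  # connection id -> real destination, taken from the Built line
    stats = defaultdict(lambda: {"attempts": 0, "syn_timeouts": 0, "mapped": None})
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            cid, real_dst, mapped_dst = m.group(1), m.group(4), m.group(5)
            conn_dst[cid] = real_dst
            stats[real_dst]["attempts"] += 1
            stats[real_dst]["mapped"] = mapped_dst
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            cid, nbytes, reason = m.group(1), int(m.group(5)), m.group(6).strip()
            real_dst = conn_dst.pop(cid, m.group(3))
            # 0 bytes + SYN Timeout: the ASA forwarded the SYN, no SYN-ACK came back
            if nbytes == 0 and reason == "SYN Timeout":
                stats[real_dst]["syn_timeouts"] += 1
    return dict(stats)

def unresponsive_servers(log_text):
    """Destinations where every attempt timed out on the SYN: translation and ACL
    did their job, so check the server (default gateway, listener, host firewall)."""
    return sorted(dst for dst, s in syn_timeout_report(log_text).items()
                  if s["attempts"] and s["syn_timeouts"] == s["attempts"])
```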

I am able to browse the server when on the same subnet; telnet and openssl tested successfully. The tests are below:

pbgmbp01:~ admin$ telnet 172.16.50.5 443
Trying 172.16.50.5...
Connected to 172.16.50.5.
Escape character is '^]'.
Connection closed by foreign host.

pbgmbp01:~ admin$ openssl s_client -connect 172.16.50.5:443
CONNECTED(00000003)

Have you checked the default gateway of the server?

Pawan,

You are a star!!

All the servers in the DMZ have a gateway configured except 172.16.50.5. I must have missed it, too many sleepless nights setting up the environment.... (plus too many tested)

Web browsing is now working.

How can I now get pinging from the outside in to work? Below is a test from my PC on the outside:

pbgmbp01:~ admin$ ping 172.16.50.5
PING 172.16.50.5 (172.16.50.5): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
76 bytes from 172.18.92.1: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 3511   0 0000  3e  01 bbff 172.16.1.115  172.16.50.5
Request timeout for icmp_seq 4

Again many thanks for your very kind assistance!!

Cheers

Hi,

I am glad to hear that your issue has been resolved. Ping will not work, as you have set up only port forwarding for HTTPS (port 443) and have not done a static IP-to-IP NAT.

nat (dmz,outside) static 172.16.1.70 service tcp https https

Request you to please mark my answer as the correct answer and give a rating.

Thank you

Many thanks for the code snippet; unfortunately, it's complaining:

SY3FW1(config)# nat (dmz,outside) static 172.16.1.70 service tcp https https
^
ERROR: % Invalid input detected at '^' marker.

The "^" is under the static syntax

Will this syntax work with ASA 9.1?
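As an added illustration (not posted in the thread) of the difference Pawan describes between a port-forward and an IP-to-IP static NAT, and of where ASA 9.x expects object NAT to be typed: the `nat` line belongs inside `object network`, which is why the same line is rejected at the global `(config)#` prompt, where `nat (dmz,outside)` expects the twice-NAT `source` keyword instead. Names and addresses reuse the thread's config; the ICMP access-list entry is an assumption about what the poster's ping test would need, not something on the page.

```cisco
! Port-forward only: translates TCP/443 between 172.16.1.70 and 172.16.50.5.
! Nothing else (ICMP echo included) is translated, so a ping to 172.16.1.70
! never reaches the server. Entered inside the object, not at (config)#.
object network webserver
 host 172.16.50.5
 nat (dmz,outside) static 172.16.1.70 service tcp https https
!
! IP-to-IP static NAT: translates all protocols between the two addresses.
! An object holds a single nat statement, so this replaces the line above.
object network webserver
 host 172.16.50.5
 nat (dmz,outside) static 172.16.1.70
!
! The outside ACL still decides what is admitted after un-NAT. Permit only
! echo requests to the server (assumption: the minimum the poster's ping
! test needs); the existing "inspect icmp" lets the replies back out.
access-list outside_acl extended permit tcp any object webserver eq https
access-list outside_acl extended permit icmp any object webserver echo
access-group outside_acl in interface outside
```

With the IP-to-IP form every port on 172.16.50.5 is reachable through 172.16.1.70 as far as NAT is concerned, so the outside ACL is the only thing limiting exposure; keep it to the services that are meant to be public.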
