Unable to pass traffic to NAT object

misterDub
Level 1

I'm having some difficulty accessing a web server behind a Cisco ASA 5516-X (version 9.8(4)22) using a NAT object. I had this working previously, but I changed the configuration a bit: the Gi1/4 port used to be an L3 port, which I changed to L2 and associated with a newly created bridge group (BVI1). The ASA is in routed mode.

According to Packet Tracer, the packet flow should work successfully, but I'm unable to ping or browse to this server. This issue has me stumped, so I'm hoping I'm just missing something minor. I can revert to an L3 port on Gi1/4, but I'd like to get this configuration working if possible.

I've included the relevant parts of the config below. I can provide more information upon request. Thank you!

 

--

interface GigabitEthernet1/4
 description DMZ Web
 bridge-group 1
 nameif dmz1
 security-level 20
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif dmz2
 security-level 20
!
interface BVI1
 description DMZ
 nameif dmz
 security-level 20
 ip address 172.16.59.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network dmz-net
 subnet 172.16.59.0 255.255.255.0
object network hq-sbc
 host 172.16.59.5
 description Session Border Controller
object network hq-web-server
 host 172.16.59.12
 description DMZ Web Server (formula)
object network dmz-web-server
 host 172.16.59.12
 description DMZ Web Server
object-group network DM_INLINE_NETWORK_1
 network-object host 172.16.59.12
 network-object host PUBLIC_IP_1_REDACTED
object-group network DM_INLINE_NETWORK_7
 network-object host PUBLIC_IP_1_REDACTED
 network-object host PUBLIC_IP_2_REDACTED
 network-object host PUBLIC_IP_3_REDACTED
!
object network hq-web-server
 nat (outside,dmz1) dynamic dmz-web-server interface dns
!
access-list dmz_access_in extended permit ip object dmz-net object hq-monitoring-server
access-list dmz_access_in extended deny ip object dmz-net object hq-supernet
access-list dmz_access_in extended permit ip object dmz-net any
access-list dmz1_access_in extended permit ip object dmz-net any
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit ip any object hq-sbc
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_7
access-list outside_access_in extended permit ip any object dmz-net

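A way to sanity-check the NAT rule in the posted fragment, as an added example that is not part of the original post and not a Cisco tool: the script below parses the interface, object and NAT lines from the post (copied inline as its sample input), works out which subnet each bridge-group member interface sits on through the BVI of the same bridge group, and flags any `nat (real,mapped)` rule whose real-side interface is not an interface the real object's address is directly connected through. It relies on the documented ASA object-NAT semantics: the object under which `nat` appears is the real (untranslated) address, the first interface in the pair is the real interface, routed-mode bridge-group members use the BVI's subnet, and dynamic NAT only creates translations for connections started from the real side. The function names, the finding format and the checks themselves are the script's own, not ASA behaviour.

```python
"""Lint an ASA running-config fragment for NAT rules whose real-side
interface does not match where the real object lives (bridge-group aware).
Added example; parsing is deliberately limited to interface, object network
and nat lines."""
import ipaddress
import re

# Constructed sample input: the interface, object and NAT lines from the post.
ASA_CONFIG = """\
interface GigabitEthernet1/4
 description DMZ Web
 bridge-group 1
 nameif dmz1
 security-level 20
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif dmz2
 security-level 20
!
interface BVI1
 description DMZ
 nameif dmz
 security-level 20
 ip address 172.16.59.1 255.255.255.0
!
object network dmz-net
 subnet 172.16.59.0 255.255.255.0
object network hq-web-server
 host 172.16.59.12
 description DMZ Web Server (formula)
object network dmz-web-server
 host 172.16.59.12
 description DMZ Web Server
object network hq-web-server
 nat (outside,dmz1) dynamic dmz-web-server interface dns
"""

# Commands that end whichever interface/object block is currently open.
TOP_LEVEL = ("interface ", "object network ", "object-group ", "access-list ",
             "same-security-traffic", "!")
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\)\s+(.*)$")


def parse_config(text):
    """Return (interfaces, objects, nat_rules).

    interfaces: nameif -> {"phys", "is_bvi", "bridge_group", "network"}
    objects:    object name -> IPv4Network (a host becomes a /32)
    nat_rules:  list of (object name, real_ifc, mapped_ifc, remainder)
    """
    interfaces, objects, nat_rules = {}, {}, []
    block = None  # ("interface", ifc-dict) or ("object", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if line.startswith("interface "):
            phys = words[1]
            is_bvi = phys.upper().startswith("BVI")  # BVI<n> names its bridge group
            block = ("interface", {"phys": phys, "is_bvi": is_bvi,
                                   "bridge_group": int(phys[3:]) if is_bvi else None,
                                   "network": None})
        elif line.startswith("object network "):
            block = ("object", words[2])  # the same object may appear twice (host, then nat)
        elif line.startswith(TOP_LEVEL):
            block = None
        elif block is not None and block[0] == "interface":
            ifc = block[1]
            if words[0] == "nameif":
                interfaces[words[1]] = ifc
            elif words[0] == "bridge-group":
                ifc["bridge_group"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                ifc["network"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif block is not None and block[0] == "object":
            name = block[1]
            if words[0] == "host":
                objects[name] = ipaddress.ip_network(words[1])
            elif words[0] == "subnet":
                objects[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            else:
                m = NAT_RE.match(line)
                if m:
                    nat_rules.append((name, m.group(1), m.group(2), m.group(3)))
    return interfaces, objects, nat_rules


def connected_network(name, interfaces):
    """Subnet directly reachable through interface `name`; a bridge-group
    member borrows the subnet of the BVI in the same bridge group."""
    ifc = interfaces.get(name)
    if ifc is None:
        return None
    if ifc["network"] is not None:
        return ifc["network"]
    if ifc["bridge_group"] is not None:
        for other in interfaces.values():
            if other["is_bvi"] and other["bridge_group"] == ifc["bridge_group"]:
                return other["network"]
    return None


def check_nat_rules(text):
    """Return a list of (level, object name, message) findings."""
    interfaces, objects, nat_rules = parse_config(text)
    findings = []
    for obj_name, real_ifc, mapped_ifc, rest in nat_rules:
        real_net = objects.get(obj_name)
        if real_net is None:
            findings.append(("error", obj_name, "NAT rule on an object with no host/subnet"))
            continue
        for side, name in (("real", real_ifc), ("mapped", mapped_ifc)):
            if name in interfaces and interfaces[name]["is_bvi"]:
                findings.append(("error", obj_name,
                                 f"{side} interface '{name}' is a BVI; NAT rules reference "
                                 "bridge-group member interfaces"))
        # Non-BVI interfaces whose connected subnet contains the real address.
        homes = [n for n, ifc in interfaces.items()
                 if not ifc["is_bvi"] and connected_network(n, interfaces) is not None
                 and real_net.subnet_of(connected_network(n, interfaces))]
        if homes and real_ifc not in homes:
            findings.append(("error", obj_name,
                             f"real address {real_net} is directly connected via "
                             f"{'/'.join(sorted(homes))}, but the rule is nat ({real_ifc},"
                             f"{mapped_ifc}); the first interface must be the one the real "
                             "address lives behind"))
        if rest.startswith("dynamic") and real_net.prefixlen == 32:
            findings.append(("info", obj_name,
                             "dynamic NAT only builds translations for connections started by "
                             "the real host; use static NAT if the mapped side must reach it"))
    return findings


if __name__ == "__main__":
    for level, obj, msg in check_nat_rules(ASA_CONFIG):
        print(f"{level}: {obj}: {msg}")
```

Run against the fragment, it reports that hq-web-server (172.16.59.12) is connected through dmz1/dmz2 while the rule names outside as the real interface, plus a note that a dynamic rule cannot serve inbound connections. That is a static reading of the text only; `show nat detail` and `show xlate` on the ASA show which rule and translation the box actually builds for the server.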