
PAT Problem

Pete89
Level 2

Hello,

I am starting over with a drawing.

http://www.flickr.com/photos/31154535@N07/3929040630/sizes/o/

The user out in the cloud is a client who wants to connect to https://www.help.megacorp.net:9443

Then I want the ASA to do PAT on 9443 to 443 and forward that traffic to the host in the LAN (10.100.37.21)

help.megacorp resolves to 217.142.187.114

The logs on the router and ASA5520 show nothing. I must have something basically wrong.

If you need more detail from the config let me know.

Thanks a million,

Pedro

11 Replies

andrew.prince
Level 10

Pedro,

The ASA will not act as an SSL proxy.

HTH

So what I want to do can't be done??

I finally got an error message on the FW:

No translation group found for tcp src Outside:76.195.192.74/2723 dst WebVLAN:10.100.37.21/443

Translation error gone... return traffic gets to the ASA now. But now I am getting:

Deny TCP reverse path check from 76.195.192.74 to 172.31.1.4 on interface outside_edgert_vlan10

Totally lost now....

Post your current config for review, remove sensitive information.

Hello Andrew,

This is the latest drawing:

http://www.flickr.com/photos/31154535@N07/3931585864/sizes/o/

The traffic gets translated fine at the ASA5520 coming in and gets to the 10.100.37.21 host. The return traffic gets to the ASA and that's when I see that error.

Just for fun I removed the statement:

ip verify reverse-path interface outside

And no change in behavior, however the ASA generates no errors.

Change the config using default ssl ports 443 all the way thru - without changing them.

OK but we use help.megacorp.com for SSL VPN users to connect to our offices ...

Won't there be a problem??

I do not understand - your original posting was for help.megacorp.net ?

If you cannot change the ACL/static NAT on the ASA, then the only thing I can suggest to you is that you must debug and troubleshoot.

And check the forums for similar postings.

Sorry that was a typo ... I meant to say help.megacorp.net ....

I will keep banging my head on this and if I discover what the problem is I will let everyone know ..

Thanks for your help. I appreciate it very much.

Pedro
