09-17-2009 06:02 AM - edited 03-09-2019 10:34 PM
Hello,
I am starting over with a drawing.
http://www.flickr.com/photos/31154535@N07/3929040630/sizes/o/
The user out in the cloud is a client who wants to connect to https://www.help.megacorp.net:9443
Then I want the ASA to do PAT on 9443 to 443 and forward that traffic to the host in the LAN (10.100.37.21).
help.megacorp resolves to 217.142.187.114
The logs on the router and ASA5520 show nothing. I must have something basically wrong.
If you need more detail from the config let me know.
Thanks a million,
Pedro
09-17-2009 08:07 AM
Pedro,
The ASA will not act as an SSL proxy.
HTH
09-17-2009 08:33 AM
So what I want to do can't be done??
09-17-2009 08:54 AM
I finally got an error message on the FW:
No translation group found for tcp src Outside:76.195.192.74/2723 dst WebVLAN:10.100.37.21/443
09-17-2009 11:53 AM
Translation error gone... return traffic gets to the ASA now. But now I am getting:
Deny TCP reverse path check from 76.195.192.74 to 172.31.1.4 on interface outside_edgert_vlan10
Totally lost now....
09-17-2009 12:59 PM
09-17-2009 11:53 PM
Post your current config for review, remove sensitive information.
09-18-2009 05:10 AM
Hello Andrew,
This is the latest drawing:
http://www.flickr.com/photos/31154535@N07/3931585864/sizes/o/
The traffic gets translated fine at the ASA5520 coming in and gets to the 10.100.37.21 host. The return traffic gets to the ASA and that's when I see that error.
Just for fun I removed the statement:
ip verify reverse-path interface outside
And no change in behavior, however the ASA generates no errors.
09-18-2009 06:35 AM
Change the config using default ssl ports 443 all the way thru - without changing them.
09-18-2009 07:17 AM
OK but we use help.megacorp.com for SSL VPN users to connect to our offices ...
won't there be a problem??
09-18-2009 07:28 AM
I do not understand - your original posting was for help.megacorp.net ?
If you cannot change the acl/static nat on the asa - then the only thing I can suggest to you is that you must debug and troubleshoot.
And check the forums for similar postings.
09-18-2009 07:43 AM
Sorry that was a typo ... I meant to say help.megacorp.net ....
I will keep banging my head on this and if I discover what the problem is I will let everyone know ..
Thanks for your help. I appreciate it very much.
Pedro