Question regarding NAT and directed-mode

Answered Question
Jan 15th, 2012
Hello,


I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6. The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA are behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.


I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN which is responded to but the ACK is coming from the unnatted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL ASA.


Example

Branch WAE Private 192.68.1.45

Branch WAE Public 206.99.88.10

CM private 192.168.20.9

CM public 240.10.10.20


PIX log

Jan 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]

Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]

Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)

Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e


Although the PIX NATs the CM address, the core WAE is still seeing its private address.


Do you have any idea what could be causing this?


Best regards

Stephen
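The symptom in the post is visible in the PIX log itself: a flow is built from the branch WAE's public address 206.99.88.10 on one source port, and moments later packets on the same source port arrive from the un-NATed address 192.68.1.45 and are denied with "no connection". The script below is an added example (not from the original post or from Cisco) that parses 106015, 106100 and 302013 messages and flags every client port seen with both the private and the public address of the same host. The sample lines are constructed from the post's log, and the private-to-public mapping is taken from the addresses the post lists rather than guessed from address ranges (192.68.1.45 is not in an RFC 1918 block, so a range heuristic would miss it).

```python
import re
from collections import defaultdict

# Constructed sample input: the PIX syslog lines quoted in the post, with their
# truncated tails kept as they appear (the regexes only need the leading fields).
SAMPLE_LOG = """\
Jan 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]
Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe
Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]
Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)
Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e
"""

# Assumed mapping built from the addresses listed in the post: branch WAE private -> public.
NAT_TABLE = {"192.68.1.45": "206.99.88.10"}

SERVER_PORT = 443  # the CM's HTTPS port in the post; the other end is the WAE's ephemeral port

RE_106015 = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+)")
RE_106100 = re.compile(
    r"%PIX-\d-106100: access-list \S+ (permitted|denied) tcp \S+/(\S+)\((\d+)\) -> \S+/(\S+)\((\d+)\)")
RE_302013 = re.compile(
    r"%PIX-\d-302013: Built inbound TCP connection \d+ for \S+:(\S+)/(\d+)")


def parse_line(line):
    """Return (msg_id, src, sport, dst, dport) for one PIX syslog line, or None.

    302013 is parsed only for its initiator, so dst and dport are None for it.
    """
    m = RE_106015.search(line)
    if m:
        return "106015", m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    m = RE_106100.search(line)
    if m:
        return "106100", m.group(2), int(m.group(3)), m.group(4), int(m.group(5))
    m = RE_302013.search(line)
    if m:
        return "302013", m.group(1), int(m.group(2)), None, None
    return None


def client_side(src, sport, dst, dport):
    """Return (client_ip, client_port): whichever end of the flow is not the server port."""
    if dport == SERVER_PORT:
        return src, sport
    if sport == SERVER_PORT:          # a reply (e.g. the denied SYN/ACK from the CM)
        return dst, dport
    return src, sport                 # 302013: the 'for' side is the initiator


def find_asymmetric_flows(log_text, nat_table):
    """Group events by the client's ephemeral port and report ports on which the
    same flow was seen from both a private address and its NAT public address."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, sport, dst, dport = parsed
        ip, port = client_side(src, sport, dst, dport)
        seen[port].add(ip)
    findings = {}
    for port, ips in seen.items():
        for private, public in nat_table.items():
            if private in ips and public in ips:
                findings[port] = sorted(ips)
    return findings


def untranslated_hits(log_text, nat_table):
    """106015 denials whose source is an address that should have been translated."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "106015" and parsed[1] in nat_table:
            hits.append((parsed[1], parsed[2]))
    return hits


if __name__ == "__main__":
    for port, ips in sorted(find_asymmetric_flows(SAMPLE_LOG, NAT_TABLE).items()):
        print(f"client port {port}: one flow seen from {ips}")
    print("denials from un-NATed source:", untranslated_hits(SAMPLE_LOG, NAT_TABLE))
```

On the sample, ports 46871 and 23183 are both reported: the first because the CM's SYN/ACK went to the public address while the PSH ACK arrived from the private one, the second because the connection was built from 206.99.88.10 and the next ACK came from 192.68.1.45. Running the same check over a longer capture tells you whether every session is affected or only those toward the SSL ASA, which is the distinction the post is trying to make.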

Correct Answer by Daniel Arrondo Ostiz (Cisco Employee), Mon, 01/16/2012 - 01:28

Hi Stephen,


To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.


Regards


Daniel
