Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
715
Views
0
Helpful
1
Replies

Question regarding NAT and directed-mode

Go to solution
fisherstephen
Level 1
Level 1

‎01-15-2012 02:55 AM

Hello,

I have two WAE 574 devices and a CM 274 all running code level 4.3.1.6, The CM is behind a PIX firewall. There is no firewall between the branch and core WAE. The branch device is behind a NAT router. The CM and SSL ASA rea behind a PIX 515 firewall. The branch WAE is running inline mode and the core WAE is using WCCP redirection. Both the CM and SSL ASA are reverse NATted on the PIX firewall. The branch WAE has the primary interface unchecked on the CM and is using the NAT address.

I am getting asymmetric route issues. This is because for some reason the NAT address of the branch WAE sends the SYN which is responded to but the ACK is coming from the unnatted private address. When I turn off directed mode I can see optimisation start for some sessions but not for the SSL

ASA.

Example

Branch WAE Private 192.68.1.45

Branch WAE Public 206.99.88.10

CM private 192.168.20.9

CM public 240.10.10.20

PIX log

an 15 2012 11:50:58: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe

Although the PIX NATs the CM address, the core WAE is still still seeing it's private address.

Do you have any idea what could be causing this ?

Best regards

Stephen

Jan 15 2012 11:51:12: %PIX-5-106100: access-list DMZ_access_in denied tcp DMZ/192.168.20.9(443) -> outside/206.99.88.10(46871) hit-cnt 1 f]

Jan 15 2012 11:51:31: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46871 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:51:37: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/46847 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:52:08: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/49634 to 240.10.10.20/443 flags PSH ACK on interfe

Jan 15 2012 11:52:10: %PIX-5-106100: access-list outside_access_in permitted tcp outside/206.99.88.10(23183) -> DMZ/240.10.10.20(443) ]

Jan 15 2012 11:52:10: %PIX-6-302013: Built inbound TCP connection 1475554768 for outside:206.99.88.10/23183 (206.99.88.10/23183) to DMZ:WAD)

Jan 15 2012 11:52:10: %PIX-6-106015: Deny TCP (no connection) from 192.68.1.45/23183 to 240.10.10.20/443 flags ACK on interface e

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎01-16-2012 01:28 AM

Hi Stephen,

To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.

Regards

Daniel

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎01-16-2012 01:28 AM

Hi Stephen,

To troubleshoot this further, we would need to get a topology diagram of your network, as well as the configurations from all devices, so it would probably be better if you open a TAC service request.

Regards

Daniel

0 Helpful
Customers Also Viewed These Support Documents