I have a NAT rule that seems to be failing on my ASA.
The host is on a DMZ interface. Let's call it ACME-DMZ.
The NAT rule looks like this:
object network obj-172.31.150.41
nat (ACME-DMZ,outside) static 22.214.171.124
The access-list on the ACME-DMZ interface is "permit ip any any" (for troubleshooting).
The access-list on the outside interface permits tcp 443 to the "real" address 172.31.150.41.
The security level on the ACME-DMZ interface is 40.
The security level on outside is 0.
When I do a packet trace in ASDM, it gets through the ACLs and routes, but fails on the NAT, saying "packet dropped."
It doesn't say anything else. What is the issue here?
Is this public IP 126.96.36.199 dedicated to the server 172.31.150.41? If so, then you should not have any issue with your NAT statement. Does the firewall have a proper route to the server? The other firewall you have mentioned here, right? If that firewall is the gateway of the host, then you should have proper routing and access rules allowed in that firewall.
Internet ---> (Out) <>ASA <>(DMZ)--------------->ASA(LAN)-->Server
In the above scenario you are doing NAT on the Internet ASA firewall, and the server is in the DMZ zone, where it has another firewall inside the DMZ zone. You have already done NAT and allowed the access rules in the Internet firewall. In the Internet firewall you should have a static route to reach the inner firewall.
Say, for example: route ACME-DMZ 172.31.150.41 255.255.255.255 <DMZ ASA IP Address>
And in the DMZ ASA you should have the routing pointed to the Internet ASA.
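For reference, here is an added example (not the asker's or the answerer's configuration) of how the pieces discussed in this thread fit together on an ASA running 8.3 or later, where the outside access-list references the real (untranslated) address rather than the mapped one. The next-hop 172.31.150.1 for the inner ASA's DMZ-facing interface and the test source address 198.51.100.10 are assumed placeholders; the packet-tracer invocation at the end is the CLI equivalent of the ASDM trace and reports the exact phase (ACL, ROUTE-LOOKUP, NAT, ...) that drops the packet.

```cisco
! Object NAT: real host 172.31.150.41 on ACME-DMZ is reachable from outside as 22.214.171.124.
! The "host" line is required; without it the object has no real address to translate.
object network obj-172.31.150.41
 host 172.31.150.41
 nat (ACME-DMZ,outside) static 22.214.171.124
!
! Inbound ACL on outside: in 8.3+ the destination is the REAL address, not the mapped one.
access-list outside_access_in extended permit tcp any host 172.31.150.41 eq 443
access-group outside_access_in in interface outside
!
! Static route so the edge ASA knows the host lives behind the inner ASA on ACME-DMZ.
! 172.31.150.1 is an assumed placeholder for the inner ASA's DMZ-facing address.
route ACME-DMZ 172.31.150.41 255.255.255.255 172.31.150.1
!
! --- exec mode (not configuration) ---
! Simulate an inbound HTTPS connection from an assumed external client 198.51.100.10.
! "detailed" prints each phase; a drop shows the phase name and a Drop-reason line.
packet-tracer input outside tcp 198.51.100.10 12345 22.214.171.124 443 detailed
!
! Confirm the translation exists and is being hit (translate_hits / untranslate_hits).
show nat detail
```

If packet-tracer still reports a drop at the NAT phase with this layout, compare the mapped address in the NAT statement with the address actually used in the trace, and check that no earlier manual (twice) NAT rule or a second object NAT for the same real host takes precedence.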