The device itself can ping and be pinged, so internet connectivity is good. The packet trace function says the inbound traffic *should* be permitted ("RESULT - The packet is allowed.") for any number of protocols I test, and the same with outbound traffic.
However, nothing gets through. Logging shows outbound connections get SYN timeouts, and inbound connections never reach the firewall itself.
It *seems* as if the firewall is not recognizing inbound requests for IP addresses it has NAT rules for.
There are multiple firewalls on the same internet routed segment, but the other firewalls all accept their inbound requests for the IPs that reside in their NAT lists without any problem.
I have enabled Proxy ARP on the external interface.
What am I missing? Thanks in advance!
```
names
name 220.127.116.11 VL description VLremote
name 18.104.22.168 comgmt description Monitoring Server
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 22.214.171.124 255.255.255.192
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.35 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.41
 name-server 10.1.1.42
 domain-name ilsasp.com
same-security-traffic permit intra-interface
object-group network CitrixServers
 description Citrix Xen App Servers
 network-object host 126.96.36.199
 network-object host 188.8.131.52
 network-object host 184.108.40.206
object-group network DBservers
 description database servers
 network-object host 10.1.1.43
 network-object host 10.1.1.48
object-group network HostingLocs
 description Locations involved in monitoring
 network-object 220.127.116.11 255.255.255.224
 network-object 18.104.22.168 255.255.255.192
 network-object host 22.214.171.124
 network-object host 126.96.36.199
object-group network ILSrhowell
 description ILS db admin access
 network-object host 188.8.131.52
 network-object 184.108.40.206 255.255.255.0
 network-object host 220.127.116.11
object-group network colocs
 description co secure remote locations
 network-object host 18.104.22.168
 network-object host 22.214.171.124
object-group network WebServers
 description Servers hosting web applications
 network-object host 126.96.36.199
 network-object host 188.8.131.52
 network-object host comgmt
object-group service citrix-sr tcp
 description SessionReliability
 port-object range 2598 2598
object-group service citrix-xml tcp
 description XML
 port-object range 5321 5321
object-group service CitrixXenApp tcp
 description All XenApp Services
 port-object eq citrix-ica
 group-object citrix-sr
 group-object citrix-xml
object-group service DBmgmt tcp
 description ftp and rdp for ils db server management
 port-object eq ftp-data
 port-object eq ftp
 port-object range 3389 3389
object-group service cimweb tcp
 description Insight Manager Web Access
 port-object range 2301 2301
object-group service cim tcp
 description Insight Manager
 port-object range 280 280
 group-object cimweb
object-group service coservices tcp
 description Services allowed to secure co locations
 group-object CitrixXenApp
 port-object eq ftp-data
 port-object eq ftp
 port-object eq telnet
 port-object range 3389 3389
 port-object eq https
 port-object eq echo
 port-object eq www
 group-object cim
object-group service coservicesudp udp
 description UPD services permitted to secure co locations
 port-object eq time
 port-object eq echo
object-group service MonitoringTCP tcp
 description TCP based monitoring services
 port-object eq echo
 group-object cim
object-group service MonitoringUDP udp
 description Monitoring services via UDP
 port-object eq snmp
 port-object eq snmptrap
 port-object eq echo
object-group service WebPorts tcp
 description http and https
 port-object eq https
 port-object eq www
object-group network AllInternal
 description All internal IPs permitted outbound
 network-object 10.1.1.0 255.255.255.0
 network-object 184.108.40.206 255.255.255.192
access-list outside_access_in remark Citrix PS aka XenApp
access-list outside_access_in extended permit tcp any object-group CitrixServers object-group CitrixXenApp
access-list outside_access_in extended permit tcp object-group ILSrhowell object-group DBservers object-group DBmgmt
access-list outside_access_in remark Permitted access from co secure locs via TCP
access-list outside_access_in extended permit tcp object-group colocs any object-group coservices
access-list outside_access_in remark Permitted access from co secure locs via UDP
access-list outside_access_in extended permit udp object-group colocs any object-group coservicesudp
access-list outside_access_in extended permit ip host VL any
access-list outside_access_in remark General web server access
access-list outside_access_in extended permit tcp any object-group WebServers object-group WebPorts
access-list outside_access_in remark Mail alerts from Brewer
access-list outside_access_in extended permit tcp host 220.127.116.11 host comgmt eq smtp
access-list outside_access_in remark TCP monitoring
access-list outside_access_in extended permit tcp object-group HostingLocs host comgmt object-group MonitoringTCP
access-list outside_access_in remark UDP monitoring
access-list outside_access_in extended permit udp object-group HostingLocs host comgmt object-group MonitoringUDP
access-list outside_access_out extended permit ip object-group AllInternal any
access-list inside_access_in remark Permit all outbound.
access-list inside_access_in extended permit ip object-group AllInternal any
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.1.1.128 255.255.255.128
static (inside,outside) comgmt 10.1.1.51 netmask 255.255.255.255
static (inside,outside) 18.104.22.168 10.1.1.52 netmask 255.255.255.255
static (inside,outside) 22.214.171.124 10.1.1.33 netmask 255.255.255.255
static (inside,outside) 126.96.36.199 10.1.1.32 netmask 255.255.255.255
static (inside,outside) 188.8.131.52 10.1.1.34 netmask 255.255.255.255
static (inside,outside) 184.108.40.206 10.1.1.41 netmask 255.255.255.255
static (inside,outside) 220.127.116.11 10.1.1.42 netmask 255.255.255.255
static (inside,outside) 18.104.22.168 10.1.1.43 netmask 255.255.255.255
static (inside,outside) 22.214.171.124 10.1.1.44 netmask 255.255.255.255
static (inside,outside) 126.96.36.199 10.1.1.45 netmask 255.255.255.255
static (inside,outside) 188.8.131.52 10.1.1.46 netmask 255.255.255.255
static (inside,outside) 184.108.40.206 10.1.1.48 netmask 255.255.255.255
static (inside,outside) 220.127.116.11 10.1.1.36 netmask 255.255.255.255
static (inside,outside) 18.104.22.168 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 22.214.171.124 10.1.1.38 netmask 255.255.255.255
static (inside,outside) 126.96.36.199 10.1.1.50 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 188.8.131.52 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
policy-map type inspect dns migrated_dns_map_1
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
```
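The question above turns on whether the firewall will actually answer for the mapped addresses in its `static (inside,outside)` rules: proxy ARP only helps when the mapped address sits inside the outside interface's subnet, a mapped address that collides with the interface's own address is a misconfiguration, and the same public address mapped to two inside hosts is ambiguous. The following script is an added example, not code from the original post or from Cisco, that parses ASA 8.x-style `interface`/`nameif`/`ip address` and `static` lines and reports those three conditions. The embedded configuration is constructed for the example (documentation-range addresses), not the poster's config, and the function and pattern names are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample configuration in ASA 8.x syntax (not the poster's config).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.192
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.35 255.255.255.0
nat-control
global (outside) 101 interface
nat (inside) 101 10.1.1.128 255.255.255.128
static (inside,outside) 203.0.113.10 10.1.1.51 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.52 netmask 255.255.255.255
static (inside,outside) 198.51.100.5 10.1.1.33 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.1.1.34 netmask 255.255.255.255
static (inside,outside) 203.0.113.2 10.1.1.40 netmask 255.255.255.255
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_interfaces(text):
    """Map each nameif to the IPv4Interface (address + mask) configured on it."""
    ifaces = {}
    name = None
    for line in text.splitlines():
        if IFACE_RE.match(line):
            name = None  # new interface stanza; nameif not seen yet
            continue
        m = NAMEIF_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and name:
            ifaces[name] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_statics(text):
    """Return (real_if, mapped_if, mapped_ip, real_ip, netmask) per static rule."""
    return [m.groups() for m in map(STATIC_RE.match, text.splitlines()) if m]


def audit_statics(text):
    """Return a list of (severity, message) findings for host static NAT rules."""
    ifaces = parse_interfaces(text)
    statics = [s for s in parse_statics(text) if s[4] == "255.255.255.255"]
    findings = []
    for real_if, mapped_if, mapped, real, _mask in statics:
        if mapped_if not in ifaces:
            findings.append(("error", f"{mapped}: mapped interface {mapped_if} has no IP address"))
            continue
        outside = ifaces[mapped_if]
        mapped_addr = ipaddress.IPv4Address(mapped)
        if mapped_addr == outside.ip:
            # The interface's own address cannot also be a one-to-one static mapping.
            findings.append(("error", f"{mapped}: collides with the {mapped_if} interface address (real host {real})"))
        elif mapped_addr not in outside.network:
            # Proxy ARP only answers for addresses on the connected subnet; anything
            # else must be routed to the firewall by the upstream device.
            findings.append(("warn", f"{mapped}: not in {outside.network}, upstream must route it to the firewall"))
    # One mapped address used by several real hosts is ambiguous for inbound traffic.
    for mapped, n in Counter(s[2] for s in statics).items():
        if n > 1:
            findings.append(("error", f"{mapped}: used as mapped address in {n} static rules"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_statics(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed config it reports one warning (198.51.100.5 is off the outside subnet) and two errors (203.0.113.2 is the interface address; 203.0.113.11 is mapped twice). Network statics (non-/32 netmask) are skipped to keep the example short; extending the subnet check to them is a matter of building an `IPv4Network` from the mapped address and netmask instead.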
Hmm... I suspect you came close with the xlate -- after trying to figure this out all afternoon, I left it alone to do some other work while I waited to see if anybody would answer here, and when I went to look at the log... it was working! Something was cached somewhere that was causing problems. Not sure exactly what, as this is a new box (just configured today), possibly something in an ISP router.