Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

NAT Will Not Work

I have the following configured on an ASA running 9.1(2)

object network Webserver

Host  10.10.10.1

nat (DMZ,outside) static 208.2.3.4

Access-list knock_knock extended permit tcp any object Webserver eq http

Access-group knock_knock in interface outside

BUT.. I still cannot get to the the webserver from the outside(internet). so I captured some logs and found that the NAT and access list mentioned above are actually working (please see the attached screen capture)

DMZ Trouble.JPG

The NAT is definitely working since my independent test from the outside registers as "hits" each time I try to get to the HTTP server. The logs tell me that it Builds and Tears down the attempted connection instantaneously. Since I know that the NAT and the access list on the outside interface are both working components, troubleshooting them would be a waste of time. The Server itself can access the internet(outside) without any issues from behind the DMZ where it lives. I tested it's ability to do so by logging on and browsing the internet (yahoo, CNN etc..) so the basic principles of the server are fine (IP, Gateway Subnet connectivity etc..) 


What would you do at this point?


Thanks in advance


Everyone's tags (4)
2 REPLIES
New Member

NAT Will Not Work

Hey ,

Please check the output of the following command from the firewall.

#packet-tracer input dmz tcp http http

Thanks

VIP Green

NAT Will Not Work

If the packet tracer shows as allowed, I would do a packet capture.  This will give us a good idea if the packets is entering and leaving the outside interface, as well as entering and leaving the inside interface.  Please post the results here for further assistance.

here is a link on how to perform a packet capture:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

--
Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
129
Views
0
Helpful
2
Replies
CreatePlease to create content