Problem accessing another public ip in same subnet

erik.gunstad
Level 1

Hi,

I have searched around for a previous post regarding this but can't find an issue similar to mine (or I'm just too stupid to understand that it is).

I have a Cisco 5505 at a small business that I help. The problem is that the ISP is providing public IPs to multiple customers in a /24 subnet. The ASA has a single public IP configured, 8.8.8.8 (not really, just for the example's sake), with a subnet mask of 255.255.255.0.

The web server I have to access is not managed by me and is in a different location (same town though). It has 8.8.8.115, so it is located in the same subnet as the ASA.

How would I make this work? I have tried to configure a static ARP entry for the web server but it just won't work. If I place a computer directly on the outside interface I have no problem accessing the web server.

I am running ASA version 8.2, but I could upgrade if it would help me solve the problem.

Any help with this issue is much appreciated.

1 Accepted Solution

Erik

The mac address reported in the ARP collision message, is that the same mac address shown in the arp cache on the ASA?

Jon

16 Replies

Jon Marshall
Hall of Fame

Erik

Could you clarify the topology in relation to the ASA and the web server, i.e.

1) is the web server protected by the ASA?

2) what interface has the 8.8.8.8 IP?

3) what interface is the web server located off, e.g. inside, DMZ?

4) are you using the real public IP on the web server or are you using a private IP and NAT?

Jon

Thanks for your time Jon.

1. The web server is protected by another firewall that I don't know the type of since I'm not responsible for that location. It is a third party web server.

2. It's not really 8.8.8.8 (I know it is a Google DNS server) but just to have something to reference in this issue. It is used on the WAN interface on the customer's ASA.

3. The web server will be accessed via the WAN interface since it is not located on the same site, but it shares the same public subnet with my customer since their ISP gives out IP addresses from the same /24 subnet. I guess it is to save a couple of public addresses.

4. To access the web server I must use a public address since I can't access it any other way. There is no other path but via the ISP.

I think this is an ASA-specific issue since the third party hasn't had this issue with other firewalls, and I can access the web server if I remove the ASA and put the public address on my laptop.

I hope this clarifies the issue Jon.

Erik

I'm still not getting this sorry.

You have an ASA with an outside interface of 8.8.8.8 (I know these are dummy addresses). Is that correct?

If so the web server has an IP from the same subnet. But the real web server sits behind another firewall.

So this web server must have a different real IP?

How is the other firewall connected to the ASA, i.e. which interface on the ASA?

Jon

I know that I'm not being clear; it's hard to explain. I have drawn a Visio sketch that I hope clarifies my issue. I have nothing to do with the third party site, only the Customer site.

Once again, thanks for your time.

[Attached image: Problembeskrivning.png]

Erik

Okay, so if you replace the ASA with a laptop using the 8.8.8.8 IP it all works?

So are you doing NAT for the internal clients on the ASA, e.g.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

assuming the clients are connected to the inside interface.

Jon

That is correct. If I connect a laptop with the public address instead it works. Also, it works from pretty much any other place as long as you are not behind an ASA on the same subnet. I can for example connect from my office.

I am doing NAT:

global (outside) 1 interface

nat (inside) 0 access-list inside_VPNClients

nat (inside) 1 0.0.0.0 0.0.0.0

The clients are connected to the inside interface.

Erik

What does the arp table show when you try to connect through the ASA?

From the ASA can you ping the other firewall IP?

Jon

The ASA has a correct ARP entry for the host.

The other firewall does not respond to pings, but other hosts in the public subnet respond to ping.

I don't know if it matters but I do get an entry in the log viewer.

4  Feb 24 2014  13:38:05  405001  Received ARP request collision from 8.8.8.115/0003.fc04.ccbf on interface outside

Erik

The mac address reported in the ARP collision message, is that the same mac address shown in the arp cache on the ASA?

Jon

Sorry, marked your answer as correct by mistake but can't see anywhere to change it. Yes, it is correct that the mac address is the same as in my arp cache on the ASA.

Erik

Unfortunately you can't retract a correct answer mark.

Anyway, can you post the ASA config.

Also, when you use the laptop with the public IP, what is its default gateway set to?

Jon

The ISP only specifies one gateway in that range, and that is 8.8.8.1, so any other would not let me access the internet.

Once again thank you for your time.

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name XXXXXXX
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 8.8.8.8 Outside_IP
name 192.168.20.2 Server
name 192.168.20.11 rav-dc01
name 192.168.20.12 rav-ms01
name 192.168.20.13 rav-rds01
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outside_IP 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name XXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list RemoteVPNSplittunnel standard permit 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit tcp host 100.100.100.228 interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit udp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq 4125
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq 444
access-list outside_access_in extended permit gre any interface outside
access-list outside_access_in extended permit udp any interface outside eq 444
access-list outside_access_in extended permit tcp any interface outside eq www
access-list inside_access_in extended permit tcp host rav-ms01 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteVPNPool 192.168.25.100-192.168.25.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 4125 Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface https rav-ms01 https netmask 255.255.255.255  dns
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 rav-rds01 3389 netmask 255.255.255.255  dns
static (inside,outside) tcp interface smtp rav-ms01 smtp netmask 255.255.255.255
static (inside,outside) udp interface 444 Server 444 netmask 255.255.255.255
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255  dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server rav_Intern protocol radius
aaa-server rav_Intern (inside) host rav-dc01
 key CiscoAsa5505RAV2012
 radius-common-pw CiscoAsa5505RAV2012
http server enable 8080
http 192.168.20.0 255.255.255.0 inside
http 192.168.25.0 255.255.255.0 inside
http 100.100.101.128 255.255.255.192 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.20.190-192.168.20.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server rav-dc01 source inside
webvpn
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 wins-server value 192.168.20.11
 dns-server value 192.168.20.11
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPNSplittunnel
 default-domain value rav.nu
 split-dns value rav.nu
username SupportVPN password XXXXXXX encrypted privilege 0
username SupportVPN attributes
 vpn-group-policy RemoteVPN
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
 address-pool RemoteVPNPool
 authentication-server-group rav_Intern
 accounting-server-group rav_Intern
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8481ab3aa01b23bad17bacb2aca7197a
: end
asdm image disk0:/asdm-621.bin
no asdm history enable

Erik

I can't see anything obviously wrong with your config.

That ARP collision request message does suggest an issue. It basically means the ASA is seeing the same mac address for two different IP addresses.

You could try a "debug arp" (or "debug ip arp") to see if that reveals anything.

Jon
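An added example (not from this thread or from Cisco): a small Python script that pulls the 405001 ARP-collision lines out of an ASA syslog export, groups them by MAC and by IP, and runs the check from the accepted answer, comparing the MAC in each collision against the ASA's ARP cache. The log lines and the ARP_CACHE dict are constructed for illustration; only the 8.8.8.115/0003.fc04.ccbf pair echoes the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog export; the 8.8.8.x and 0003.fc04.ccbf values echo the thread.
SAMPLE_LOG = """\
Feb 24 2014 13:38:05 ciscoasa %ASA-4-405001: Received ARP request collision from 8.8.8.115/0003.fc04.ccbf on interface outside
Feb 24 2014 13:38:07 ciscoasa %ASA-4-405001: Received ARP request collision from 8.8.8.116/0003.fc04.ccbf on interface outside
Feb 24 2014 13:38:09 ciscoasa %ASA-4-405001: Received ARP response collision from 8.8.8.200/0011.2233.4455 on interface outside
Feb 24 2014 13:38:11 ciscoasa %ASA-6-106015: Deny TCP (no connection) from 8.8.8.200/443 to 8.8.8.8/51000 flags RST on interface outside
"""

# Constructed stand-in for the ASA's 'show arp' output on the outside interface (ip -> mac).
ARP_CACHE = {"8.8.8.1": "0000.0c07.ac01", "8.8.8.115": "0003.fc04.ccbf", "8.8.8.200": "aaaa.bbbb.cccc"}

# Matches the 405001 message text quoted in the thread.
ARP_COLLISION_RE = re.compile(
    r"Received ARP (?P<kind>request|response) collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)")

def parse_collisions(log_text):
    """Return (ip, mac, iface) for every 405001 line; other syslog IDs are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = ARP_COLLISION_RE.search(line)
        if m:
            hits.append((m["ip"], m["mac"].lower(), m["iface"]))
    return hits

def summarize(collisions):
    """Group by MAC and by IP so a MAC claiming several IPs, or an IP seen with several MACs, stands out."""
    ips_per_mac, macs_per_ip = defaultdict(set), defaultdict(set)
    for ip, mac, _iface in collisions:
        ips_per_mac[mac].add(ip)
        macs_per_ip[ip].add(mac)
    return {"mac_with_many_ips": {m: sorted(v) for m, v in ips_per_mac.items() if len(v) > 1},
            "ip_with_many_macs": {i: sorted(v) for i, v in macs_per_ip.items() if len(v) > 1}}

def check_against_arp_cache(collisions, arp_cache):
    """The accepted answer's check: does the MAC in each collision match the ASA's cached entry?
    Returns (ip, logged_mac, cached_mac) for every IP whose logged MAC differs from the cache."""
    return [(ip, mac, arp_cache[ip].lower()) for ip, mac, _iface in collisions
            if ip in arp_cache and arp_cache[ip].lower() != mac]

if __name__ == "__main__":
    found = parse_collisions(SAMPLE_LOG)
    print(summarize(found))
    print(check_against_arp_cache(found, ARP_CACHE))
```

Feed it a real syslog export and the parsed output of `show arp` to see whether the collisions point at one upstream device answering for several addresses, which is what Jon's question is probing.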

Swaraj Nambiar
Cisco Employee

Hi Erik,

Do you have static NAT configured on the ASA?

You need to have the following configured on the ASA -

#static (inside,outside) 8.8.8.15 inside and outside are the names of the two interfaces. I have assumed that the server is connected to the interface named "inside" and the IP 8.8.8.8 is configured on the "outside" interface.

You also need to allow this traffic in an access-list that should be applied on the "outside" interface -

#access-list inbound permit tcp any host 8.8.8.15 eq 80 --> this is assuming that "inbound" is the name of the ACL on the outside interface.

If there is no ACL applied to the outside interface, you may apply the following command as well -

#access-group inbound in interface outside
