Problem with one website through ASA

Hi All!

I posted this thread before, but here it goes again because the problem is different now.

I just can't figure it out.

We have a new ISP.

They provided us with a new public IP range.

If I connect a computer directly to the router and give my computer the IP 201.193.188.114, I can open www.me.com

If I connect the same machine behind the ASA 5550 running 8.2(2), and assign my machine the same IP 201.193.188.114, the page cannot be displayed. (NATed through the ASA)

This happens always, every time.

If I try different IPs bypassing the ASA it works, trying the same IPs behind the ASA it does not work.

There's no HTTP inspection enabled.

There's no ACL blocking the traffic.

I did a capture and it shows traffic going out, but never coming back to the ASA?!

How could this be?

If in the same minute, I disconnect the ASA and plug my computer it works!

The Packet Tracer shows the flow of the connection should be permitted by every process.

The sh asp drop counters are just too excessive to see exactly which one increments each time I attempt to access the page.

Definitely, the ASA is causing the problem here (I have a lot of experience with the ASA and I'm lost, please help me out!)

Thank you!

Federico.


13 Replies

Jennifer Halim
Cisco Employee

Yes, clear the arp on the router/reload the router after you NAT it on the ASA. It will work just fine after.

When you say you are natting the computer through the ASA to the same IP address are you using nat/global or static 1-1? Not that it matters.

sh xlate debug | i x.x.x.x

shows that it is getting translated to the correct IP that you expect?

Once you configure the translation, the firewall will proxy ARP for that IP address, so the router upstream should update the MAC address even if it had the PC's MAC from when it was outside.

On the outside router, issue a "sh arp | i x.x.x.x" and see what MAC address it shows, whether it is the ASA's outside MAC or the PC's MAC from when it was outside. If you see the PC's MAC, then issue clear arp like halijenn said.

Refer to this document that I put together based on your previous thread regarding being unable to load certain websites.

https://supportforums.cisco.com/docs/DOC-8982

-KS

Thanks, but I did the clear arp and the reboot, and the problem persists.

I don't see how this would be an arp problem since I can get to any web page, but the one I'm having problems with.

The sh xlate shows the translation taking place correctly. (either using dynamic or static nat).

I went to whatismyip.com and I get translated to the same address (when going through the ASA or when bypassing the ASA).

The only thing I can think of is the TCP MSS, which I decreased, but with the same results.

I don't understand why the captures through the ASA never show return traffic.

The moment I clear the arp, reload the router, and try with the laptop using the same IP, everything works without a problem.

There are so many increments in the asp drop table that I can't really tell which entry increments when the problem happens.

I have followed the document, and everything that you mentioned there is already checked.

Not sure where to go from here....

Federico.

Hi Federico,

Could you please explain, so that I can understand it clearly.

1. You said when you connect your computer directly to the router with IP 201.193.188.114 you can open the website, but if you connect the same computer behind the ASA 5520 using the same IP, the page cannot be displayed.

Should I consider that you have one router connected to the ISP doing NAT for inside traffic using a public IP range supplied by your ISP, and one ASA connected to the same ISP doing NAT for inside traffic using the same public IP range, and you are shifting your computer from router to ASA using the same IP, or what?

2. Do you have a router which is internet facing and the ASA behind this router, which is then connected to your inside LAN and doing NAT for traffic going outside? If so, how are the IPs configured between the router and the firewall, and where is NAT configured?

3. You can try Packet-Tracer on the ASA to check what happens to the packet once it reaches inside using ASDM or CLI

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

http://www.cisco-secure.com/en/US/docs/security/asa/asa82/command/reference/p.html#wp1913020

When you apply captures, you see the SYN leave the outside interface destined to me.com, but the SYN ACK never arrives when the client is behind the ASA. Is this correct?

Honestly, I don't think it is the ASA.

When you issue "sh cap cap_name detail", which MAC address is the ASA sending the SYN to, and who owns this MAC? The router on the outside?

If this checks out, then is the router receiving the SYN ACK from me.com? If so, what is it doing with the SYN ACK and why is it not sending it to the firewall?

-KS
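One way to do the check KS describes over a saved "show capture" output, as an added example that is not part of this thread: it pairs each outbound TCP SYN with a SYN ACK in the reverse direction and lists the flows that never got one. The capture lines are constructed to approximate the ASA's tcpdump-style format, with TEST-NET addresses standing in for the web server and DNS server.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of ASA "show capture <name>" output (not a real capture
# from this thread): two SYNs leave the outside interface, only one gets a SYN ACK back,
# and the unanswered one is retransmitted.
SAMPLE_CAPTURE = """\
   1: 10:15:03.512345 201.193.188.114.52344 > 198.51.100.10.80: S 2889913475:2889913475(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
   2: 10:15:03.540210 201.193.188.114.52345 > 203.0.113.53.53: udp 38
   3: 10:15:04.112233 201.193.188.114.52346 > 198.51.100.20.80: S 1122334455:1122334455(0) win 8192 <mss 1380,nop,nop,sackOK>
   4: 10:15:04.201000 198.51.100.20.80 > 201.193.188.114.52346: S 99887766:99887766(0) ack 1122334456 win 5840 <mss 1460>
   5: 10:15:06.512345 201.193.188.114.52344 > 198.51.100.10.80: S 2889913475:2889913475(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags and options>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def unanswered_syns(capture_text):
    """Return {(src, sport, dst, dport): syn_count} for TCP SYNs that never saw a SYN ACK."""
    pending = OrderedDict()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line (or a format this parser does not know)
        rest = m.group("rest")
        # tcpdump-style flags: "S ..." without "ack" is a SYN, "S ... ack N" is a SYN ACK
        if not rest.startswith("S "):
            continue  # UDP and non-SYN TCP segments are irrelevant for this check
        key = (m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"))
        if " ack " in rest:
            # A SYN ACK answers the client flow with the reverse 4-tuple
            pending.pop((key[2], key[3], key[0], key[1]), None)
        else:
            pending[key] = pending.get(key, 0) + 1  # count retransmissions too
    return dict(pending)

if __name__ == "__main__":
    for (src, sport, dst, dport), n in unanswered_syns(SAMPLE_CAPTURE).items():
        print("no SYN ACK for %s:%s -> %s:%s (%d SYN(s) sent)" % (src, sport, dst, dport, n))
```

Run it against captures taken on both the inside and outside interfaces: a flow that is unanswered on the outside capture but answered on the router's own counters points at the hop between router and firewall, as suggested above.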

Yes,

I can connect to the webpage if I give my computer the public IP directly (just directly connected to the ISP router).
If I connect the ASA and configure a dynamic/static NAT for that same IP to my computer, I can no longer connect.
Note that I only cannot connect to that page (everything else works, as far as we have tested).

The packet-tracer shows the connection should be fine.

When I do the captures on the ASA (both on the inside and outside interfaces), I see the SYN getting out but never a reply back.

The ASA is sending the SYN to the outside router.


Here is the weird thing... I don't see the SYN ACK getting back to the router either.

Federico.

Hi Federico,

So you have an internet-facing router in front of your ASA and you have configured the ASA with dynamic NAT on it.

In this scenario you will have the following on the ASA:

ACL on Inside Interface allowing your computer IP (172.16.0.10) to any destination on port 80

global (outside) with the IP you want your computer to become, e.g. the public IP provided by your ISP

nat (inside) with the network the traffic is coming from, e.g. 172.16.0.0/16

That is it.

Now, do you have any NAT / PAT configured on the router also (which is not likely from your statements)? Even if you do, can you paste your configs, if you can?

Also, while doing the NAT on your ASA, try NATing your IP to some different IP (only possible if your ISP has provided you a set of IPs). What I mean to say is: don't NAT it to the same IP which you configured on your laptop while connected directly to your router and performing the test.

Which router is this?

I've tried it with a 2811 and a 1841.

There's no NAT on this router.

The ISP gave us a WAN and a LAN range of public IPs, and I'm using the LAN range for NAT.

I've tried it with several different IPs from the LAN range with the same behavior.

I've tried several different NAT configurations on the ASA (dynamic NAT/static)

I don't see any changes in doing all of the above.

Federico.

Please share the router and ASA config when it's not working. Especially the interface, routing, and translation configuration.

Hi Federico,

So your router is simply forwarding all traffic to your FW outside interface connected to it and nothing else?

Why don't you remove the router and put your firewall directly on the internet and try it out doing the same NAT? I believe the problem is between the router and firewall comms.

As said, please post your configs.

Federico,

Is it possible to stick a hub on the outside and run the ASA and the router into it?

Then use a laptop on the hub and gather wireshark captures, so we can see if me.com even sends a SYN ACK back to the SYN sent from behind the firewall and, if so, what MAC address the SYN ACK is being sent to.

Should be simple to do right?

-KS

Correct.

I'll try it and let you guys know.

Thank you.

Federico.

Turns out to be an ISP issue.

When I tried to access the web page going through the ASA, I was getting out using the same public IP, but the internal DNS.

When I connected my computer directly to the ISP, I was manually setting a public DNS (4.2.2.2).

Previously, the ISP was not helpful, but finally they told us that there was a problem with their routing.

Not sure what exactly they did and now it is working.

I noticed that using our internal DNS or using a public DNS was resolving a different IP for the web page, and the ISP routing was affecting it.

Thank you everybody for trying to help! This forum is great!

Federico.
