
Static NAT not working on 5520

Hi all,

I created a static NAT (and an inbound ACL to allow only HTTPS) for one of our Riverbeds to be accessed from the internet.

Pings are OK but I can't seem to get the public IP accessible.

Packet tracer passed in both directions.

Any ideas?

inside: 172.27.14.250

outside: 202.x.x.180

 

RIVERBED (172.27.14.250) <> ROUTER (172.27.14.249) <> 5520 <> INTERNET

 

ROUTER#ping 8.8.8.8 so 172.27.14.249

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.27.14.249
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/68/80 ms

 

5520# ping 172.27.14.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.14.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

access-list OUTSIDE line 10 extended permit tcp any host 172.27.14.250 eq https (hitcnt=81) 0x0f9fbd35

 

5520# packet-tracer input outside tcp 1.1.1.1 443 202.x.x.180 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network RVB
 nat (inside,outside) static 202.x.x.180 dns
Additional Information:
NAT divert to egress interface inside
Untranslate 202.x.x.180/443 to 172.27.14.250/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit tcp any host 172.27.14.250 eq https
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:       
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network RVB
 nat (inside,outside) static 202.x.x.180 dns
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 686320857, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

 

7 REPLIES

Hi, can you paste the nat configuration + object definition ?

Hi,

Apologies, I forgot. It's just a simple NAT rule:

object network RVB
 host 172.27.14.250
 nat (inside,outside) static 202.x.x.180 dns

The config looks fine and the packet-tracer shows that the NAT is working and the packet gets through. The next thing to test is whether the Riverbed actually listens on tcp/443:

asa# ping tcp 172.27.14.250 443

And how did you test it?

When using a browser from the outside, issue the following command directly after doing the test:

asa# sh conn | inc 172.27.14.250

There you see which state the connection is in; the meanings of the flags are shown with

asa# show conn detail 

 

Hi Karsten,

ping tcp isn't supported on this image. It seems I'm not getting a SYN ACK from the Riverbed device (correct me if I'm wrong).

I also saw earlier in the ASDM real-time log viewer that the SYN timed out.

I also checked earlier that the static route entries in the Riverbed seem to be correct (see attached). I'm tempted to reload the Riverbed but I need to check/cover other things first. Any idea?

Appreciate your help. I've been troubleshooting and scratching my head on this one.

 

5520# ping tcp ?
ERROR: % Unrecognized command

5520# sh ve

Cisco Adaptive Security Appliance Software Version 8.3(2)34

 

5520# sh conn | i 172.27.14.250    
TCP outside 222.165.x.2:1713 inside 172.27.14.250:443, idle 0:00:03, bytes 0, flags SaAB  << USED INTERNET AT HOME
5520# sh conn det | i 172.27.14.250
TCP outside:222.165.x.2/1713 inside:172.27.14.250/443,
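The flags in the `show conn` line above are what Karsten asked to look at. As an added example (not from the thread, not from Cisco), the script below parses such lines, applies the handshake-related subset of the flag legend that `show conn detail` prints (assumed here as A/a/B/S/s/U/I/O; check it against the legend your own image prints) and states which handshake step the ASA is still waiting for. The second and third sample lines are constructed for comparison; the first is the one pasted above.

```python
"""Decode ASA "show conn" lines to see where a TCP handshake is stuck.

Added example (not from the thread or from Cisco). The flag meanings are the
handshake-related subset of the legend "show conn detail" prints (assumed);
any other flag is reported verbatim rather than interpreted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed legend: ASA "show conn detail" flag key, handshake-related subset.
FLAG_KEY = {
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "U": "up (three-way handshake complete)",
    "I": "inbound data",
    "O": "outbound data",
}

# Matches the compact form ("TCP outside 1.2.3.4:1713 inside 10.0.0.1:443, idle ..., bytes N, flags XYZ")
# and the "show conn detail" form ("TCP outside:1.2.3.4/1713 inside:10.0.0.1/443,").
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if1>[\w-]+)[ :](?P<ip1>[\w.]+)[:/](?P<port1>\d+)\s+"
    r"(?P<if2>[\w-]+)[ :](?P<ip2>[\w.]+)[:/](?P<port2>\d+),"
    r"(?:\s+idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+))?"
    r"(?:,\s+flags\s+(?P<flags>\S+))?"
)


@dataclass
class Conn:
    proto: str
    if1: str
    ep1: str          # first endpoint as printed (interface order is the ASA's, not initiator order)
    if2: str
    ep2: str
    bytes: Optional[int]
    flags: str


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one 'show conn' line; returns None for lines that are not conn entries."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Conn(
        proto=g["proto"],
        if1=g["if1"], ep1=f"{g['ip1']}:{g['port1']}",
        if2=g["if2"], ep2=f"{g['ip2']}:{g['port2']}",
        bytes=int(g["bytes"]) if g["bytes"] is not None else None,
        flags=g["flags"] or "",
    )


def decode_flags(flags: str) -> List[str]:
    """Expand each flag letter using the assumed legend."""
    return [FLAG_KEY.get(c, f"{c} (not decoded here)") for c in flags]


def diagnose(conn: Conn) -> str:
    """Say which handshake step the ASA is still waiting for, from the flags alone."""
    f = set(conn.flags)
    if conn.proto != "TCP":
        return "not TCP: no handshake state to inspect"
    if "U" in f:
        return "established: three-way handshake completed through the ASA"
    initiator = "outside" if "B" in f else "inside"
    if "S" in f:
        return (f"SYN from {initiator} was forwarded, but no SYN/ACK has come back from the "
                f"inside host: check that it listens on the port and routes replies back to the ASA")
    if "s" in f:
        return f"SYN from {initiator} was forwarded, but no SYN/ACK has come back from the outside host"
    if "A" in f:
        return "SYN/ACK seen; waiting for the inside host's final ACK"
    if "a" in f:
        return "SYN/ACK seen; waiting for the outside host's final ACK"
    return "no handshake flags present; see the full legend in 'show conn detail'"


def report(lines: List[str]) -> List[str]:
    """One diagnosis line per parsable conn entry; non-conn lines are skipped."""
    out = []
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        out.append(f"{c.proto} {c.if1} {c.ep1} <> {c.if2} {c.ep2} bytes={c.bytes} "
                   f"flags={c.flags or '-'} [{', '.join(decode_flags(c.flags))}]: {diagnose(c)}")
    return out


# Constructed sample: the line from the thread, a made-up established flow, and a detail-form line.
SAMPLE = [
    "TCP outside 222.165.x.2:1713 inside 172.27.14.250:443, idle 0:00:03, bytes 0, flags SaAB",
    "TCP outside 203.0.113.7:52311 inside 172.27.14.250:443, idle 0:00:01, bytes 4821, flags UIOB",
    "TCP outside:222.165.x.2/1713 inside:172.27.14.250/443,",
]

if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
```

Run against the pasted line, the flags SaAB with bytes 0 decode to "initial SYN from outside, awaiting inside SYN", which is exactly the state Karsten describes next: the ASA forwarded the SYN and nothing came back from the Riverbed, so the remaining work is on that side of the ASA, not in the NAT rule.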

The "show conn" also shows (same as your log) that nothing comes back after the ASA forwards the packet to the Riverbed. Knowing that, you should continue troubleshooting there.

For your ASA version, upgrading to the newest v8.4 is highly recommended.

Hi Karsten,

To me, routing-wise it is fine. Is there a way to configure or trick the NAT policy?

Not sure what you want to "trick" on the ASA as the NAT is fine there. Now you must look at the Riverbed:

  1. Is the traffic reaching the device?
  2. Is the internal server reachable?
  3. Will the Riverbed route back to the ASA?