TCP att 126.96.36.199:80 Inside 172.25.2.119:3691, idle 0:00:10, bytes 0, flags saA
Flags:
A - awaiting inside ACK to SYN
a - awaiting outside ACK to SYN
B - initial SYN from outside
b - TCP state-bypass or nailed
C - CTIQBE media
D - DNS
d - dump
E - outside back connection
F - outside FIN
f - inside FIN
G - group
g - MGCP
H - H.323
h - H.225.0
I - inbound data
i - incomplete
J - GTP
j - GTP data
K - GTP t3-response
k - Skinny media
M - SMTP data
m - SIP media
n - GUP
O - outbound data
P - inside back connection
p - Phone-proxy TFTP connection
q - SQL*Net data
R - outside acknowledged FIN
R - UDP SUNRPC
r - inside acknowledged FIN
S - awaiting inside SYN
s - awaiting outside SYN
T - SIP
t - SIP transient
U - up
V - VPN orphan
W - WAAS
X - inspected by service module
saA means that the host on the inside is waiting for a SYN ACK from the outside host. The web server isn't responding back. The logs would probably say SYN timeout.
When you say you are able to load the same site from the outside, what IP address do you appear as when you access this same website from the outside? Take that same IP address, use it to translate the inside host on the firewall, try to access the same page and see if it works.
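As an added illustration of the flag reading above (this is not code from the thread or from Cisco), the script below parses TCP lines in the "show conn" format quoted at the top of the thread and reports which connections are still embryonic after a few seconds with zero bytes, the state that ends up as a SYN timeout in syslog. The first sample line is the one from the thread; the other sample lines, the addresses in them and the idle threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Handshake-related flags from the "show conn" legend; the rest of the legend
# (inspection engines, VPN, etc.) is not needed for this triage.
HANDSHAKE_FLAGS = {
    "A": "awaiting inside ACK to SYN",
    "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN",
    "s": "awaiting outside SYN",
    "U": "up",
}

# One TCP line of "show conn":
# TCP <out_if> <out_ip>:<port> <in_if> <in_ip>:<port>, idle h:mm:ss, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^TCP\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),\s+"
    r"idle\s+(?P<idle>[\d:]+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)


@dataclass
class Conn:
    out_if: str
    out_ip: str
    out_port: int
    in_if: str
    in_ip: str
    in_port: int
    idle_s: int
    nbytes: int
    flags: str


def parse_idle(idle: str) -> int:
    """Convert the idle column (h:mm:ss) to seconds."""
    secs = 0
    for part in idle.split(":"):
        secs = secs * 60 + int(part)
    return secs


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one TCP line of 'show conn'; returns None for non-matching lines (UDP, headers)."""
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    return Conn(
        m["out_if"], m["out_ip"], int(m["out_port"]),
        m["in_if"], m["in_ip"], int(m["in_port"]),
        parse_idle(m["idle"]), int(m["bytes"]), m["flags"],
    )


def classify(conn: Conn) -> str:
    """Describe where in the three-way handshake the firewall thinks this conn is."""
    f = set(conn.flags)
    if "U" in f:
        return "established"
    initiator = "outside" if "B" in f else "inside"
    if "s" in f:
        # 's' still set (with 'a'): the inside SYN went out, no SYN/ACK came back.
        return f"embryonic: {initiator}-initiated, SYN sent, no SYN/ACK from outside"
    if "S" in f:
        return f"embryonic: {initiator}-initiated, SYN seen, no SYN/ACK from inside"
    if "A" in f or "a" in f:
        return f"embryonic: {initiator}-initiated, SYN/ACK seen, waiting for final ACK"
    return "unknown/closing"


def find_stuck(lines, min_idle_s: int = 5):
    """Return (conn, reason) for conns still embryonic after min_idle_s with no payload bytes."""
    stuck = []
    for line in lines:
        conn = parse_conn(line)
        if conn is None:
            continue
        reason = classify(conn)
        if reason.startswith("embryonic") and conn.nbytes == 0 and conn.idle_s >= min_idle_s:
            stuck.append((conn, reason))
    return stuck


# Constructed sample: first line is the one quoted in the thread, the others are
# made up (established, outside-initiated, and a handshake still in progress).
SAMPLE = [
    "TCP att 126.96.36.199:80 Inside 172.25.2.119:3691, idle 0:00:10, bytes 0, flags saA",
    "TCP att 198.51.100.7:443 Inside 172.25.2.50:52001, idle 0:00:01, bytes 8120, flags UIO",
    "TCP att 203.0.113.9:41872 Inside 172.25.2.10:25, idle 0:00:12, bytes 0, flags SaAB",
    "TCP att 198.51.100.8:80 Inside 172.25.2.51:40001, idle 0:00:00, bytes 0, flags A",
    "UDP att 198.51.100.53:53 Inside 172.25.2.50:33412, idle 0:00:02, bytes 120, flags -",
]

if __name__ == "__main__":
    for conn, reason in find_stuck(SAMPLE):
        print(f"{conn.in_ip}:{conn.in_port} -> {conn.out_ip}:{conn.out_port} "
              f"idle {conn.idle_s}s flags {conn.flags}: {reason}")
```

Feed it the output of "show conn" (or "show conn address <host>") copied from the ASA; a connection that stays at saA with bytes 0 while idle keeps climbing is the pattern this thread is about, and the distinction between 's' (no SYN/ACK from outside) and a lone 'A' (SYN/ACK received, final ACK pending) tells you which side is silent.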
Basically I did not use the IP address for the testing; I was using the DNS name of the website for the test, and it translates to the same IP address (it also showed the same public IP addresses in both firewalls, ASA5510 and PIX).
1. The following is a trace from the location that has the saA error message:
 1    <1 ms    <1 ms    <1 ms
 2     1 ms     1 ms     1 ms
 3     1 ms    <1 ms    <1 ms  188.8.131.52
 4     2 ms     1 ms     1 ms  cr84.cgcil.ip.att.net [184.108.40.206]
 5     2 ms     1 ms     1 ms  cr2.cgcil.ip.att.net [220.127.116.11]
 6     1 ms     1 ms     1 ms  ggr3.cgcil.ip.att.net [18.104.22.168]
 7     1 ms     1 ms     1 ms  22.214.171.124
 8    77 ms     3 ms   213 ms  te3-4.mpd01.ord03.atlas.cogentco.com [126.96.36.199 34]
 9    69 ms   217 ms     2 ms  te2-4.mpd01.ord01.atlas.cogentco.com [188.8.131.52 05]
10   165 ms   193 ms    27 ms  te9-2.mpd03.jfk02.atlas.cogentco.com [154.54.29.162]
11   103 ms   103 ms   103 ms  te3-2.mpd02.lon01.atlas.cogentco.com [184.108.40.206 0]
12   112 ms   112 ms   112 ms  te3-8.ccr01.lon01.atlas.cogentco.com [130.117.1.133]
13   121 ms   121 ms   121 ms  te1-2.ccr01.dub01.atlas.cogentco.com [130.117.0.130]
14   122 ms   122 ms   122 ms  220.127.116.11
15   112 ms   112 ms   112 ms  ge6-3.sw002.cwt.esat.net [18.104.22.168]
16   111 ms   111 ms   111 ms  vlan54.sw502.cwt.esat.net [22.214.171.124]
17   111 ms   111 ms   111 ms  ge5-2.sw532.cwt.esat.net [126.96.36.199]
18  emc-gw.cr532.cwt.esat.net [188.8.131.52] reports: Destination net unreachable.
2. This trace is from the location that can view the website:
 1     2 ms    <1 ms     1 ms
 2     1 ms    <1 ms    <1 ms  core3.te2-2-bbnet2.chg.pnap.net [184.108.40.206]
 3     1 ms    <1 ms    <1 ms  GigabitEthernet5-0.GW1.CHI13.ALTER.NET [157.130.102.245]
 4     1 ms    <1 ms    <1 ms  0.so-6-2-0.XL4.CHI13.ALTER.NET [220.127.116.11]
 5    27 ms    27 ms    28 ms  0.so-3-0-0.IL4.NYC9.ALTER.NET [18.104.22.168]
 6    27 ms    27 ms    26 ms  so-1-0-0.IL2.NYC12.ALTER.NET [22.214.171.124]
 7   112 ms   112 ms   112 ms  so-1-0-0.XT1.DUB2.ALTER.NET [126.96.36.199]
 8   112 ms   112 ms   105 ms  gigabitethernet8-0-0.gw5.dub2.alter.net [158.43.152.39]
 9     *        *              188.8.131.52 reports: Destination net unreachable.
I don't understand why both destinations are unreachable, yet one location can see the site and the other cannot. It looks like the first traceroute is a routing or BGP peering issue. But I don't understand why the second one is working.
KS, I also don't understand what you want me to test. You mentioned "Take that same IP address and use that to translate the inside host on the firewall and try to access the same page and see if it works."
1. You mentioned you were able to access the website by name from the outside, correct? You were using a PC or laptop for this test. What IP address did you give this laptop? Some public IP address, correct? I suggested using the same IP address on the firewall to translate the inside host and seeing if the same website works. For example, on the inside host behind the firewall, if you were to go to http://ipchicken.com it should show you the same IP address that you gave the PC/laptop to test from the outside.
2. It appears like the website on the internet selectively responds back to certain IP addresses but not to others. We have seen cases like this.