Cisco Support Community

New Member

PAT Problem

Hello,

I am starting over with a drawing.

http://www.flickr.com/photos/31154535@N07/3929040630/sizes/o/

The user out in the cloud is a client who wants to connect to https://www.help.megacorp.net:9443

Then I want the ASA to do PAT on 9443 to 443 and forward that traffic to the host in the LAN (10.100.37.21).

help.megacorp resolves to 217.142.187.114

The logs on the router and ASA5520 show nothing. I must have something basically wrong.

If you need more detail from the config let me know.

Thanks a million,

Pedro

11 REPLIES

Re: PAT Problem

Pedro,

The ASA will not act as an SSL proxy.

HTH

New Member

Re: PAT Problem

So what I want to do can't be done??

New Member

Re: PAT Problem

I finally got an error message on the FW:

No translation group found for tcp src Outside:76.195.192.74/2723 dst WebVLAN:10.100.37.21/443

New Member

Re: PAT Problem

Translation error gone... return traffic gets to the ASA now. But now I am getting:

Deny TCP reverse path check from 76.195.192.74 to 172.31.1.4 on interface outside_edgert_vlan10

Totally lost now....

Re: PAT Problem

Post your current config for review, remove sensitive information.

New Member

Re: PAT Problem

Hello Andrew,

This is the latest drawing:

http://www.flickr.com/photos/31154535@N07/3931585864/sizes/o/

The traffic gets translated fine at the ASA5520 coming in and gets to the 10.100.37.21 host. The return traffic gets to the ASA and that's when I see that error.

Just for fun I removed the statement:

ip verify reverse-path interface outside

And no change in behavior, however the ASA generates no errors.

Re: PAT Problem

Change the config using default ssl ports 443 all the way thru - without changing them.

New Member

Re: PAT Problem

OK but we use help.megacorp.com for SSL VPN users to connect to our offices ...

won't there be a problem??

Re: PAT Problem

I do not understand - your original posting was for help.megacorp.net ?

If you cannot change the acl/static nat on the asa, then the only thing I can suggest to you is that you must debug and troubleshoot.

And check the forums for similar postings.

New Member

Re: PAT Problem

Sorry, that was a typo ... I meant to say help.megacorp.net ....

I will keep banging my head on this and if I discover what the problem is I will let everyone know ..

Thanks for your help. I appreciate it very much.

Pedro
