Hello Jon,

Thanks for responding, I just used route-maps just because it was another way of doing natting. I simplified the config but it contains more than 100 web servers being natted. The 172.25.x.x is a dmz network where it connects with another firewall that does another natting for the web servers who have a 192.168.x.x address to the 172.25.x.x range. To make sure the firewall is not the issue, I plugged a laptop with 172.25.x.x ip and was still able to view the web server fine. There was no log of any router accessing the server on the firewall, which makes me believe the issue lies with the router.

The 3rd interface on the router is just a management interface that is not involved in the natting process in any way.

I absolutely am not trying to redesign your network but I don't understand why you are doing NAT for the web servers twice if the web servers are behind a firewall.

The laptop test doesn't fully rule out the firewall although it suggests it does because the source IPs to the web servers are never going to be 172.25.x.x unless I have misunderstood what you are saying.

Not trying to be critical at all I just can't see anything fundamentally wrong with the router configuration so trying to work out what else it could be.

Presumably the web servers have the default gateway of the firewall or are connected to a L3 device which has route to the firewall ?

And you say there are over 100 web servers.

Does this mean you have over 100 public IPs ?

The only thing I would try is to remove the route map from one of your web server's NAT translations and see if that makes a difference.

I'm not sure it will but if all your routing is in place and your firewall is allowing traffic through I'm not sure where the problem lies.

Jon

The network has been in place and configured as such by a previous administrator; it will be a lot to try and convince my manager since they do follow a best practice of securing your internal network behind 2 NAT configuration. I prefer the router to sit behind the firewall myself just so i dont have to do security configuration twice.

I do have over 100 web servers and a whole \24 subnet of public ip's. I shortened the config since the route-map config for the rest of the webservers are the same as the two i have listed here

You can ping the webservers 172.25.x.x address from the router so the firewall is able to do the NAT translation for the webservers fine and yes the webservers have the firewall as their default gateway.The laptop test was just to see if the issue lies with the firewall not knowing how to respond to the request since its default gateway is the other firewall appliance that I am trying to replace with this router.

If the webservers can respond to a ping request but not a web request(port 80) is the reason I am leaning more towards the router being the issue but like you said I just dont see a problem with the config. Since i am in the testing phase, i can re-write the whole router config to a basic nat configuration without the route-maps but it is bugging me why the route-map config doesnt work since i can browse the internet fine internally.

I do appreciate your assistance Jon, I needed another eyes just so i am not pulling my hair more

The laptop test was just to see if the issue lies with the firewall not knowing how to respond to the request since its default gateway is the other firewall appliance that I am trying to replace with this router.

If the firewalls default gateway is not the router then it won't work unless I have misunderstood what you are saying.

Your laptop test works because the firewall has an interface in the 172.25.x.x range and that is also why you can ping from the router.

But connections from the internet will have source IPs of anything and your firewall will have to use it's default gateway which is not the router so traffic never gets routed back.

But how is the browsing working ie.if the firewall is using the other firewall as the default gateway then it must be going out via that and not the router.

Or have I misunderstood how it is setup ?

Jon

Sorry, you are probably correct in assuming that the default gateway on the firewall might be the issue. I have no way of knowing without changing the default gateway on the firewall itself to point to the new router which I am unable to do since the infrastructure is used 24\7.

I was guessing that the requests would be from the router itself on behalf of the public requests since I did not see any logs on the firewall itself that the webserver was being accessed(by router or the public ip I was using for a test{home computer}. Informational logs are enabled on the firewall. This is why I assumed it was the router again. I can check the huge syslog server to make sure again, i was checking the logs from ADSM and "term mon & debug ip nat" on the router

The browsing is fine just because i created another test network(only thing is missing is the actual natting of the internal networks). This test network was in the DMZ side in the 172.25.x.x

I will communicate with the manager that I have to schedule a downtime to do the switchover to make sure the firewall isnt the issue

Sorry if I havnt made it clear; too much information and I am trying to put only relevant info. I wanted to rule out any config errors on the router itself. I will update the forum when I can schedule a downtime to test this cutover

and yes it is a pain to schedule a downtime :)

thxs Jon

No need to apologise, I understand how it is.

An easy solution to this on a firewall would be to translate all source IPs ie.internet IPs to the inside interface IP and then the traffic has to go back to the firewall.

Unfortunately IOS only does overload inside to outside and won't do it the other way and has always been a bit of a pain.

But IOS does allow outside to inside dynamic NAT using a NAT pool if I remember correctly so if you knew your laptops public IP on the internet you may be able to run a test without needing an outage.

The order of IOS operations is different depending on which direction the traffic is going and this affects NAT but I already have a lab I was using for something else so if you think it's worthwhile I could run a quick test to see if it works and then at least you would know it isn't the NAT rules on the router.

If you do want to try can you just confirm that you don't need downtime if you needed to add a specific route to the firewall ie. nothing to do with the default route so it won't affect what you already have.

Up to you, let me know if you think it would be worthwhile doing.

Jon

I was thinking of entering

ip route 172.25.0.10 255.255.255.255 172.25.0.1 on the firewall to force it to go to the router

then i can just use the "no" at the beginning of the command to remove it after it is tested

Kinda of weary of doing it on a production appliance since I find ASA is sometimes finicky when you add and remove config lines and a reboot is needed to resolve the issue

Sorry, had to run to a meeting. I entered the route for the public ip on the firewall that points to the router but still no go.

The translation is occurring on the router but no access on public pc to web server.

On the router it shows:

"NAT: API parameters passed: src_addr:x.x.x.x, src-port:0 dest_addr:y.y.y.y, dest_port:0, proto:6 if_input:GigabitEthernet0/1 get_translated:1

" NAT:API Translated-Info(1): src_addr:x.x.x.x, src port(0) (dest_addr:172.25.0.10, dest-port:0)

There should be a want (80), got (80) on the router if the connection was successful

I also looked in the syslog's for the public ip i used to access the webserver but there is no entry

Good suggestion on your part Jon.

I think if there is any kind of traffic, it should show in the syslogs at the very least

Okay, I did a quick lab to test with the route map configuration you used and not surprisingly it worked fine so I don't think it is that unless your IOS version is behaving differently.

I also ran "debug ip nat detailed" and didn't see any want messages but again that is probably just IOS versions.

I did see the ports being translated properly though which you don't see to be.

Just a quick question, you say you have over 100  web servers and a /24 of public IPs so are some of the web servers listening on different ports and have you used port translations anywhere ie. your configuration above only shows one to one static mappings but you don't have 100 public IPs ?

Finally what does "sh ip nat translations" on the router show when you try to connect from the internet ?

Jon

The version on the router is 15.2(4)M3.

BUT, you made me think about the configuration again and look at other web servers. I was testing with 3 web servers which kept failing so i naturally assumed its the router or firewall and did not look beyond that.

I have tried some other servers and i am able to get to them just fine so I just happen to pick the only servers with some issue.

One last question, which might be the issue; i did have some route map's that have duplicate configuration since there are multiple websites hosted on that server and this webserver was one of them:

ip nat inside source static 172.25.0.30 A.B.C.K route-map Webserver1

route-map Webserver1 permit 5
 match interface GigabitEthernet0/1

so as you see the webserver1 has a static mapping to both 172.25.0.10 and 172.25.0.30 that reference the same route-map but they both have different public ip addresses. This could be the issue why i couldnt get to this webserver and i needed to create another route-map entry with a different name even though it is going to the same server.

If not, It is strange why these 2 servers would respond to the nat translated ip(172.25.x.x) from the firewall just fine and not from the outside world??