troubleshoot NAT

I have a NAT rule setup on the firewall our ASA 5510 that doesn't seem to be working all of a sudden, but all other rules are. When my external users try to access the internal app server by going to the web address or IP address it just times out. Internally everyone can get to the server either by IP or by name so I know the server is up and working. My external users can get to OWA and other app servers by web address or IP, but just not this one that is having a problem.

Externally, I cannot ping this one server by web address or IP, but I can successfully ping all other app servers.  No configuration changes have been made on the firewall or on the server. I have already restarted the server and I am still not able to access it from outside the firewall.

Any help would be appreciated. Thanks!
saintboxerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

giltjrCommented:
So you are saying that it was working and now it is not?

What changes were made to the ASA configuration between the time it was working and now?
What changes were made to the server between the time it was working and now?

Could the servers inside address have changed and so the ASA box is NAT'ing the wrong internal address?

Can you post (cleaned up of course) all relevant ASA configuration information?
0
saintboxerAuthor Commented:
Yes, it was working yesterday and today it stopped working.

No configuration changes have been made on the firewall or on the server.

The internal IP has not changed. Internally I can access the server using the original IP.

I am a newbie to Cisco, so could you explain how to export the ASA configuration.
0
giltjrCommented:
The easiest way to get the ASA configuration is to use tftp.  Setup a tftp server on your PC, then ssh to the ASA box, and issue the command:

    copy running tftp:

Then fill the required information as prompted.  Then you can use a text editor (write/wordpad/winword) to edit the file to just get the necessary parts.
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

geergonCommented:
Hi! Sir!

Please post the configuration of the ASA, maybe the lines you think are involved.
My recommendation is to troubleshoot this thing with captures and the packet-tracer command.

I mean use an access list to specify the interesting traffic. Source to destination and destination to source.
Then bind this AC with a capture in Outside interface or inside, depends of what you want also you can capture one of the servers that works. Then you can see if the packets arrives.

Or maybe you can simulate a packet to see in what step the packet is dropped by the firewall. with packet-tracer command. It could be anything please add more details. NAT you are using, access lists, ...

Bye
0
saintboxerAuthor Commented:
We restarted the firewall and everything started working again. Not sure why it quit working in the first place.

Thanks for the comments
0
giltjrCommented:
My guess is that  somebody changed something and did not do a write.  So when you restarted the firewall the working config got reloaded.

Do you have anything that monitors and logs configuration changes and who made them?
0
saintboxerAuthor Commented:
No we do not monitor configuration changes.
I will consider this question closed.

Thanks for the comment.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.