Solved

troubleshoot NAT

Posted on 2008-10-24
7
1,398 Views
Last Modified: 2012-05-05
I have a NAT rule setup on the firewall our ASA 5510 that doesn't seem to be working all of a sudden, but all other rules are. When my external users try to access the internal app server by going to the web address or IP address it just times out. Internally everyone can get to the server either by IP or by name so I know the server is up and working. My external users can get to OWA and other app servers by web address or IP, but just not this one that is having a problem.

Externally, I cannot ping this one server by web address or IP, but I can successfully ping all other app servers.  No configuration changes have been made on the firewall or on the server. I have already restarted the server and I am still not able to access it from outside the firewall.

Any help would be appreciated. Thanks!
0
Comment
Question by:saintboxer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22798238
So you are saying that it was working and now it is not?

What changes were made to the ASA configuration between the time it was working and now?
What changes were made to the server between the time it was working and now?

Could the servers inside address have changed and so the ASA box is NAT'ing the wrong internal address?

Can you post (cleaned up of course) all relevant ASA configuration information?
0
 

Author Comment

by:saintboxer
ID: 22798525
Yes, it was working yesterday and today it stopped working.

No configuration changes have been made on the firewall or on the server.

The internal IP has not changed. Internally I can access the server using the original IP.

I am a newbie to Cisco, so could you explain how to export the ASA configuration.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22798556
The easiest way to get the ASA configuration is to use tftp.  Setup a tftp server on your PC, then ssh to the ASA box, and issue the command:

    copy running tftp:

Then fill the required information as prompted.  Then you can use a text editor (write/wordpad/winword) to edit the file to just get the necessary parts.
0
Webinar May 25: Cloud Security Strategies for SMBs

Small and mid-sized businesses are a driving force behind cloud adoption, and it’s no wonder: cloud benefits are BIG.  But for all the convenience that moving to the cloud provides, where does security come into play?

 
LVL 7

Expert Comment

by:geergon
ID: 22805026
Hi! Sir!

Please post the configuration of the ASA, maybe the lines you think are involved.
My recommendation is to troubleshoot this thing with captures and the packet-tracer command.

I mean use an access list to specify the interesting traffic. Source to destination and destination to source.
Then bind this AC with a capture in Outside interface or inside, depends of what you want also you can capture one of the servers that works. Then you can see if the packets arrives.

Or maybe you can simulate a packet to see in what step the packet is dropped by the firewall. with packet-tracer command. It could be anything please add more details. NAT you are using, access lists, ...

Bye
0
 

Author Comment

by:saintboxer
ID: 22909763
We restarted the firewall and everything started working again. Not sure why it quit working in the first place.

Thanks for the comments
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22909986
My guess is that  somebody changed something and did not do a write.  So when you restarted the firewall the working config got reloaded.

Do you have anything that monitors and logs configuration changes and who made them?
0
 

Accepted Solution

by:
saintboxer earned 0 total points
ID: 23220281
No we do not monitor configuration changes.
I will consider this question closed.

Thanks for the comment.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question