Solved

troubleshoot NAT

Posted on 2008-10-24
7
1,393 Views
Last Modified: 2012-05-05
I have a NAT rule setup on the firewall our ASA 5510 that doesn't seem to be working all of a sudden, but all other rules are. When my external users try to access the internal app server by going to the web address or IP address it just times out. Internally everyone can get to the server either by IP or by name so I know the server is up and working. My external users can get to OWA and other app servers by web address or IP, but just not this one that is having a problem.

Externally, I cannot ping this one server by web address or IP, but I can successfully ping all other app servers.  No configuration changes have been made on the firewall or on the server. I have already restarted the server and I am still not able to access it from outside the firewall.

Any help would be appreciated. Thanks!
0
Comment
Question by:saintboxer
  • 3
  • 3
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22798238
So you are saying that it was working and now it is not?

What changes were made to the ASA configuration between the time it was working and now?
What changes were made to the server between the time it was working and now?

Could the servers inside address have changed and so the ASA box is NAT'ing the wrong internal address?

Can you post (cleaned up of course) all relevant ASA configuration information?
0
 

Author Comment

by:saintboxer
ID: 22798525
Yes, it was working yesterday and today it stopped working.

No configuration changes have been made on the firewall or on the server.

The internal IP has not changed. Internally I can access the server using the original IP.

I am a newbie to Cisco, so could you explain how to export the ASA configuration.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22798556
The easiest way to get the ASA configuration is to use tftp.  Setup a tftp server on your PC, then ssh to the ASA box, and issue the command:

    copy running tftp:

Then fill the required information as prompted.  Then you can use a text editor (write/wordpad/winword) to edit the file to just get the necessary parts.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 7

Expert Comment

by:geergon
ID: 22805026
Hi! Sir!

Please post the configuration of the ASA, maybe the lines you think are involved.
My recommendation is to troubleshoot this thing with captures and the packet-tracer command.

I mean use an access list to specify the interesting traffic. Source to destination and destination to source.
Then bind this AC with a capture in Outside interface or inside, depends of what you want also you can capture one of the servers that works. Then you can see if the packets arrives.

Or maybe you can simulate a packet to see in what step the packet is dropped by the firewall. with packet-tracer command. It could be anything please add more details. NAT you are using, access lists, ...

Bye
0
 

Author Comment

by:saintboxer
ID: 22909763
We restarted the firewall and everything started working again. Not sure why it quit working in the first place.

Thanks for the comments
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22909986
My guess is that  somebody changed something and did not do a write.  So when you restarted the firewall the working config got reloaded.

Do you have anything that monitors and logs configuration changes and who made them?
0
 

Accepted Solution

by:
saintboxer earned 0 total points
ID: 23220281
No we do not monitor configuration changes.
I will consider this question closed.

Thanks for the comment.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Single host traffic only allowed through ASA--strange. 4 42
BGP Code 12 42
Cisco Router / Switch - NAT 10 37
CISCO ATA 190 using PRI DID number 6 25
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now