Solved

troubleshoot NAT

Posted on 2008-10-24
7
1,397 Views
Last Modified: 2012-05-05
I have a NAT rule setup on the firewall our ASA 5510 that doesn't seem to be working all of a sudden, but all other rules are. When my external users try to access the internal app server by going to the web address or IP address it just times out. Internally everyone can get to the server either by IP or by name so I know the server is up and working. My external users can get to OWA and other app servers by web address or IP, but just not this one that is having a problem.

Externally, I cannot ping this one server by web address or IP, but I can successfully ping all other app servers.  No configuration changes have been made on the firewall or on the server. I have already restarted the server and I am still not able to access it from outside the firewall.

Any help would be appreciated. Thanks!
0
Comment
Question by:saintboxer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22798238
So you are saying that it was working and now it is not?

What changes were made to the ASA configuration between the time it was working and now?
What changes were made to the server between the time it was working and now?

Could the servers inside address have changed and so the ASA box is NAT'ing the wrong internal address?

Can you post (cleaned up of course) all relevant ASA configuration information?
0
 

Author Comment

by:saintboxer
ID: 22798525
Yes, it was working yesterday and today it stopped working.

No configuration changes have been made on the firewall or on the server.

The internal IP has not changed. Internally I can access the server using the original IP.

I am a newbie to Cisco, so could you explain how to export the ASA configuration.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22798556
The easiest way to get the ASA configuration is to use tftp.  Setup a tftp server on your PC, then ssh to the ASA box, and issue the command:

    copy running tftp:

Then fill the required information as prompted.  Then you can use a text editor (write/wordpad/winword) to edit the file to just get the necessary parts.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 7

Expert Comment

by:geergon
ID: 22805026
Hi! Sir!

Please post the configuration of the ASA, maybe the lines you think are involved.
My recommendation is to troubleshoot this thing with captures and the packet-tracer command.

I mean use an access list to specify the interesting traffic. Source to destination and destination to source.
Then bind this AC with a capture in Outside interface or inside, depends of what you want also you can capture one of the servers that works. Then you can see if the packets arrives.

Or maybe you can simulate a packet to see in what step the packet is dropped by the firewall. with packet-tracer command. It could be anything please add more details. NAT you are using, access lists, ...

Bye
0
 

Author Comment

by:saintboxer
ID: 22909763
We restarted the firewall and everything started working again. Not sure why it quit working in the first place.

Thanks for the comments
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22909986
My guess is that  somebody changed something and did not do a write.  So when you restarted the firewall the working config got reloaded.

Do you have anything that monitors and logs configuration changes and who made them?
0
 

Accepted Solution

by:
saintboxer earned 0 total points
ID: 23220281
No we do not monitor configuration changes.
I will consider this question closed.

Thanks for the comment.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SSG50 Firewall Rules 17 44
Password recovery 2960S 4 35
Turning Verizon Fios Router into a Bridge? 28 61
Check Spoof email 6 28
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question