Solved

troubleshoot NAT

Posted on 2008-10-24
7
1,392 Views
Last Modified: 2012-05-05
I have a NAT rule setup on the firewall our ASA 5510 that doesn't seem to be working all of a sudden, but all other rules are. When my external users try to access the internal app server by going to the web address or IP address it just times out. Internally everyone can get to the server either by IP or by name so I know the server is up and working. My external users can get to OWA and other app servers by web address or IP, but just not this one that is having a problem.

Externally, I cannot ping this one server by web address or IP, but I can successfully ping all other app servers.  No configuration changes have been made on the firewall or on the server. I have already restarted the server and I am still not able to access it from outside the firewall.

Any help would be appreciated. Thanks!
0
Comment
Question by:saintboxer
  • 3
  • 3
7 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 22798238
So you are saying that it was working and now it is not?

What changes were made to the ASA configuration between the time it was working and now?
What changes were made to the server between the time it was working and now?

Could the servers inside address have changed and so the ASA box is NAT'ing the wrong internal address?

Can you post (cleaned up of course) all relevant ASA configuration information?
0
 

Author Comment

by:saintboxer
ID: 22798525
Yes, it was working yesterday and today it stopped working.

No configuration changes have been made on the firewall or on the server.

The internal IP has not changed. Internally I can access the server using the original IP.

I am a newbie to Cisco, so could you explain how to export the ASA configuration.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22798556
The easiest way to get the ASA configuration is to use tftp.  Setup a tftp server on your PC, then ssh to the ASA box, and issue the command:

    copy running tftp:

Then fill the required information as prompted.  Then you can use a text editor (write/wordpad/winword) to edit the file to just get the necessary parts.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 7

Expert Comment

by:geergon
ID: 22805026
Hi! Sir!

Please post the configuration of the ASA, maybe the lines you think are involved.
My recommendation is to troubleshoot this thing with captures and the packet-tracer command.

I mean use an access list to specify the interesting traffic. Source to destination and destination to source.
Then bind this AC with a capture in Outside interface or inside, depends of what you want also you can capture one of the servers that works. Then you can see if the packets arrives.

Or maybe you can simulate a packet to see in what step the packet is dropped by the firewall. with packet-tracer command. It could be anything please add more details. NAT you are using, access lists, ...

Bye
0
 

Author Comment

by:saintboxer
ID: 22909763
We restarted the firewall and everything started working again. Not sure why it quit working in the first place.

Thanks for the comments
0
 
LVL 57

Expert Comment

by:giltjr
ID: 22909986
My guess is that  somebody changed something and did not do a write.  So when you restarted the firewall the working config got reloaded.

Do you have anything that monitors and logs configuration changes and who made them?
0
 

Accepted Solution

by:
saintboxer earned 0 total points
ID: 23220281
No we do not monitor configuration changes.
I will consider this question closed.

Thanks for the comment.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now