Static NAT issues on ASA 8.4(2)

I am trying to set up a static NAT for a new server that will be providing HTTPS services. I'm not really an ASA guy, but it seems pretty straightforward, and even after running the packet tracer everything shows like it should be working. However, when I try to access the server externally it doesn't respond. Also, interestingly, the server itself is unable to access the Internet when the NAT statements are present. I can see the hit lists show access on the ACL as well.

I'm not sure if there is something strange going on because the ASA inside network is actually being routed to from a core 3750X switch stack that the server itself is addressed/connected to? If so, I'm not sure how to correct it. I did check routes and 0.0.0.0 on that core stack is routed to the inside IP of the ASA. The core switch and ASA are directly connected on a separate VLAN.

Any help is appreciated.

Here are the details. I also tried creating and recreating numerous times with different options. (Server in question: public IP 1.x.x.154, private IP 10.x.x.43)

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.x.x.148 255.255.255.240 standby 1.x.x.156

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.x.x.1 255.255.255.0 standby 172.x.x.2

interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.x.x.1 255.255.255.0 standby 192.x.x.2

object network new-server
 host 10.x.x.43

access-list inside_in extended permit ip object new-server any

access-list outside_in extended permit tcp any object new-server eq https

object network new-server
 nat (inside,outside) static 1.x.x.154 dns

Packet tracer test:

Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 1.x.x.154 https"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network new-server
 nat (inside,outside) static 1.x.x.154 dns
Additional Information:
NAT divert to egress interface inside
Untranslate 1.x.x.154/443 to 10.x.x.43/443

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any object new-server eq https
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network new-server
 nat (inside,outside) static 1.x.x.154 dns
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 129372750, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Asked by: Innovativeii

Rafael Commented:
What does your debug log show? Did you use the wizard to set up the NAT, and is the NATted IP address in your objects?
1
Pete Long (Technical Consultant) Commented:
Your static looks fine.

I'm assuming the firewall can ping the web server on 10.x.x.43?
And the web server's default gateway is the 3750-X?
And the 3750-X default route is pointing to the ASA on 172.x.x.1?


Pete
1
Innovativeii (Author) Commented:
Rafael, yes, the NATted IP is in the object. I didn't use the wizard to set up the NAT. I've not used the debug log before so I'm not sure on that part.

Pete Long,

Yes, the firewall can ping the web server, and vice versa. The web server's default gateway is the 3750-X, and that switch stack's route for 0.0.0.0 is the ASA on the 172 address. The 3750-X has a VLAN interface in that same 172 network.
0
Innovativeii (Author) Commented:
Hi guys, I found out the cause of my issue was these guys had an external device outside the firewall utilizing the IP I was using! All is working as expected now.
0

Innovativeii (Author) Commented:
External device was using the IP address referenced in the NAT.
0
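
Added example, not part of the original thread: packet-tracer only simulates the ASA's own processing, so it cannot show that another host on the outside segment is answering ARP for the mapped address. The script below compares the upstream router's ARP table with the ASA's outside MAC for every statically mapped address; the addresses, MACs and config fragment are constructed samples, and the upstream device is assumed to print IOS-style `show arp` output.

```python
import re

# Constructed samples (documentation addresses, made-up MACs); not from the thread.
ASA_CONFIG = """\
object network new-server
 host 10.0.0.43
 nat (inside,outside) static 203.0.113.154 dns
object network mail-server
 host 10.0.0.44
 nat (inside,outside) static 203.0.113.155
"""
# "show arp" as seen on the upstream IOS router that shares the outside segment.
UPSTREAM_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.148          12   0021.a0aa.0001  ARPA   GigabitEthernet0/1
Internet  203.0.113.154           3   001b.7844.9c3e  ARPA   GigabitEthernet0/1
Internet  203.0.113.155           7   0021.A0AA.0001  ARPA   GigabitEthernet0/1
"""
ASA_OUTSIDE_MAC = "0021.a0aa.0001"  # outside interface MAC of the active unit

def norm_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def mapped_addresses(config, mapped_if="outside"):
    """Return {object name: mapped IP} for object static NAT with a literal IP."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+nat \(([^,]+),([^)]+)\) static (\d+\.\d+\.\d+\.\d+)\b", line)
        if m and current and m.group(2) == mapped_if:
            result[current] = m.group(3)
    return result

def parse_ios_arp(text):
    """Return {IP: normalized MAC} from IOS 'show arp' output."""
    rows = re.findall(r"^Internet\s+(\S+)\s+\S+\s+([0-9A-Fa-f.]+)\s+ARPA", text, re.M)
    return {ip: norm_mac(mac) for ip, mac in rows}

def find_conflicts(config, arp_text, asa_mac):
    """List (object, mapped IP, owner MAC) where upstream ARP points away from the ASA."""
    arp = parse_ios_arp(arp_text)
    return [(name, ip, arp[ip]) for name, ip in mapped_addresses(config).items()
            if ip in arp and arp[ip] != norm_mac(asa_mac)]

if __name__ == "__main__":
    for name, ip, mac in find_conflicts(ASA_CONFIG, UPSTREAM_ARP, ASA_OUTSIDE_MAC):
        print(f"{name}: {ip} is answered by {mac}, not the ASA")
```

A mapped address that resolves upstream to a MAC other than the ASA's means traffic for it never reaches the firewall, which matches the symptom in this thread where packet-tracer reported ALLOW throughout.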