
Cannot reach NAT'd server

Status
Not open for further replies.

stubnski

MIS
Nov 17, 2005
403
US
Hi all,
I hope someone can give me any ideas on what is happening. I hope I can explain it well enough for any of you to understand.

The problem is I cannot access a NATed server from the same subnet as the NAT.
ex - public IP address subnet - 200.200.200.1 /28
ASA 5520 version 8.0(3)(doing the nat) - 200.200.200.2
Nated server - 200.200.200.3
Test PC - 200.200.200.4

I can access the server from anywhere else in the world (at least in the US as I've tested it while on vacation) but for the life of me I am not able to figure out why I cannot access the NAT from the same subnet. I am using a test PC with an external address to do the testing.

I have no access list limiting IP ranges.

Any ideas anyone? Thank you for any help you can provide


Stubnski
 
So you are on the outside of the ASA on the same subnet as your external addresses? What is the default gateway of the PC you are using (what does its routing table look like)? Are you trying to use the public IP or the internal real IP of the server when you try to connect?

Post a scrubbed config (mask passwords and the middle 2 octets of public IPs)



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover -
Thanks for the reply and the help. To answer your questions -

>>So you are on the outside of the ASA on the same subnet as your external addresses?

Correct

>>What is the default gateway of the PC you are using (what does its routing table look like?)

Default gateway on the PC has been both the default gateway of the ASA (ISP router) and the ASA outside interface. I assume you mean the routing table of the ISP router. I have had them make a route for the NAT IP to the ASA's outside interface. When that made no difference I had them change it back to the way it was.

>>Are you trying to use the public IP or the internal real ip of the server when you try to connect?

Public, same URL I use when I access it from home or any other IP other than that one subnet.


Very scrubbed-down config -

There is no access list where I restrict an IP. I only restrict protocols.


ASA Version 8.0(3)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.200.200.2 255.255.255.240
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.38.121.48 255.255.255.0 standby 172.38.121.49
 ospf cost 10
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 10.40.40.41 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 75
 no ip address
 ospf cost 10
!
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
global (outside) 2 200.200.200.10 netmask 255.255.255.240 (internet access)
global (outside) 3 200.200.200.9 netmask 255.255.255.240 (DMZ access)
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 200.200.200.3 192.168.192.10 netmask 255.255.255.255
: end


Stubnski
 
If you can reach it from the internet but not attached to that subnet then it sounds like the DNS isn't resolving. Does the DNS resolve in a ping? Try it by the public IP and not the DNS name and see if that works. It looks like the config (from what you've posted) is ok.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I cannot get to it by IP or DNS. Ping resolves the DNS name. It's had me scratching my head for a while. I've had Cisco look at my ASA and they say it's configured correctly. The service tech unfortunately did not have any idea what could be causing this issue.


Stubnski
 
What do the logs say when you try to connect to it like that? Spin up the ASDM and watch it live when you try to connect to see what's going on.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Here is the log. It shows the connection being established.


Severity: 6
Date/Time: Oct 17 2008 13:51:22
Syslog ID: 302013
Source IP: 200.200.200.4
Destination IP: 192.168.192.10
Description: Built inbound TCP connection 4145035 for outside:200.200.200.4/1074 (200.200.200.4/1074) to inside:192.168.192.10/443 (200.200.200.3/443)


Stubnski
 
So are you getting guys on the box? Is the return traffic in the ASA log?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Sorry, "hits" on the internal server.


Brent
Systems Engineer / Consultant
CCNP, CCSP
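Brent's question (is the return traffic in the ASA log?) comes down to pairing each 302013 "Built" message with its 302014 "Teardown" message for the same connection id: a teardown with a byte count of zero and a reason such as a SYN timeout means the inside server never completed the handshake, while a non-zero byte count shows the session actually carried data. The script below is an added example, not code from this thread or from Cisco. It parses the `static` line from the posted config, reads a constructed syslog export (the thread's 302013 line plus invented follow-up lines), checks that the translation shown in each log line matches the configured static, flags clients that sit on the ASA's outside subnet (200.200.200.0/28 is assumed from the "200.200.200.1 /28" in the first post), and reports whether each connection completed. The 302014 message layout used in the regex is an assumption about the ASA 8.0 format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed from the thread: public /28 containing 200.200.200.1-14 (network 200.200.200.0/28).
OUTSIDE_NET = ipaddress.ip_network("200.200.200.0/28")

# Constructed sample config: the static from the posted config plus one invented DMZ static.
CONFIG = """
static (inside,outside) 200.200.200.3 192.168.192.10 netmask 255.255.255.255
static (DMZ,outside) 200.200.200.5 10.40.40.50 netmask 255.255.255.255
"""

# Constructed sample log export: the first line is the one posted in the thread;
# the teardown and the second client (203.0.113.7, a documentation address) are invented.
LOG = """
6 Oct 17 2008 13:51:22 302013 200.200.200.4 192.168.192.10 Built inbound TCP connection 4145035 for outside:200.200.200.4/1074 (200.200.200.4/1074) to inside:192.168.192.10/443 (200.200.200.3/443)
6 Oct 17 2008 13:51:52 302014 200.200.200.4 192.168.192.10 Teardown TCP connection 4145035 for outside:200.200.200.4/1074 to inside:192.168.192.10/443 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 17 2008 13:52:10 302013 203.0.113.7 192.168.192.10 Built inbound TCP connection 4145099 for outside:203.0.113.7/50211 (203.0.113.7/50211) to inside:192.168.192.10/443 (200.200.200.3/443)
6 Oct 17 2008 13:52:41 302014 203.0.113.7 192.168.192.10 Teardown TCP connection 4145099 for outside:203.0.113.7/50211 to inside:192.168.192.10/443 duration 0:00:31 bytes 18422 TCP FINs
"""

STATIC_RE = re.compile(
    r"^static \((?P<rif>\w+),(?P<mif>\w+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask (?P<mask>[\d.]+)"
)
# 302013: "... for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)"
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sreal>[\d.]+)/(?P<sport>\d+) \((?P<smap>[\d.]+)/\d+\) to "
    r"(?P<dif>\w+):(?P<dreal>[\d.]+)/(?P<dport>\d+) \((?P<dmap>[\d.]+)/\d+\)"
)
# 302014 (assumed layout): "... duration h:mm:ss bytes <n> [reason]"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)


@dataclass
class Conn:
    conn_id: str
    client: str
    client_if: str
    real_dst: str      # address the ASA forwarded to (after untranslation)
    mapped_dst: str    # address the client actually connected to
    dst_if: str
    dst_port: int
    nbytes: Optional[int] = None   # filled from the matching 302014, if any
    reason: Optional[str] = None


def parse_statics(config: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each static's mapped (public) address to (real address, real_if, mapped_if)."""
    statics: Dict[str, Tuple[str, str, str]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m["mapped"]] = (m["real"], m["rif"], m["mif"])
    return statics


def parse_log(log: str) -> Dict[str, Conn]:
    """Pair 302013 'Built' lines with their 302014 'Teardown' by connection id."""
    conns: Dict[str, Conn] = {}
    for line in log.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = Conn(m["id"], m["sreal"], m["sif"], m["dreal"],
                                  m["dmap"], m["dif"], int(m["dport"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].nbytes = int(m["nbytes"])
            conns[m["id"]].reason = m["reason"]
    return conns


def assess(conns: Dict[str, Conn], statics: Dict[str, Tuple[str, str, str]]) -> Dict[str, dict]:
    """Per connection: does the log's translation match a static, and did data flow?"""
    report: Dict[str, dict] = {}
    for cid, c in conns.items():
        expected = statics.get(c.mapped_dst)
        report[cid] = {
            "client": c.client,
            "same_subnet_client": ipaddress.ip_address(c.client) in OUTSIDE_NET,
            "static_ok": expected is not None and expected[0] == c.real_dst and expected[1] == c.dst_if,
            "completed": c.nbytes is not None and c.nbytes > 0,
            "reason": c.reason,
        }
    return report


def assess_log(log: str = LOG, config: str = CONFIG) -> Dict[str, dict]:
    return assess(parse_log(log), parse_statics(config))


if __name__ == "__main__":
    for cid, r in assess_log().items():
        print(cid, r)
```

Run against a real ASDM or syslog export, a "Built" line with no teardown at all means the session was still open (or the export was cut short); a teardown with zero bytes tells you the ASA forwarded the SYN but nothing came back, which points at the server or the return path rather than at the static itself. The `same_subnet_client` flag isolates exactly the case the thread is about, so the two populations can be compared side by side.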
 
That is the one thing I cannot confirm with my own eyes. The server is a vendor-controlled box. I've been told that it is set up correctly and that there is nothing blocking IPs. I was also told that if there was something misconfigured then it wouldn't work at all.


Stubnski
 
Ok, get a box that you've set up and give it that IP and see what happens (unplug the vendor box from the network). That way you can see what's happening. Try Wireshark or another sniffer on that box to see exactly what's going on.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 