asymmetric NAT problems

Hello

I have problems getting into the other networks off the interfaces of the ASA. I can VPN in and access anything whatsoever on the inside interface and beyond in the core. When I try to access a DMZ server hanging off the ASA I get asymmetric NAT errors. The client VPN is assigned an address in 10.112.15.x.

Can anyone help?

I enclose some of the config.

show ip address:

GigabitEthernet0/0 outside x.x.x.x 255.255.255.0 CONFIG
GigabitEthernet0/1 inside 10.112.2.250 255.255.255.0 CONFIG
GigabitEthernet0/2.610 DMZ_External 10.112.7.254 255.255.255.0 CONFIG
GigabitEthernet0/2.620 DMZ_Internal 10.112.6.254 255.255.255.0 CONFIG
GigabitEthernet0/2.640 DMZ_Mgmt 10.112.10.254 255.255.255.0 CONFIG

Configuration items:

access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.7.0 255.255.255.0
access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.10.0 255.255.255.0
access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.6.0 255.255.255.0
access-list sheep extended permit ip 10.112.0.0 255.240.0.0 10.112.15.0 255.255.255.0

nat-control
global (outside) 1 interface

nat (inside) 0 access-list sheep
nat (inside) 1 10.112.0.0 255.240.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.112.0.0 255.240.0.0 10.112.2.254 1

Guidance on what I'm doing wrong?

Thank you.

Hello

The reason is that you don't have a NAT exemption (nat 0) rule for the DMZ traffic.

access-list dmz_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0

nat (DMZ_Internal) 0 access-list dmz_nonat

This should solve your problem.

Kind regards

NT
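Below is the complete exemption set for all three DMZ interfaces, with the check that confirms the reverse path, as an added example rather than the configuration posted in this thread. Interface names and subnets are the ones from the question; it assumes the client pool is the whole 10.112.15.0/24, and the ACL names and the two hosts in the packet-tracer line are constructed for illustration.

```cisco
! Added example, not the thread's configuration. Interface names and
! subnets come from the question; the pool is assumed to be all of
! 10.112.15.0/24; ACL names and sample hosts are constructed.
!
! The existing "nat (inside) 0 access-list sheep" only exempts traffic
! entering on inside. A DMZ server's reply to a VPN client enters on its
! own DMZ interface, so each DMZ interface needs its own nat 0 rule, or
! the reverse flow matches a different rule than the forward flow did,
! which is what %ASA-5-305013 (asymmetric NAT) reports.
access-list DMZ_Internal_nonat extended permit ip 10.112.6.0 255.255.255.0 10.112.15.0 255.255.255.0
access-list DMZ_Mgmt_nonat extended permit ip 10.112.10.0 255.255.255.0 10.112.15.0 255.255.255.0
access-list DMZ_External_nonat extended permit ip 10.112.7.0 255.255.255.0 10.112.15.0 255.255.255.0
!
nat (DMZ_Internal) 0 access-list DMZ_Internal_nonat
nat (DMZ_Mgmt) 0 access-list DMZ_Mgmt_nonat
nat (DMZ_External) 0 access-list DMZ_External_nonat
!
! Check the reverse path rather than assuming it: trace a reply from a
! DMZ server (constructed host 10.112.6.10) toward a client address
! (constructed 10.112.15.5). The NAT phase should name
! DMZ_Internal_nonat and the final result should be ALLOW.
packet-tracer input DMZ_Internal icmp 10.112.6.10 0 0 10.112.15.5
!
! The exemption ACL should show hits once clients talk to the DMZ;
! zero hits after traffic means some other rule is being matched.
show access-list DMZ_Internal_nonat
```

The ACL-based exemption is evaluated per ingress interface, which is why one rule on inside does nothing for servers that answer from a DMZ interface; the packet-tracer line is the quickest way to see which rule the reply actually hits.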

Tags: Cisco Security

Similar Questions

  • asymmetric NAT failure

    I am having a problem with an asymmetric NAT rule between the DMZ and VPN clients on an 8.2(5) ASA. We used to have two ASAs, one for the VPN client and one for the main firewall. In the old configuration the VPN client ASA routed CVPN traffic through the network to the main firewall, so it could be filtered via a content engine. As you guess, split tunneling is disabled in the old and new configs. I recently combined these two into an HA pair, terminated the VPN client on the cluster with the main firewall and used the "route inside 0.0.0.0 0.0.0.0 10.100.18.1 tunneled" command (core router) so that traffic would be routed through the core so it can be filtered using the internet on C-VPN. NAT 0 and rules are passed on fine. Everything else works fine: access to inside resources and internet connectivity.

    March 25, 2012 20:06:23: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.120.29 dst DMZ:10.100.150.105 (type 8, code 0) denied due to NAT reverse path failure

    routes:

    route outside 10.100.120.0 255.255.255.0 INTERNET-RTR-GATEWAY

    route inside 0.0.0.0 0.0.0.0 10.100.18.1 tunneled

    route outside 0.0.0.0 0.0.0.0 INTERNET-RTR-GATEWAY

    route inside 10.0.0.0 255.0.0.0 10.100.18.1

    Since it is tunneled, should I move 10.100.120.0 to inside?

    The strange thing is that internet traffic is not dropped due to the NAT failure.

    Reverse path check is disabled on all interfaces.

    Hello

    You can apply ACLs for VPN Client traffic directly on the ASA and don't need to run it through the network for this. Or did I get something wrong?

    The easiest way would be just to have the default route pointing to the outside. When adding "set reverse-route" to the "crypto map" configuration, the ASA would then also inject a route for the VPN client address pool into the ASA routing table when a user is logged on to the ASA via the VPN.

    If you need to do NAT for Internet access you can always do it like this:

    "nat (outside) 1 x.x.x.x y.y.y.y"

    Also, you can apply a filter ACL to your VPN Client connections in order to limit the kind of connections they can make. For example, allow DNS and HTTP/HTTPS freely, but block access to a part of your internal network.

    -Jouni

  • Vuze download is very slow... It pointed out that I have a NAT problem

    NAT problem?

    Vuze download is very slow... It pointed out that I have a NAT problem... Help please?

    Hello

    • What browser do you use to access the internet?

    • What is the full error message that you receive?

    • Is it only when you download on Vuze?

    I suggest that you temporarily disable the antivirus software and firewall installed on your computer and check to see if it helps:

    Disable the anti-virus software

    http://Windows.Microsoft.com/en-us/Windows-Vista/disable-antivirus-software

    Enable or disable Windows Firewall
     http://Windows.Microsoft.com/en-us/Windows-Vista/turn-Windows-Firewall-on-or-off

    Note: disabling anti-virus or Windows Firewall can make your computer (and your network, if you have one) more vulnerable to damage caused by worms or hackers.

    You can also post your query on the Vuze forum to get help:

    http://Forum.Vuze.com/index.jspa

  • Asymmetric NAT rules

    I am trying to configure another IPsec VPN group and policy. So far, I can communicate with it, and I can ping the ASA 5505, but nothing else inside. The funny thing is that I have another group and policy configuration that works very well. I tried to imitate it, but I can't understand what I'm doing wrong. I get this error in the log:

    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.

    A network diagram is attached.  Thanks for your help.

    Andy,

    Yes, 8.3 makes a difference.

    Well, I can suggest a few ways out of it.

    And that's what you need to add... the kind of NAT exemption previous versions provided:

    nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

    Edit: fixed IP addresses. If 10.4.70.0/24 is local and 10.4.71.0 is remote, you need to add an exemption here.

  • %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection denied due to NAT reverse path failure. VPN client NAT problems after upgrading to 8.3.2.

    I've recently upgraded to 8.3.2 and I was informed of the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the VPN network 192.168.100.0 communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping inside and DMZ hosts, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two previously mentioned networks as secured routes, but still no ping.

    # sh nat

    Manual NAT Policies (Section 1)
    1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0   destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
        translate_hits = 0, untranslate_hits = 0

    Auto NAT Policies (Section 2)
    1 (dmz) to (outside) source static obj-172.16.9.5 interface   service tcp www www
        translate_hits = 0, untranslate_hits = 142
    2 (dmz) to (outside) source static obj-172.16.9.5-01 interface   service tcp 3389 3389
        translate_hits = 0, untranslate_hits = 2
    3 (dmz) to (outside) source static obj-172.16.9.5-02 interface   service tcp ldap ldap
        translate_hits = 0, untranslate_hits = 0
    4 (dmz) to (outside) source static obj-172.16.9.5-03 interface   service tcp ftp ftp
        translate_hits = 0, untranslate_hits = 0
    5 (dmz) to (outside) source static obj-172.16.9.5-04 interface   service tcp smtp smtp
        translate_hits = 0, untranslate_hits = 267
    6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
        translate_hits = 4070, untranslate_hits = 224
    7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
        translate_hits = 0, untranslate_hits = 0
    8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
        translate_hits = 152, untranslate_hits = 4082
    9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
        translate_hits = 69, untranslate_hits = 0
    10 (inside) to (outside) source dynamic obj_any interface
        translate_hits = 196, untranslate_hits = 32

    I think you need the following two NAT configs:

    nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
    nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

    Please configure them, remove any additional NAT configuration and then try again.
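The 8.3+ identity ("twice") NAT for a VPN pool, written out for the networks in this post (inside 172.16.1.0/24, dmz 172.16.9.0/24, pool 192.168.100.0/24), as an added example rather than the poster's or the replier's configuration. The same pattern is what the "Asymmetric NAT rules" thread above needs for 10.4.70.0/24 and 10.4.71.0/24. Object names and the hosts in the verification lines are my own.

```cisco
! Added example, not the poster's configuration. Networks are the ones
! from this post (inside 172.16.1.0/24, dmz 172.16.9.0/24, VPN pool
! 192.168.100.0/24); object names and sample hosts are constructed.
object network INSIDE_NET
 subnet 172.16.1.0 255.255.255.0
object network DMZ_NET
 subnet 172.16.9.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.100.0 255.255.255.0
!
! One identity rule per interface the clients must reach, numbered so
! they sit at the top of Section 1 and are evaluated before the PAT
! rules. Source and destination both translate to themselves, which is
! what "nat (x) 0 access-list" did before 8.3. No "unidirectional": that
! keyword stops the destination side (here, the pool) from initiating
! connections, which is exactly what a VPN client does; the Section 1
! rules posted above carry it and show translate_hits = 0.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL
nat (dmz,outside) 2 source static DMZ_NET DMZ_NET destination static VPN_POOL VPN_POOL
!
! Verify: the new rules should accumulate hits, and a trace of a DMZ
! server's reply (constructed host 172.16.9.5) to a client (constructed
! 192.168.100.7) should end in ALLOW with these rules in the NAT phase.
show nat detail
packet-tracer input dmz icmp 172.16.9.5 0 0 192.168.100.7
```

Ordering matters in Section 1: the rule list is evaluated top down, so a broad dynamic PAT rule placed above these would still win for the VPN pool traffic and reproduce the asymmetric NAT message.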

  • Open with a Xbox NAT problems.

    When I got my 1900ac I used Media Prioritization to get NAT open for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed my cable/net operator to Nextech in KS. This company uses the 1900ac to connect its system to all its customers (since I already had one they use mine). Unfortunately, I am unable to get an open NAT in this game. I tried almost everything: port forwarding, triggering, media prioritization. NexTech support & Xbox Live support, useless. I tried Portforward.com, nothing. Redirecting port 53 breaks the connection to the network & making the static IP address change for the Xbox has not helped. Almost everything I looked at seems obsolete & I am at my wits' end. It would seem by now Linksys should have solutions available; any ideas?

    Chin_pamz13, thank you very much for your answer. I tried to check if my modem had a public or private IP address, but I don't know how to do this; I read about double NAT elsewhere. Nevertheless, I think I finally found a solution that seems to work so far. I went to the website tech-recipes.com & found an article, 'Xbox One open NAT' by Aaron St. Clair. I tried his first suggestion regarding port forwarding, with additional ports I hadn't seen before. That did not work for me, so I followed his instructions to put the Xbox in the DMZ & it works! I think that my problems from before were the result of badly configuring the static IP address for my router & Xbox. The previous instructions had me change the IP in the console and the router. Aaron says not to do it in the Xbox; leave the router to do the work it's supposed to do & make sure the console settings are on automatic. In the router DMZ page, I wasn't sure how to proceed, but at the bottom is a section called DHCP reservations list; I clicked on this, saw XboxOne, clicked on that & it filled in the MAC address at the top for me. Then I went to the Xbox network settings, advanced, & set "automatic" for the IP address, subnet and DNS. I checked the multiplayer connection, did the "hold bumper & trigger buttons" & finally got an open NAT; pulled up CoD Advanced Warfare & also got open NAT there. I could have screwed up when I did the port triggering, but given the difficulty, since the DMZ seems to work I'll leave things alone. Hope this helps anyone else having open NAT problems.

  • E1000 2.1 and the xbox live NAT problem (I read all the others)

    So like everyone, I'm having trouble with Xbox Live and NAT, but I feel my DNS situation is unique, so my solution is perhaps just as unique. Help, please.

    Modem-> Router (e1000)-> port 1 (wired): xbox, wireless: mac computer

    Configuration: Auto DHCP

    MTU: tried 1365 and 1452, currently on 1452

    UPnP: off

    NAT: on

    Port Range Forwarding - (tried Cisco and Xbox recommendations, tried individual ports versus this range, currently at)

    (looked into port triggering, but as I have 2 devices, if I leave a range of ports open, I want it to match the Xbox)

    Application: xbox

    Start port: 53

    End port: 3074

    Protocol: both

    IP address: 192.168.1.20

    Xbox is set to:

    IP: 192.168.1.20

    Subnet mask: 255.255.255.0

    Gateway: 192.168.1.1

    DNS: automatic

    only reading 1 DNS (see notes)

    Notes:

    router range is 100-149, so DHCP should not be a problem (I guess) if the Xbox IP is put out of range ([192.168.1.20] being 20)

    In the status tab in the router, it gives me only one DNS. When I look at the modem online, it gives 2 different DNS.

    Each time I try, everything works one turn at a time: the computer always connects, Xbox Live still connects, but it still has the NAT problem.

    I don't think it's a matter of double NAT, because when I look at the stats of my modem there is nowhere to configure ports (the modem seems to have only 1 Ethernet port)

    Also, I noticed that the MTU of my modem is 1500 (I changed the MTU on the router, but not the MTU of my modem [it only allows me to change the MTU of my modem])

    Help, please. I've been dealing with this and trying different combinations of ports and options for 4-5 hours now. I'm starting to crack :S :).

    Well, I found my own solution. I looked at all options as to what could be easiest for the components to deal with. Here's what worked:

    Computer:

    Configuration: Auto DHCP

    MTU: 1452

    UPnP: on

    NAT: on

    DMZ:

    Source: 192.168.1.100 to 100

    Destination: 192.168.1.1

    Xbox:

    I could leave it on auto DHCP because of the MAC address reservation, but it looks like this:

    IP:192.168.1.100

    Subnet mask: 255.255.255.0

    Gateway: 192.168.1.1

    DNS: automatic

    Combined with a DHCP reservation [via the MAC address (for the safety of the DMZ)] all of it worked. With a DMZ, I didn't have to worry about which ports were correct. It was just messy because I had 2 devices connected and could not choose a single static IP address. So the example IP ending in (20) was not in the router's default range of 50 numbers. Pay attention to your range of IP addresses in the router settings.

    * Make sure that your DMZ is on only a single IP address or a partition of IP addresses, and you have DHCP reservations for these IP addresses. * You can find the MAC address of the Xbox by going to Network > Configure network > Additional settings > Advanced settings; do not choose 'alternate address', you should see it below. *

  • NAT problem

    Hi Experts,

    One of my offices has a Cisco ASA 5510 with OS 8.4(5). Everything is configured and works very well except the static NAT. I have a public IP block I used to set up static NAT. The internal server that is configured with the static NAT does not get internet or anything. When I remove the static NAT, the internet works (with the WAN interface IP). The server is placed in the DMZ. I left the server as is but it does not work.

    Kind regards

    MARTIN

    Hello

    In your case the static NAT configuration format for the server would be

    object network <name>
     host <server-ip>
     nat (DMZ,outside) static <public-ip> dns

    This would bind the local IP address to the public IP configured in the "nat" command. This means that outgoing connections would also use this public IP address. If you already had a similar static PAT configuration then you wouldn't really need that UNLESS you change the mapped/local port in the "nat" command.

    But setting up static NAT would mean that it overrides the dynamic PAT for outbound connections from this server. Naturally, there is a small chance, depending on your complete current NAT configuration, that even this static NAT can be overridden, but I doubt it. If the above "packet-tracer" is intended for the DMZ server in question then there should be no problem.

    -Jouni

  • NAT problem? Large amount of NAT translations.

    I have a client with a particular site who complains constantly about performance.

    They have an 871 at the remote location with 4 IPsec tunnels, built over WAN connections to their provider hosting the database and software.

    There are about 50 people who work at this location, but I see 3410 current translations with a peak of 14703. I don't see how that's possible with only 50 people and am starting to lean towards the NAT config as the cause of the poor performance that users encounter.

    Auffen_Washington#show ip nat statistics
    Total active translations: 3410 (0 static, 3410 dynamic; 3410 extended)
    Peak translations: 14703, occurred 2d05h ago
    Outside interfaces:
      FastEthernet4, Tunnel401, Tunnel0, Tunnel11, Vlan3, Tunnel101, Tunnel201
      Tunnel301
    Inside interfaces:
      Vlan1, Vlan2
    Hits: 574573468  Misses: 0
    CEF Translated packets: 566630850, CEF Punted packets: 45186206
    Expired translations: 10381404
    Dynamic mappings:
    -- Inside Source
    [Id: 1] access-list NAT_Wireless_DMS interface Loopback1 refcount 0
    [Id: 2] route-map NAT_Failover interface Vlan3 refcount 0
    [Id: 3] route-map NAT_Primary interface FastEthernet4 refcount 3410
    Appl doors: 0
    Normal doors: 0
    Queued Packets: 0

    Any help would be greatly appreciated.

    Thank you

    Russell Stamey

    NAT translations, by default, remain active for a very long time. If I remember correctly, it is 24 hours, but I would have to look it up to be sure. They don't take a lot of memory, so this isn't normally a problem, but if you encounter conditions that you think may be due to this, it is quite easy to limit the timeout.

     ip nat translation timeout 1800

    This will set the timeout for new connections to half an hour. Existing connections will keep the original timeouts, so you might want to wait for a slow period to make the change and then issue "clear ip nat translation *" right away to clear existing translations.
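The timeout tuning the reply above describes, extended to the per-protocol timers IOS offers, as an added example rather than anything from the thread. The values are illustrative, and the defaults quoted in the comments are the IOS defaults as I know them.

```cisco
! Added example, not from the thread. Illustrative values for an IOS
! branch router; the defaults noted in comments are the IOS defaults.
!
! Generic (non-TCP/UDP) entries: default 86400 s (24 h)
ip nat translation timeout 1800
! Established TCP: default 86400 s. Idle application sessions over
! IPsec tunnels are what pile up at a small site.
ip nat translation tcp-timeout 3600
! UDP: default 300 s
ip nat translation udp-timeout 120
! DNS and ICMP: default 60 s each
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
! TCP after FIN/RST and half-open SYN: default 60 s each
ip nat translation finrst-timeout 30
ip nat translation syn-timeout 30
! Hard ceiling on the table so one runaway host cannot exhaust it
ip nat translation max-entries 5000
!
! Timers only apply to entries created after the change. Compare the
! "Total active translations" line before and after, then clear the
! table during a quiet period so existing entries pick up the new timers.
show ip nat statistics
show ip nat translations verbose
clear ip nat translation *
```

The verbose translation listing shows the remaining lifetime of each entry, which is the quickest way to tell whether the table is full of long-idle TCP sessions or of short-lived entries that simply arrive faster than they expire.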

  • NAT problems

    I've partially implemented a Cisco ASA 5505. We have access to the internet and can get out without any problem. We have a web server that is on a 2nd IP that I need to NAT inside. I did this previously on a PIX, but for the life of me I can't make it work.

    I do not use a DMZ for that. I don't have time to re-IP the web server onto a different subnet. I just need to get this working so that the site works.

    Hi David,

    Here's how to

    static (inside,outside) publicIP webserverIP netmask 255.255.255.255

    access-list outside_access_in permit tcp any host publicIP eq www

    access-group outside_access_in in interface outside

    "We have a web server that is on a 2nd IP that I need to NAT inside."

    If what you mean is "your web server is on the inside interface, but not in the same subnet as the inside interface IP", then what you have to do is create subinterfaces. Then put the name of the subinterface in the static above instead of "inside", and set the gateway on the web server to the subinterface IP.

    Regards

  • Tunnel + static NAT problem

    Hello:

    I configured a PIX 501 to establish a site-to-site tunnel with a 1710 at the central site and it works fine, except for a small problem. The central site hosts a Domino server that must have a static NAT entry to allow servers on the internet to deliver mail to it. So, the problem is that even though I created a route-map to avoid NAT on site-to-site traffic, the static entry seems to take priority over the route-map and the mail server is always NATed. So the SOHO cannot reach it. What can I do to fix this?

    I need to use an entry like this:

    ip nat inside source static tcp 172.16.34.22 1352 200.212.0.66 1352

    Any help?

    Thank you

    You must do the following:

    (1) create a loopback interface with an IP subnet that you don't use anywhere in your network. Let's say 10.10.10.0/30:

    interface Loopback0
     ip address 10.10.10.1 255.255.255.252

    (2) create a route-map to match traffic from the server 172.16.34.22 destined to the other side of the tunnel:

    access-list 101 permit ip host 172.16.34.22 192.168.0.0 0.0.0.255
    route-map static permit 10
     match ip address 101
     set ip next-hop 10.10.10.2 (some address on the loopback subnet)

    (3) apply the route-map on the router interface facing the server:

    interface Ethernet0/0
     ip policy route-map static

    That's all

    Hope that helps

    Jean Marc

  • ASA 8.3 - SSL VPN - NAT problem

    Need help finding out how to configure AnyConnect VPN with the VPN client using NAT to the internal network.

    There are many articles on the other side - how to disable NAT for the VPN pool.

    I need to create the VPN gateway into a complex internal network; the vpnpool is out of the range of the regular subnet of that network, so there are going to be routing issues without NAT.

    I so need the connected VPN clients to be PATed to . The problem is that there is also a dynamic PAT rule for the ordinary Internet access which results in the "asymmetric NAT rules..." error.

    Creating two different NAT rules and moving them up/down makes no difference. There are also some hidden rules of the VPN setup :-( that could not be seen.

    V8.3 seems to be destroying trust in the Cisco firewall...

    Thank you.

    Stan,

    Something like this works for me.

    192.168.0.0/24---router--172.16.0.0/24 ASA-= cloud = host (the tunnel host gets an IP address from the "ON" pool, which is also connected to the inside)

    BSNs-ASA5520-10(config)# clear xlate
    INFO: 762 xlates deleted
    BSNs-ASA5520-10(config)# sh run nat
    nat (inside,outside) source static any any destination static SHARED SHARED
    !
    nat (inside,outside) after-auto source dynamic any interface
    BSNs-ASA5520-10(config)# sh run object network
    object network LOCAL_NETWORK
     subnet 192.168.0.0 255.255.255.0
    object network SHARED
     subnet 172.16.0.0 255.255.255.0
    BSNs-ASA5520-10(config)# sh run ip local pool
    ip local pool ALL 10.0.0.100-10.0.0.200
    ip local pool ON 172.16.0.100-172.16.0.155
    BSNs-ASA5520-10(config)# sh run tunne
    BSNs-ASA5520-10(config)# sh run tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool ON

    If I get your drift... bypassing inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via proxy ARP, but I'm not a fan of such solutions for remote access.

    Marcin

  • PAT NAT problems,

    Hello

    My client has a PIX 520. Here is the config.

    global (outside) 20 214.39.43.41-214.39.43.101

    global (Dmz) 10 11.254.254.31

    global (clients) 20 11.151.4.51-11.151.4.101

    nat (inside) 20 161.2.2.177 255.255.255.255 0 0

    nat (inside) 20 161.2.2.180 255.255.255.255 0 0

    nat (inside) 10 0.0.0.0 0.0.0.0 0 0

    nat (Dmz) 20 0.0.0.0 0.0.0.0 0 0

    The 161.2.2.177 device (server) is on the inside interface. With the config above, this device would be NAT/PAT'd for the outgoing interfaces as follows:

    (inside) 161.2.2.177, NAT'd to 214.39.43.41-214.39.43.101 (outside)

    (inside) 161.2.2.177, NAT'd to 11.151.4.51-11.151.4.101 (clients)

    (inside) 161.2.2.177, PAT'd to 11.254.254.31 (Dmz)

    In the xlate table, 161.2.2.177 is NAT'd for the outside & clients interfaces, but the PAT translation does not work!

    To test PAT I used a PC on the inside to ping the DMZ, and the PC was PAT'd to 11.254.254.31.

    Statically mapping 161.2.2.177 to an address on the DMZ also works. But PAT for this device does not work!

    PAT for this unit to the DMZ previously worked; no configuration change has been attempted on the PIX.

    Has anyone encountered this problem before?

    Has anyone encountered this problem before?

    Thanks for your help

    The 161.2.2.177 address is excluded because you have this:

    > nat (inside) 20 161.2.2.177 255.255.255.255 0 0

    Any packet from that inside host will always use this nat statement since it is the most specific; it has nat id 20, so you need a matching "global (dmz)" command with nat id 20 as well.

  • IPsec client for s2s NAT problem

    Hello

    We have a remote site (Paris) with a 5512 with some s2s and RA light client VPN (AnyConnect IPsec) tunnels. AnyConnect has no problem, but the IPsec client cannot pass traffic to the LAN. The subnet behind the fw is 10.176.0.0/16 and the RA client pool is 10.172.28.0/24. However, we have an s2s tunnel that NATs 10.0.0.0/8 and it appears that IPsec RA VPN client-bound traffic matches this rule and prevents connectivity to local resources via the IPsec VPN client.

    ......

    hits=485017, user_data=0x7fffa5d1aa10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip/id=10.176.0.0, mask=255.255.0.0, port=0

    dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0

    input_ifc=inside, output_ifc=outside

    ...

    Manual NAT Policies (Section 1)

    1 (inside) to (outside) source static Paris_Network Paris_Network   destination static Remote2_LAN_Networks Remote2_LAN_Networks no-proxy-arp route-lookup

    translate_hits = 58987, untranslate_hits = 807600

    2 (inside) to (outside) source static Paris_Network Paris_Network   destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 route-lookup

    translate_hits = 465384, untranslate_hits = 405850

    3 (inside) to (outside) source static Paris_Network Paris_Network   destination static Remote1_Networks Remote1_Networks route-lookup

    translate_hits = 3102307, untranslate_hits = 3380754

    4 (outside) to (inside) source static Paris_RA_VPN Paris_RA_VPN   destination static Paris_Network Paris_Network route-lookup

    translate_hits = 0, untranslate_hits = 3

    This method works on other sites with almost identical configuration, but for some reason it doesn't work here. I can't specify different subnets for the s2s tunnel because there are too many. Can someone help me and tell me why I can't get this to work?

    Hello

    So you're saying that AnyConnect is working but not IPsec? What is the AnyConnect VPN pool? Is it outside the 10.0.0.0/8 network?

    You should be able to override the L2L VPN NAT configuration by simply configuring a separate NAT for the local network to VPN pool traffic at the top of your NAT configuration.

    For example

    object network PARIS-LAN
     subnet 10.176.0.0 255.255.0.0

    object network PARIS-VPN-POOL
     subnet 10.172.28.0 255.255.255.0

    nat (inside,outside) 1 source static PARIS-LAN PARIS-LAN destination static PARIS-VPN-POOL PARIS-VPN-POOL

    This should ensure that the first rule on the ASA is the NAT rule that matches the VPN Client to LAN traffic. Other traffic in the L2L VPN should still hit the original NAT rule for the L2L VPN.

    If this does not work then we must look closer at the configuration.

    Hope this helps

    Remember to mark a reply as the answer if it answered your question.

    Feel free to ask more if necessary

    -Jouni

  • Static NAT problem with PIX501

    Hi all

    We have problems with our PIX firewall. We have configured a PIX 501 with static NAT for our web server. Here's the running configuration.

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    domain-name ciscopix.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list 101 permit tcp any host x.x.x.26 eq www
    access-list 101 permit tcp any host x.x.x.26 eq domain
    access-list 101 permit udp any host x.x.x.26 eq domain
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside x.x.x.28 255.255.255.248
    ip address inside 192.168.90.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.90.0 255.255.255.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) x.x.x.26 192.168.90.3 netmask 255.255.255.255 0 0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.25 1
    route inside 192.168.1.0 255.255.255.0 192.168.90.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.90.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end

    The problem is that with this configuration we are unable to access the web server from both inside and outside the network.

    All input will be greatly appreciated.

    Kind regards

    udimpas

    Enable "debug icmp trace" and then ping x.x.x.26 from the internet. The output should look like this:

    3363574: ICMP echo request (outside) ID=21834 seq=1202 length=80

    3363575: ICMP echo request untranslating outside: to inside:192.168.90.3

    3363576: ICMP echo reply from inside:192.168.90.3 ID=21834 seq=1202 length=80

    3363577: ICMP echo reply translating inside:192.168.90.3 to outside:

    By doing this you can 1. check the NAT, 2. see if the server responds to the internet.

    Do not forget to allow incoming icmp:

    access-list 101 permit icmp any any
