https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048932#M1067967 <P>Hello Christian,</P><P>&nbsp;</P><P>Thank you for taking the time to reply.</P><P>&nbsp;</P><P>I want to configure the rule so that any traffic that comes in from my outside interface on port 1433 goes to 192.168.1.10&nbsp;</P><P>&nbsp;</P><P>So it would look like this:</P><P>&nbsp;</P><P><SPAN>67.205.185.195 &gt; 96.70.36.89 &gt; ASA &gt;&nbsp; 192.168.1.10</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Mar 2020 20:51:59 GMT arits2004 2020-03-19T20:51:59Z https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048893#M1067958 <P>I am trying to setup a dynamic nat from a public IP address to an internal IP address to allow access to a Microsoft SQL database. I want to configure this to allow my network object Cybernautic to access the network object&nbsp;MicrosoftSql. This is my current nat statment:</P><P>&nbsp;</P><P>nat (outside,inside_6) source static Cybernautic Cybernautic destination static DC01 DC01 service sql-1433 sql-1433</P><P>&nbsp;</P><P>But I am still unable to access the SQL database remotely. Any ideas?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Running Config:</P><P>&nbsp;</P><P>ip local pool anyconnect 192.168.2.1-192.168.2.200 mask 255.255.255.0</P><P>!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address 96.70.36.89 255.255.255.248<BR />!<BR />interface GigabitEthernet1/2<BR />bridge-group 1<BR />nameif inside_1<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />bridge-group 1<BR />nameif inside_6<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/8<BR />bridge-group 1<BR />nameif inside_7<BR />security-level 100<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />object network vpn<BR />subnet 10.0.0.0 255.255.255.0<BR />description ahall<BR />object network NETWORK_OBJ_192.168.1.0_24<BR />subnet 192.168.1.0 255.255.255.0<BR />object network NETWORK_OBJ_192.168.2.0_24<BR />subnet 192.168.2.0 255.255.255.0<BR />object network AnyHost<BR />subnet 0.0.0.0 0.0.0.0<BR />object network outsideIP<BR />host 96.70.36.89<BR />object network MicrosoftSql<BR />host 192.168.1.10<BR />object network remoteip<BR />host 50.235.80.83<BR />object network DC01_Outside<BR />host 192.168.1.10<BR />object network ahallvpn<BR />subnet 192.168.0.0 255.255.255.0<BR />object network TS02<BR />host 192.168.1.17<BR />object service RDP<BR />service tcp destination eq 3389<BR />object service sql-1433<BR />service tcp source eq 1433 destination eq 1433<BR />object network Cybernautic<BR />host 67.205.185.195<BR />description cybernautic remote ip address<BR />object-group network DM_INLINE_NETWORK_1<BR />network-object object ahallvpn<BR />network-object object vpn<BR />access-list global_access extended permit ip any any<BR />access-list inside_6_access_in extended permit ip any any<BR />access-list outside_access_in extended permit ip any any<BR />access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1<BR />access-list SplitTunnel standard permit 192.168.1.0 255.255.255.0<BR />access-list SplitTunnel standard permit 192.168.2.0 255.255.255.0<BR />access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object vpn<BR />access-list AnyConnect_Client_Local_Print extended deny ip any4 any4<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd<BR />access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631<BR />access-list AnyConnect_Client_Local_Print remark Windows' printing port<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100<BR />access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353<BR />access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355<BR />access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol<BR />access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137<BR />access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns<BR />access-list inside_6_access_out extended permit ip any any<BR />access-list global_access_1 extended permit ip any any<BR />access-list inside_access_in extended permit ip any any<BR />access-list outside_cryptomap_3 extended permit ip 192.168.1.0 255.255.255.0 object vpn<BR />pager lines 24<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside_1 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu inside_6 1500<BR />mtu inside_7 1500<BR />icmp unreachable rate-limit 1 burst-size 1<BR />icmp permit any inside<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />nat (outside,inside_6) source static Cybernautic Cybernautic destination static DC01 DC01 service sql-1433 sql-1433<BR />nat (any,any) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24<BR />nat (any,any) source static vpn vpn no-proxy-arp<BR />nat (any,any) source static ahallvpn ahallvpn no-proxy-arp<BR />!<BR />object network obj_any1<BR />nat (inside_1,outside) dynamic interface<BR />object network obj_any2<BR />nat (inside_2,outside) dynamic interface<BR />object network obj_any3<BR />nat (inside_3,outside) dynamic interface<BR />object network obj_any4<BR />nat (inside_4,outside) dynamic interface<BR />object network obj_any5<BR />nat (inside_5,outside) dynamic interface<BR />object network obj_any6<BR />nat (inside_6,outside) dynamic interface<BR />object network obj_any7<BR />nat (inside_7,outside) dynamic interface<BR />access-group outside_access_in in interface outside<BR />access-group inside_6_access_in in interface inside_6<BR />access-group inside_6_access_out out interface inside_6<BR />access-group inside_access_in in interface inside<BR />access-group global_access_1 global<BR />route outside 0.0.0.0 0.0.0.0 96.70.36.94 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_1<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.1.0 255.255.255.0 inside_3<BR />http 192.168.1.0 255.255.255.0 inside_4<BR />http 192.168.1.0 255.255.255.0 inside_5<BR />http 192.168.1.0 255.255.255.0 inside_6<BR />http 192.168.1.0 255.255.255.0 inside_7<BR />http 66.94.211.96 255.255.255.248 outside<BR />http 75.150.205.88 255.255.255.248 outside<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport<BR />crypto ipsec ikev2 ipsec-proposal DES<BR />protocol esp encryption des<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR />protocol esp encryption 3des<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES<BR />protocol esp encryption aes<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR />protocol esp encryption aes-192<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES256<BR />protocol esp encryption aes-256<BR />protocol esp integrity sha-1 md5<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES<BR />crypto map outside_map 2 match address outside_cryptomap_1<BR />crypto map outside_map 2 set pfs<BR />crypto map outside_map 2 set peer 74.120.200.141<BR />crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES<BR />crypto map outside_map 2 set security-association lifetime kilobytes unlimited<BR />crypto map outside_map 3 match address outside_cryptomap<BR />crypto map outside_map 3 set peer 74.121.200.141<BR />crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map outside_map 4 match address outside_cryptomap_3<BR />crypto map outside_map 4 set peer 74.120.200.141<BR />crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256<BR />crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<BR />crypto map outside_map interface outside<BR />crypto ca trustpoint ASDM_TrustPoint0<BR />enrollment self<BR />subject-name CN=ciscoasa<BR />crl configure<BR />crypto ca trustpool policy<BR />crypto ca certificate chain ASDM_TrustPoint0<BR />certificate 6476485e<BR />308202d4 308201bc a0030201 02020464 76485e30 0d06092a 864886f7 0d01010b<BR />0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648<BR />86f70d01 09021608 63697363 6f617361 301e170d 32303032 32303134 34363235<BR />5a170d33 30303231 37313434 3632355a 302c3111 300f0603 55040313 08636973<BR />636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082<BR />0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100e0<BR />94ff0dfe fcd1359e 13212381 379cfe06 122c031f dfd20ca1 54391026 63824cb2<BR />0b6ccc60 ce8d90c2 6e33bfc8 beda8c1b e36e416f a3adbfe7 58c95488 97965ccc<BR />b7f8fa61 ec39f8df 33677360 774c5b48 3ce339c4 4e3f4fa6 54691fe3 cc40106f<BR />6a929096 957e68c9 ee12d5fb 1e077973 dd994880 95358bed 14fff76d 584ed2ba<BR />30e23bd4 54025843 0b9b4d53 b001c6bd d78d56de 955bba8f 271e8db4 5f7ee76a<BR />2fbc93d2 07af8dee 1e79ee5c 74cfaefc 535ce9af 36a4b3b3 7b372134 8c0a6a68<BR />87e321ad ad89ef04 c55c6409 df5a13e9 f294da7a bdf2d75c 22f29673 6866d836<BR />a442e1ae ed0877ee 2e3d0949 91efe7de 2b5f21ba 2f282e20 54b7628f 93e70502<BR />03010001 300d0609 2a864886 f70d0101 0b050003 82010100 6f95e318 8162007e<BR />7d0871d5 28b3c3c9 97c02ee1 3034f976 2d2d1a93 4e3446d7 4bf3f8fc b1b8875e<BR />ff227966 94b1f5ff b42a6e8b 8c998020 41a9c586 75c8605f e79e9d0c 1ee4aacc<BR />1457f422 209e1883 cabde9b1 23235a9b ea2c098c 89a71271 27b686cb f0bc991b<BR />7f5416d7 73cf4dc0 bcd880cf 500c2eac 15fa3018 39c148c7 441f0576 8f50fff4<BR />2651dca0 2260d90a 53268be6 113fc7bb 6c7c394d 8b6d6096 7311c32d c3de445b<BR />c899adaf 972c873d 88ec6bce ec3620e4 577e6673 eacbf58f 3e718198 1a421181<BR />597bdafa 1769713a 2ed0b4e2 a6fd329d 79e0a05f 510f788e dfd1c15f b090993f<BR />55ae1b5b abaae30e a92b32fa 7927b76f db9a4aab d2e1c4a2<BR />quit<BR />crypto ikev2 policy 1<BR />encryption aes-256<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 10<BR />encryption aes-192<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 20<BR />encryption aes<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 30<BR />encryption 3des<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 policy 40<BR />encryption des<BR />integrity sha<BR />group 5 2<BR />prf sha<BR />lifetime seconds 86400<BR />crypto ikev2 enable outside client-services port 443<BR />crypto ikev2 remote-access trustpoint ASDM_TrustPoint0<BR />crypto ikev1 enable outside<BR />crypto ikev1 policy 10<BR />authentication pre-share<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 20<BR />authentication rsa-sig<BR />encryption aes-256<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 40<BR />authentication pre-share<BR />encryption aes-192<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 50<BR />authentication rsa-sig<BR />encryption aes-192<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 70<BR />authentication pre-share<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 80<BR />authentication rsa-sig<BR />encryption aes<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 100<BR />authentication pre-share<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 110<BR />authentication rsa-sig<BR />encryption 3des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 130<BR />authentication pre-share<BR />encryption des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />crypto ikev1 policy 140<BR />authentication rsa-sig<BR />encryption des<BR />hash sha<BR />group 2<BR />lifetime 86400<BR />telnet timeout 5<BR />ssh stricthostkeycheck<BR />ssh 66.94.211.96 255.255.255.248 outside<BR />ssh 75.150.205.88 255.255.255.248 outside<BR />ssh timeout 5<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P><P>dhcpd address 192.168.1.100-192.168.1.199 inside<BR />dhcpd dns 192.128.1.200 8.8.8.8 interface inside<BR />dhcpd lease 96000 interface inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />ssl trust-point ASDM_TrustPoint0 outside<BR />ssl trust-point ASDM_TrustPoint0 inside_1<BR />ssl trust-point ASDM_TrustPoint0 inside_2<BR />ssl trust-point ASDM_TrustPoint0 inside_3<BR />ssl trust-point ASDM_TrustPoint0 inside_4<BR />ssl trust-point ASDM_TrustPoint0 inside_5<BR />ssl trust-point ASDM_TrustPoint0 inside_6<BR />ssl trust-point ASDM_TrustPoint0 inside_7<BR />ssl trust-point ASDM_TrustPoint0 inside<BR />webvpn<BR />enable outside<BR />anyconnect image disk0:/anyconnect-macos-4.8.02045-webdeploy-k9.pkg 1<BR />anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 2<BR />anyconnect profiles AnyConnect2_client_profile disk0:/AnyConnect2_client_profile.xml<BR />anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml<BR />anyconnect profiles Anyconnect2_client_profile disk0:/Anyconnect2_client_profile.xml<BR />anyconnect enable<BR />tunnel-group-list enable<BR />cache<BR />disable<BR />error-recovery disable<BR />group-policy GroupPolicy_AnyConnect internal<BR />group-policy GroupPolicy_AnyConnect attributes<BR />wins-server none<BR />dns-server value 192.168.1.10<BR />vpn-tunnel-protocol ikev2 ssl-client<BR />split-tunnel-policy tunnelspecified<BR />split-tunnel-network-list value SplitTunnel<BR />default-domain value iuoe.local<BR />webvpn<BR />anyconnect profiles value AnyConnect_client_profile type user<BR />group-policy GroupPolicy_AnyConnect2 internal<BR />group-policy GroupPolicy_AnyConnect2 attributes<BR />wins-server none<BR />dns-server value 192.168.1.10<BR />vpn-tunnel-protocol ikev2 ssl-client<BR />default-domain value iuoe.local<BR />webvpn<BR />anyconnect profiles value AnyConnect2_client_profile type user<BR />group-policy GroupPolicy_74.120.200.141 internal<BR />group-policy GroupPolicy_74.120.200.141 attributes<BR />vpn-tunnel-protocol ikev1 ikev2<BR />dynamic-access-policy-record DfltAccessPolicy<BR />username brett password $sha512$5000$XoW4Fl+JnzF+N8U1SwEDCA==$hfRBTVaUBqAkOXHNosQIIw== pbkdf2<BR />username scott password $sha512$5000$j4omPvxMRd2Z4sKfzyf0UQ==$GBzjlct/tzBybF5MRrikzQ== pbkdf2<BR />username aric password $sha512$5000$/A2HDWSG/E698i23RFkn6w==$C7Oz9Z6sKGly33V2TFuB4Q== pbkdf2 privilege 15<BR />username joe password $sha512$5000$fTjCWPkuzQc7fZp8clSp/Q==$VuDOJvDGN5NnycWAsewjYQ== pbkdf2<BR />username darren password $sha512$5000$PxaGxa6qmkZy4jg0LbwQ9A==$qT1h2pKpgLyJTQhXvtkzNg== pbkdf2<BR />username learning1 password $sha512$5000$Uyl59gFusi+JaZjx+ywEbg==$YUIk+r1ZhAS5NBU4nVl+cQ== pbkdf2<BR />username learning2 password $sha512$5000$VrxZaUN+8I4RNWsnJ94PDA==$I82bCZ/iYk6S27uXGo2gdg== pbkdf2<BR />username learning4 password $sha512$5000$8ZJzSSLMdWzId0Q6GnPuCg==$dvAub8qMVy/yy190kUEihA== pbkdf2<BR />username tony password $sha512$5000$PiZsYtEGKf4/r0HRv6vemQ==$9jNq0O0+eZDLR0JaCwca0A== pbkdf2<BR />username Tony password $sha512$5000$fmbby6f8gCVudokt4nQckQ==$k3ZdmOabfKwJYetZQiU30w== pbkdf2<BR />username sora-user password $sha512$5000$ZRxPfRB+fcSAypV+IKAH3g==$p4tV2nL8rZ45iL4W/RNaPg== pbkdf2 privilege 15<BR />tunnel-group AnyConnect type remote-access<BR />tunnel-group AnyConnect general-attributes<BR />address-pool anyconnect<BR />default-group-policy GroupPolicy_AnyConnect<BR />nat-assigned-to-public-ip outside<BR />tunnel-group AnyConnect webvpn-attributes<BR />group-alias AnyConnect enable<BR />tunnel-group AnyConnect2 type remote-access<BR />tunnel-group AnyConnect2 general-attributes<BR />address-pool anyconnect<BR />default-group-policy GroupPolicy_AnyConnect2<BR />tunnel-group AnyConnect2 webvpn-attributes<BR />group-alias AnyConnect2 enable<BR />tunnel-group 74.120.200.141 type ipsec-l2l<BR />tunnel-group 74.120.200.141 general-attributes<BR />default-group-policy GroupPolicy_74.120.200.141<BR />tunnel-group 74.120.200.141 ipsec-attributes<BR />ikev1 pre-shared-key *****<BR />ikev2 remote-authentication pre-shared-key *****<BR />ikev2 local-authentication pre-shared-key *****<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />inspect icmp<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />Cryptochecksum:f367c499d76f219f55aa8dc907ed9841<BR />: end</P> Thu, 19 Mar 2020 19:48:13 GMT https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048893#M1067958 arits2004 2020-03-19T19:48:13Z https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048916#M1067965 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;First of all, if this is a live (not lab) environment connected to the Internet, i don't see how you would expect the public IP of&nbsp;</P><P><SPAN>67.205.185.195 to reach&nbsp;your private IP of&nbsp;</SPAN><SPAN>192.168.1.10, via the Internet, without a VPN tunnel build, which i don't see in the config.</SPAN></P><P><SPAN>&nbsp; &nbsp;If&nbsp;this is lab environment, your NAT statement points to an&nbsp;</SPAN>object which does not exist, fix the issue by using the same object name in both the object definition and NAT statement; also the wrong ingress interface is specified, you should be using&nbsp;<STRONG>inside</STRONG>, not&nbsp;<STRONG>inside6</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>Wrong:</STRONG></P><P><SPAN>object network <STRONG>DC01_Outside</STRONG></SPAN></P><P><SPAN>host 192.168.1.10</SPAN></P><P><SPAN>nat (outside,inside_6) source static Cybernautic Cybernautic destination static <STRONG>DC01</STRONG> <STRONG>DC01</STRONG> service sql-1433 sql-1433</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>Correct:</STRONG></P><P>no nat (outside,inside_6) source static Cybernautic Cybernautic destination static DC01 DC01 service sql-1433 sql-1433</P><P>no&nbsp;object network DC01_Outside</P><P><SPAN><STRONG>!</STRONG></SPAN></P><P><SPAN>object network <STRONG>DC01</STRONG></SPAN></P><P><SPAN>host 192.168.1.10</SPAN></P><P><SPAN>nat (outside,<STRONG>inside</STRONG>) source static Cybernautic Cybernautic destination static <STRONG>DC01</STRONG> <STRONG>DC01</STRONG> service sql-1433 sql-1433</SPAN></P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei</P> Thu, 19 Mar 2020 20:31:38 GMT https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048916#M1067965 Cristian Matei 2020-03-19T20:31:38Z https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048932#M1067967 <P>Hello Christian,</P><P>&nbsp;</P><P>Thank you for taking the time to reply.</P><P>&nbsp;</P><P>I want to configure the rule so that any traffic that comes in from my outside interface on port 1433 goes to 192.168.1.10&nbsp;</P><P>&nbsp;</P><P>So it would look like this:</P><P>&nbsp;</P><P><SPAN>67.205.185.195 &gt; 96.70.36.89 &gt; ASA &gt;&nbsp; 192.168.1.10</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Mar 2020 20:51:59 GMT https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048932#M1067967 arits2004 2020-03-19T20:51:59Z https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048972#M1067975 <P>Hi,</P><P>&nbsp;</P><P>Use this config instead:</P><P>&nbsp;</P><P>no nat (outside,inside_6) source static Cybernautic Cybernautic destination static DC01 DC01 service sql-1433 sql-1433</P><P>no&nbsp;object network DC01_Outside</P><P><SPAN><STRONG>!</STRONG></SPAN></P><P><SPAN>object network outsideIP</SPAN></P><P><SPAN>host 96.70.36.89</SPAN></P><P><SPAN>!</SPAN></P><P><SPAN>object network MicrosoftSql<BR />host 192.168.1.10</SPAN></P><P><SPAN>nat (inside, outside) static interface service tcp 1433 1433</SPAN></P><P>&nbsp;</P><P><SPAN>To test it, run packet-tracer&nbsp;input inside tcp&nbsp;67.205.185.195 10000&nbsp;96.70.36.89 1433 detailed</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei</P> Thu, 19 Mar 2020 22:16:11 GMT https://community.cisco.com/t5/network-security/static-pat-for-cisco-asa-5506-to-microsoft-sql-server/m-p/4048972#M1067975 Cristian Matei 2020-03-19T22:16:11Z