topic Hi, Yeah in default scenario in Network Security

How to configure web server behind 1-to-1 NAT

chicagotech — Tue, 12 Mar 2019 04:37:15 GMT

In our Cisco ASA, we created 1-to-1 NAT (public ip x.x.x.174 and private ip 172.16.80.9). The Windows 2008 R2 web server using private IP 172.16.80.9 and default gateway 172.16.80.1 can access the Internet. But outside from the Internet can’t access the web server even the ports are open and we can access it internally. If I google my ip on the web server, it shows x.x.x.194 which is the outside interface of the Cisco ASA. That tells me the web server is connecting the Internet using private network default gateway 172.16.80.1 and public IP x.x.x.193 to outgoing and incoming. That is why outside people can’t access the web server. What’s the correct way to setup the web server TCP/IP to use the NAT?

Hi,

nkarthikeyan — Tue, 12 Aug 2014 06:49:42 GMT

Hi,

If you have the proper rules set for the inbound from outiside world and if you have the proper static NAT configured for your web server ip in fw, then it should be okay for you....

See the below mentioned sample

Providing Access to an Inside Web Server (Static NAT)

The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 30-1).

Figure 30-1 Static NAT for an Inside Web Server

Step 1 Create a network object for the internal web server:

hostname(config)# object network myWebServ

Step 2 Define the web server address:

hostname(config-network-object)# host 10.1.2.27

Step 3 Configure static NAT for the object:

hostname(config-network-object)# nat (inside,outside) static 209.165.201.10

when you are going out, you are prefffered to go out via genric PAT, thats why you are seeing your ip as interface (PAT ip)....

do you have any after-auto statements in your config?

Regards

Karthik

Thank you for the tip. The

chicagotech — Tue, 12 Aug 2014 17:34:48 GMT

Thank you for the tip. The problem is I mis-configured the outside interface. Does the web server always uses the PAT to access the Internet?

Hi, Yeah in default scenario

nkarthikeyan — Tue, 12 Aug 2014 17:52:41 GMT

Hi,

Yeah in default scenario it does like that because of the prioritization of the rule. if you want you need to prioritize that to use the NAT while going out as well.....

But that is not to be worried until and unless you have a specific requirement.

Regards

Karthik