https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218294#M350613 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It should work but make sure you did this first</P><P></P><P>Create the "object" that holds the real IP address of the server and the NAT configuration</P><P></P><P><STRONG>object network HTTPS-WEBSERVER</STRONG></P><P></P><P>While under the "object" configuration mode add the real IP address and the NAT configuration line</P><P></P><P><STRONG>host 192.168.1.14</STRONG></P><P><STRONG>nat (inside,outside) static interface service tcp 443 443</STRONG></P><P></P><P>And then make sure to configure the ACL/Access-list that allows the traffic to the Web server</P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 May 2013 16:18:53 GMT Jouni Forss 2013-05-03T16:18:53Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218289#M350608 <P>Hi All,</P><P></P><P>I have a 5505 and the following network layout:</P><P></P><P>Home router =&gt; ASA 5505 =&gt; HTTPS webserver</P><P></P><P>The home router is on 192.168.0.1</P><P>ASA 5505 external 192.168.0.19</P><P>ASA Internal 192.168.1.1</P><P>HTTPS webserver 192.168.1.14</P><P></P><P>I need the ASA to allow only HTTPS traffic inbound through it.</P><P>Thanks for any help you can offer.</P> Tue, 12 Mar 2019 01:38:10 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218289#M350608 mattatkin 2019-03-12T01:38:10Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218290#M350609 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Couple of things you want to check/configure first</P><P></P><UL><LI>Configure the ASAs "outside" interface with a static IP address instead of DHCP so the IP address doesnt change and therefore prevent the NAT from working</LI><LI>Remember that you will have to forward the port TCP/443 also on the Home Router since it has the public IP address to which people should connect to</LI></UL><P></P><P></P><P>The Port Forward / Static PAT configuration on your ASA would be</P><P></P><P><STRONG>object network HTTPS-WEBSERVER</STRONG></P><P><STRONG> host 192.168.1.14</STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 443 443</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P>The above configuration will forward the TCP/443 connections coming towards your ASA "outside" interface IP address to the "inside" IP address of the Web server.</P><P></P><P>As I said you will have to both configure the ASA "outside" IP address staticly so it doesnt change (which would make the NAT useless naturally) and you will also have to do a Port Forward / Static PAT configuration on the Home Router. You will basically need to forward the port TCP/443 coming to your Home Router public IP address to the ASA "outside" interface IP address on port TCP/443</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please remember to mark the question as answered if it did. Or ask more if needed <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 May 2013 15:52:56 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218290#M350609 Jouni Forss 2013-05-03T15:52:56Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218291#M350610 <HTML><HEAD></HEAD><BODY><P>Thanks JouniForss, when I try to configure the external interface with an IP address or security level (ethernet 0/0) I get the error This command can only be configured on VLAN interfaces.</P><P></P><P>-M</P></BODY></HTML> Fri, 03 May 2013 16:06:49 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218291#M350610 mattatkin 2013-05-03T16:06:49Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218292#M350611 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, the only interface where you configure IP address information on your ASA5505 is the Vlan interface.</P><P></P><P>At the moment your ASA "outside" interface is the interface Vlan2</P><P></P><P>You would have to configure the IP address in this way</P><P></P><P><STRONG>interface Vlan2</STRONG></P><P><STRONG> ip address 192.168.0.x 255.255.255.0</STRONG></P><P></P><P>Notice that this will naturally can cause a small outage in connections through the ASA.</P><P></P><P>Also make sure that the network mask I entered above is correct and choose the IP address you want instead of the "x" at the end of the IP address. This IP address should be in turn used on the Home Router as the IP address towards which you need to do the Port Forward on the Home Router.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 May 2013 16:11:39 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218292#M350611 Jouni Forss 2013-05-03T16:11:39Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218293#M350612 <HTML><HEAD></HEAD><BODY><P>OK, I put the 192.168.0.19 on the Vlan 2, (which I think logically works).</P><P></P><P>Then when I tried to do the NAT mapping I got this error</P><P></P><P>ciscoasa(config)# nat (inside,outside) static interface service tcp 443 443</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^</P><P>ERROR: % Invalid input detected at '^' marker.</P></BODY></HTML> Fri, 03 May 2013 16:15:03 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218293#M350612 mattatkin 2013-05-03T16:15:03Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218294#M350613 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It should work but make sure you did this first</P><P></P><P>Create the "object" that holds the real IP address of the server and the NAT configuration</P><P></P><P><STRONG>object network HTTPS-WEBSERVER</STRONG></P><P></P><P>While under the "object" configuration mode add the real IP address and the NAT configuration line</P><P></P><P><STRONG>host 192.168.1.14</STRONG></P><P><STRONG>nat (inside,outside) static interface service tcp 443 443</STRONG></P><P></P><P>And then make sure to configure the ACL/Access-list that allows the traffic to the Web server</P><P></P><P><STRONG>access-list OUTSIDE-IN remark Allow HTTPS traffic to the Web Server</STRONG></P><P><STRONG>access-list OUTSIDE-IN permit tcp any object HTTPS-WEBSERVER eq 443</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 May 2013 16:18:53 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218294#M350613 Jouni Forss 2013-05-03T16:18:53Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218295#M350614 <HTML><HEAD></HEAD><BODY><P>Thanks working just great!</P></BODY></HTML> Fri, 03 May 2013 16:59:26 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218295#M350614 mattatkin 2013-05-03T16:59:26Z https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218296#M350615 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Glad its working now <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 03 May 2013 17:00:47 GMT https://community.cisco.com/t5/network-security/asa-5505-using-nat-allowing-incoming-traffic-on-https/m-p/2218296#M350615 Jouni Forss 2013-05-03T17:00:47Z