help static nat on ASA5510

tran trong nghia — Mon, 11 Mar 2019 23:46:38 GMT

Dear Cisco!

We have network topology Inside Netwrok (172.168.1.0/27) --- ASA5510----- Outside network (192.168.10.0/24)

ASA5510 have: Inside interface: 172.168.1.30/27; outside interface: 192.168.10.254

And we config:

# object network obj_inside

# subnet 172.168.1.0 255.255.255.224

# nat (inside,outside) dynamic interface

# object network obj_srv

# host 172.168.1.1

# nat (inside,outside) static 192.168.10.10 service tcp www www

# access-list outside_in extended permit tcp any host 172.168.1.1 eq 80

# access-group outside_in in interface outside

So, we í in from outside, we can't access web at 192.168.10.10?

Could you please help us config this situation?

Thanks!

help static nat on ASA5510

Julio Carvajal — Mon, 27 Aug 2012 04:48:11 GMT

Hello Tran,

Do the following:

object network 192.168.10.10

host 192.168.10.10

object service HTTP

service tcp source eq 80

nat (inside,outside) 1 source static obj_srv 192.168.10.10 service HTTP HTTP

Regards,

Rate all the helpful posts

Julio

help static nat on ASA5510

tran trong nghia — Mon, 27 Aug 2012 08:24:13 GMT

Dear Jcarvaja!

We try config same you said.

: Saved

: Written by cisco at 23:51:41.749 UTC Sun Aug 26 2012

ASA Version 8.4(2)

hostname ASA84

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.168.1.30 255.255.255.224

interface Ethernet0/1

nameif outside

security-level 0

ip address 192.168.10.254 255.255.255.0

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

object network obj_inside

subnet 172.168.1.0 255.255.255.224

object network obj_websrv

host 172.168.1.1

object network obj_websrv_map

host 192.168.10.10

object service HTTP

service tcp source eq www

object service TELNET

service tcp source eq telnet

access-list outside_access_in remark web

access-list outside_access_in extended permit object HTTP any object obj_websrv

access-list outside_access_in remark telnet

access-list outside_access_in extended permit object TELNET any object obj_websrv

access-list outside_in extended permit object TELNET any object obj_websrv_map

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj_websrv obj_websrv_map service HTTP HTTP

nat (inside,outside) source static obj_websrv obj_websrv_map service TELNET TELNET

object network obj_inside

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username cisco password 3USUcOPFUiMCO4Jk encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

Cryptochecksum:95c89977b58cece71e602943c945c150

and from Pc with address 192.168.10.20, in outside zone we can't access webserver with ip map: 192.168.10.10?

Could you help us check this problem?

Thanks!

help static nat on ASA5510

Julio Carvajal — Mon, 27 Aug 2012 19:57:09 GMT

Hello Tran,

The ACL is wrong

Changed to this:

access-list outside_access_in line 1 permit tcp any host 172.168.1.1 eq 80

Regards,

Julio

Remember to rate all the helpful posts

topic help static nat on ASA5510 in Network Security

help static nat on ASA5510

help static nat on ASA5510

help static nat on ASA5510

help static nat on ASA5510