topic Re: Port Forwarding in Network Security

Port Forwarding

johnson955 — Mon, 11 Mar 2019 18:39:43 GMT

I have read the documentation and tried many things.

All i want currently is to forward port 80 to an internal webserver.

I use logmein to access my home pc to the test the connection.

The log file just says

TCP access denied by ACL from xx.xx.xx.143 to outside xx.xx.xx.195/80

I can access the internet from the internal computer just fine.

I also have it working with the webvpn.

I am not a Cisco person so i prefer working through the ASDM

: Saved
:
ASA Version 8.3(1) 
!
hostname ciscoasa
domain-name bongards.com
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 99
 ip address 192.168.1.38 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.28.106.195 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.27
 name-server 192.168.1.37
 domain-name bongards.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.1.0 
 subnet 192.168.1.0 255.255.255.0
object network obj-152.152.152.0 
 subnet 152.152.152.0 255.255.255.0
object network NETWORK_OBJ_152.152.152.0_24 
 subnet 152.152.152.0 255.255.255.0
object network A_12.28.106.194 
 host 12.28.106.194
object network A_12.28.106.196 
 host 12.28.106.196
object network A_ 
object network PatronPage 
 host 192.168.1.25
 description Web Server 
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network PP 
 host 12.28.106.195
 description PP 
access-list vpngrp1_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 152.152.152.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 152.152.152.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip interface inside any 
access-list inside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 152.152.152.0 255.255.255.0 any 
access-list inside_access_in extended permit ip any 152.152.152.0 255.255.255.0 
access-list inside_access_in extended permit ip any 30.30.30.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any object PP eq www 
access-list outside_access_in extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_access_in extended permit ip any 152.152.152.0 255.255.255.0 
access-list outside_access_in extended permit tcp interface inside any eq www inactive 
access-list outside_access_in extended permit tcp any object PatronPage eq www 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any object PP eq www 
access-list outside_access_in extended permit ip any object PP 
access-list outside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list vpngrp2_splitTunnelAcl standard permit any 
access-list global_access extended permit tcp any interface outside eq www 
access-list global_access extended permit icmp interface inside interface inside 
access-list global_access extended permit tcp object PatronPage any eq www 
access-list test extended permit ip any interface outside 
access-list test2 standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Vpn 152.152.152.1-152.152.152.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,any) source static any any destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24
nat (any,inside) source static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24 dns
nat (inside,inside) source static any any
!
object network PP
 nat (outside,inside) dynamic PatronPage
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 12.28.106.193 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 4
route inside 20.20.20.0 255.255.255.0 192.168.1.1 3
route inside 30.30.30.0 255.255.255.0 30.30.30.1 2
route outside 0.0.0.0 0.0.0.0 192.168.1.38 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 180
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.39-192.168.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 csd image disk0:/csd_3.4.2048.pkg
 csd enable
 port-forward RDP 3369 appserver2.bongards.com 3369 RDP
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_nat0_outbound
 intercept-dhcp 255.255.255.0 enable
 ip-phone-bypass enable
 leap-bypass enable
 nem enable
 webvpn
  svc firewall-rule client-interface public value inside_nat0_outbound
  svc firewall-rule client-interface private value inside_nat0_outbound
group-policy vpngrp2 internal
group-policy vpngrp2 attributes
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngrp2_splitTunnelAcl
 default-domain value bongards.com
 webvpn
  customization value DfltCustomization
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 192.168.1.25 192.168.1.37
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec svc 
 default-domain value bongards.com
group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.1.37
 dns-server value 192.168.1.37 192.168.1.27
 vpn-tunnel-protocol IPSec 
 default-domain value bongards.com
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 wins-server value 192.168.1.25 192.168.1.37
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec 
 default-domain value bongards.com
username georgej password 7qWTAlO19tqEYnAV encrypted
username georgej attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  url-list value Admin
  customization value DfltCustomization
  sso-server none
username remotevpn password 5C9zA4WCqZXiXFOz encrypted
username Shoplogix password ux7PTSQq6U0mPa19 encrypted
username Shoplogix attributes
 service-type remote-access
 webvpn
  url-entry disable
  url-list value Shoplogix
  customization value DfltCustomization
username justinr password uXkNnGqn9C7DQcsV encrypted privilege 0
username justinr attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  file-browsing enable
  file-entry enable
  hidden-shares none
  url-list value Admin
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group vpngrp2 type remote-access
tunnel-group vpngrp2 general-attributes
 address-pool Vpn
 default-group-policy vpngrp2
tunnel-group vpngrp2 ipsec-attributes
 pre-shared-key *****
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
 address-pool Vpn
tunnel-group CiscoVPN ipsec-attributes
 pre-shared-key *****
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
 address-pool Vpn
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *****
 radius-sdi-xauth
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool Vpn
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e7d1deeafe86c0caffbef7fda584321d
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Re: Port Forwarding

Allen P Chen — Mon, 13 Sep 2010 21:50:19 GMT

Hello,

What is the IP address of your internal web server? Is it 192.168.1.25? From the outside, what IP address are you accessing in attempt to reach your internal web server?

Please advise.

Re: Port Forwarding

Kureli Sankar — Tue, 14 Sep 2010 04:01:53 GMT

I believe you need the following added to the config - assuming 192.168.1.25 is the webserver.

object network PatronPage
nat(inside,outside) static interface service tcp 80 80

access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www

-KS

Re: Port Forwarding

johnson955 — Tue, 14 Sep 2010 13:36:04 GMT

When i tried to add

object network PatronPage
nat(inside,outside) static interface service tcp 80 80

i got an error message

the command

access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www

did go through and the packet tracer now says it is successful.

But when i remote my home pc and try to access the webpage via

http://12.28.106.195/DSIWeb

i get the log veiwer saying TCP access denied by ACL from xx.xx.xxx.143/59282 to outside:12.28.106.195/80

Also just FYI when i am testing the webpage i am changing the gateway of the webserver from 192.168.1.1 to 192.168.1.38 which is the internal ip of the cisco box.

When it is set to 192.168.1.1 the webpage can be access from http://bongardscheese.com/DSIWeb, which is our old firewall we want to replace.

Re: Port Forwarding

Kureli Sankar — Tue, 14 Sep 2010 13:51:38 GMT

What error did you get? Could you pls. copy and past that error?

Also, what is the reason for this line in the config?

nat (inside,inside) source static any any

can you remove this line and try?

-KS

Re: Port Forwarding

johnson955 — Tue, 14 Sep 2010 14:52:00 GMT

Result of the command: "object network PatronPage"

The command has been sent to the device

Result of the command: "nat(inside,outside) static interface service tcp 80 80"

nat(inside,outside) static interface service tcp 80 80
^
ERROR: % Invalid input detected at '^' marker.

I removed the inside, inside rule.

3 Sep 14 2010 09:44:58 710003 xx.xx.xxx.143 61000 12.28.106.195 80 TCP access denied by ACL from xx.xx.xxx.143/61000 to outside:12.28.106.195/80

My config is now

: Saved
:
ASA Version 8.3(1) 
!
hostname ciscoasa
domain-name bongards.com
enable password 1rEyPzDTxdq.gL.M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 99
 ip address 192.168.1.38 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.28.106.195 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.27
 name-server 192.168.1.37
 domain-name bongards.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.1.0 
 subnet 192.168.1.0 255.255.255.0
object network obj-152.152.152.0 
 subnet 152.152.152.0 255.255.255.0
object network NETWORK_OBJ_152.152.152.0_24 
 subnet 152.152.152.0 255.255.255.0
object network A_12.28.106.194 
 host 12.28.106.194
object network A_12.28.106.196 
 host 12.28.106.196
object network A_ 
object network PatronPage 
 host 192.168.1.25
 description Web Server 
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network PP 
 host 12.28.106.195
 description PP 
access-list vpngrp1_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 152.152.152.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 152.152.152.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip interface inside any 
access-list inside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 152.152.152.0 255.255.255.0 any 
access-list inside_access_in extended permit ip any 152.152.152.0 255.255.255.0 
access-list inside_access_in extended permit ip any 30.30.30.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any object PP eq www 
access-list outside_access_in extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_access_in extended permit ip any 152.152.152.0 255.255.255.0 
access-list outside_access_in extended permit tcp interface inside any eq www inactive 
access-list outside_access_in extended permit tcp any object PatronPage eq www 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any object PP eq www 
access-list outside_access_in extended permit ip any object PP 
access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www 
access-list outside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list vpngrp2_splitTunnelAcl standard permit any 
access-list global_access extended permit tcp any interface outside eq www 
access-list global_access extended permit icmp interface inside interface inside 
access-list global_access extended permit tcp object PatronPage any eq www 
access-list test extended permit ip any interface outside 
access-list test2 standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Vpn 152.152.152.1-152.152.152.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,any) source static any any destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24
nat (any,inside) source static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24 dns
!
object network PP
 nat (outside,inside) dynamic PatronPage
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 12.28.106.193 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 4
route inside 20.20.20.0 255.255.255.0 192.168.1.1 3
route inside 30.30.30.0 255.255.255.0 30.30.30.1 2
route outside 0.0.0.0 0.0.0.0 192.168.1.38 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpn-addr-assign local reuse-delay 180
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.39-192.168.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 csd image disk0:/csd_3.4.2048.pkg
 csd enable
 port-forward RDP 3369 appserver2.bongards.com 3369 RDP
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_nat0_outbound
 intercept-dhcp 255.255.255.0 enable
 ip-phone-bypass enable
 leap-bypass enable
 nem enable
 webvpn
  svc firewall-rule client-interface public value inside_nat0_outbound
  svc firewall-rule client-interface private value inside_nat0_outbound
group-policy vpngrp2 internal
group-policy vpngrp2 attributes
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngrp2_splitTunnelAcl
 default-domain value bongards.com
 webvpn
  customization value DfltCustomization
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 192.168.1.25 192.168.1.37
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec svc 
 default-domain value bongards.com
group-policy remote internal
group-policy remote attributes
 wins-server value 192.168.1.37
 dns-server value 192.168.1.37 192.168.1.27
 vpn-tunnel-protocol IPSec 
 default-domain value bongards.com
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 wins-server value 192.168.1.25 192.168.1.37
 dns-server value 192.168.1.27 192.168.1.37
 vpn-tunnel-protocol IPSec 
 default-domain value bongards.com
username georgej password 7qWTAlO19tqEYnAV encrypted
username georgej attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  url-list value Admin
  customization value DfltCustomization
  sso-server none
username remotevpn password 5C9zA4WCqZXiXFOz encrypted
username Shoplogix password ux7PTSQq6U0mPa19 encrypted
username Shoplogix attributes
 service-type remote-access
 webvpn
  url-entry disable
  url-list value Shoplogix
  customization value DfltCustomization
username justinr password uXkNnGqn9C7DQcsV encrypted privilege 0
username justinr attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
  file-browsing enable
  file-entry enable
  hidden-shares none
  url-list value Admin
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group vpngrp2 type remote-access
tunnel-group vpngrp2 general-attributes
 address-pool Vpn
 default-group-policy vpngrp2
tunnel-group vpngrp2 ipsec-attributes
 pre-shared-key *****
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
 address-pool Vpn
tunnel-group CiscoVPN ipsec-attributes
 pre-shared-key *****
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
 address-pool Vpn
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *****
 radius-sdi-xauth
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool Vpn
 default-group-policy remote
tunnel-group remote ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7d0ac7a4d66fe2f247fa83f70aeeecd3
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Re: Port Forwarding

Allen P Chen — Tue, 14 Sep 2010 17:06:54 GMT

There needs to be a space between the nat and the "(". For example:

nat (inside,outside) static interface service tcp 80 80

Please give that a try.

Re: Port Forwarding

johnson955 — Tue, 14 Sep 2010 19:21:24 GMT

I will give it a try tomorrow the web server is starting to not play nice with anything.

I would like to make sure that if the cisco config is right it will actually work, hate to find out my config was right but never worked because it was the server.

Re: Port Forwarding

johnson955 — Thu, 23 Sep 2010 17:57:43 GMT

Finally been able to get back to working on this.

The error i get when trying to add that line to the asa is this

Result of the command: "nat (inside,outside) static interface service tcp 80 80"

nat (inside,outside) static interface service tcp 80 80
^
ERROR: % Invalid input detected at '^' marker.

Re: Port Forwarding

Allen P Chen — Thu, 23 Sep 2010 18:00:24 GMT

You need to define the static nat within the object:

object network PatronPage
nat (inside,outside) static interface service tcp 80 80

Please give that a try, thanks.

Re: Port Forwarding

johnson955 — Thu, 23 Sep 2010 18:16:41 GMT

Wow i got it working, i followed the directions at

http://www.gregledet.net/?p=537

What i had missed was the Advanced Nat Settings, i think thats what the command we where trying to do CLI would have done.