https://community.cisco.com/t5/network-security/asa-nat-issues/m-p/1220801#M841022 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks like you are trying to allow inbound access to your server fixitserv1 correct. Your static NAT is correct however the access list needs to allow inbound access to the PUBLIC IP rather than to the private 192.X.X.X. You access list needs to be modified as below:</P><P></P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq smtp</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq https</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq ftp</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq ftp-data</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq www</P><P>access-list ACLOUTSIDE extended permit gre any any</P><P>access-list ACLOUTSIDE extended permit icmp any any echo-reply</P><P>access-list ACLOUTSIDE extended permit icmp any any echo </P><P></P><P>In regards to the ICMP part you might need to enable icmp inspection which is disabled by default on the global policy map</P><P></P><P>hostname(config)# policy-map global_policy </P><P></P><P>hostname(config-pmap)# class inspection_default</P><P></P><P>hostname(config-pmap-c)# inspect icmp </P><P>hostname(config-pmap-c)# inspect icmp error &lt;- you might not need this one</P><P>hostname(config-pmap-c)# exit</P><P></P><P>From enabled mode type clear xlate and test it again</P><P></P><P>I hope it helps .. please rate helpful posts </P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 19 May 2009 10:26:16 GMT Fernando_Meza 2009-05-19T10:26:16Z https://community.cisco.com/t5/network-security/asa-nat-issues/m-p/1220800#M841021 <P>Hi.. We are having real problems trying to get NAT to work on our ASA. I have 2 problems.</P><P></P><P>1. With the below config I cannot ping out to an internet address of though I can browse the internet?</P><P>2. I cannot reach port 25 or any other Port. They are allow though my acl's.. is there something wrong with the way I have set up NAT??</P><P></P><P></P><P></P><P>hostname ciscoasa</P><P>domain-name default.domain.invalid</P><P>enable password AHg/jZkGOJYyOC6O encrypted</P><P>names</P><P>name 192.168.1.4 fixitserv1</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.254 255.255.255.0</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> pppoe client vpdn group 1</P><P> ip address pppoe setroute</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name default.domain.invalid</P><P></P><P> icmp-object echo</P><P>access-list ACLOUTSIDE extended permit tcp any host fixitserv1 eq smtp</P><P>access-list ACLOUTSIDE extended permit tcp any host fixitserv1 eq https</P><P>access-list ACLOUTSIDE extended permit tcp any host fixitserv1 eq ftp</P><P>access-list ACLOUTSIDE extended permit tcp any host fixitserv1 eq ftp-data</P><P>access-list ACLOUTSIDE extended permit tcp any host fixitserv1 eq www</P><P>access-list ACLOUTSIDE extended permit gre any any</P><P>access-list ACLOUTSIDE extended permit icmp any any echo-reply</P><P>access-list ACLOUTSIDE extended permit icmp any any echo</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-522.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>nat-control</P><P>global (outside) 1 interface</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P>static (inside,outside) 203.222.69.26 fixitserv1 netmask 255.255.255.255</P><P>access-group ACLOUTSIDE in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 203.222.69.26 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet timeout 5</P><P>ssh timeout 5</P><P>console timeout 0</P><P>vpdn group 1 request dialout pppoe</P><P>vpdn group 1 localname <A href="mailto:fixit-it2@connexus.net.au" target="_blank">fixit-it2@connexus.net.au</A></P><P>vpdn group 1 ppp authentication chap</P><P>vpdn username fixit-it2.connexus.net.au password ********* store-local</P><P>vpdn username <A href="mailto:fixit-it2@connexus.net.au" target="_blank">fixit-it2@connexus.net.au</A> password *********</P><P>dhcpd auto_config outside</P><P>!</P><P> </P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:a5bec26d26a65c047c5106b595fc949c</P><P>: end</P><P></P><P> </P><P></P><P> </P><P></P><P> </P> Mon, 11 Mar 2019 15:33:39 GMT https://community.cisco.com/t5/network-security/asa-nat-issues/m-p/1220800#M841021 andypearce33 2019-03-11T15:33:39Z https://community.cisco.com/t5/network-security/asa-nat-issues/m-p/1220801#M841022 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks like you are trying to allow inbound access to your server fixitserv1 correct. Your static NAT is correct however the access list needs to allow inbound access to the PUBLIC IP rather than to the private 192.X.X.X. You access list needs to be modified as below:</P><P></P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq smtp</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq https</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq ftp</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq ftp-data</P><P>access-list ACLOUTSIDE extended permit tcp any host 203.222.69.26 eq www</P><P>access-list ACLOUTSIDE extended permit gre any any</P><P>access-list ACLOUTSIDE extended permit icmp any any echo-reply</P><P>access-list ACLOUTSIDE extended permit icmp any any echo </P><P></P><P>In regards to the ICMP part you might need to enable icmp inspection which is disabled by default on the global policy map</P><P></P><P>hostname(config)# policy-map global_policy </P><P></P><P>hostname(config-pmap)# class inspection_default</P><P></P><P>hostname(config-pmap-c)# inspect icmp </P><P>hostname(config-pmap-c)# inspect icmp error &lt;- you might not need this one</P><P>hostname(config-pmap-c)# exit</P><P></P><P>From enabled mode type clear xlate and test it again</P><P></P><P>I hope it helps .. please rate helpful posts </P><P></P><P></P><P></P><P></P></BODY></HTML> Tue, 19 May 2009 10:26:16 GMT https://community.cisco.com/t5/network-security/asa-nat-issues/m-p/1220801#M841022 Fernando_Meza 2009-05-19T10:26:16Z