https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044029#M895290 <P>Having some problems natting with my new ASA5505.</P><P>The firewall is protecting my home net and I have a personal web/mail server I like to give public access to.</P><P></P><P>I have dynamic natting configured for the desktops and one static nat for the server. Also I have a Access rule for https and smtp traffic. Still nothing passes to the server.</P><P>Also when I nat the server I get packet drops when clients are trying to access it. Even if they are all in the LAN and connected to the same switch so there should be no routing or going through the ASA. The NAT and ACL rules are as follows:</P><P>NAT policies on Interface outside:</P><P> match tcp outside host XX.XXX.XX.35 eq 443 inside any</P><P> static translation to 10.10.10.2/443</P><P> translate_hits = 0, untranslate_hits = 0</P><P></P><P>NAT policies on Interface inside:</P><P> match ip inside any outside any</P><P> dynamic translation to pool 1 (XX.XXX.XX.34 [Interface PAT])</P><P> translate_hits = 8, untranslate_hits = 0</P><P> match ip inside any inside any</P><P> dynamic translation to pool 1 (No matching global)</P><P> translate_hits = 0, untranslate_hits = 0</P><P> match ip inside any _internal_loopback any</P><P> dynamic translation to pool 1 (No matching global)</P><P> translate_hits = 0, untranslate_hits = 0</P><P>access-list OWA line 1 extended permit tcp any host XX.XX.XX.35 eq https (hitcnt=0) 0x342768d2</P><P>access-list OWA line 1 extended permit tcp any host XX.XXX.XX.35 eq smtp (hitcnt=0) 0xe2c18426</P><P></P> Mon, 11 Mar 2019 13:55:26 GMT mahellma 2019-03-11T13:55:26Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044029#M895290 <P>Having some problems natting with my new ASA5505.</P><P>The firewall is protecting my home net and I have a personal web/mail server I like to give public access to.</P><P></P><P>I have dynamic natting configured for the desktops and one static nat for the server. Also I have a Access rule for https and smtp traffic. Still nothing passes to the server.</P><P>Also when I nat the server I get packet drops when clients are trying to access it. Even if they are all in the LAN and connected to the same switch so there should be no routing or going through the ASA. The NAT and ACL rules are as follows:</P><P>NAT policies on Interface outside:</P><P> match tcp outside host XX.XXX.XX.35 eq 443 inside any</P><P> static translation to 10.10.10.2/443</P><P> translate_hits = 0, untranslate_hits = 0</P><P></P><P>NAT policies on Interface inside:</P><P> match ip inside any outside any</P><P> dynamic translation to pool 1 (XX.XXX.XX.34 [Interface PAT])</P><P> translate_hits = 8, untranslate_hits = 0</P><P> match ip inside any inside any</P><P> dynamic translation to pool 1 (No matching global)</P><P> translate_hits = 0, untranslate_hits = 0</P><P> match ip inside any _internal_loopback any</P><P> dynamic translation to pool 1 (No matching global)</P><P> translate_hits = 0, untranslate_hits = 0</P><P>access-list OWA line 1 extended permit tcp any host XX.XX.XX.35 eq https (hitcnt=0) 0x342768d2</P><P>access-list OWA line 1 extended permit tcp any host XX.XXX.XX.35 eq smtp (hitcnt=0) 0xe2c18426</P><P></P> Mon, 11 Mar 2019 13:55:26 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044029#M895290 mahellma 2019-03-11T13:55:26Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044030#M895292 <HTML><HEAD></HEAD><BODY><P>Mats-</P><P></P><P>Can you post the results from the following commands?</P><P></P><P>show run global</P><P>show run nat</P></BODY></HTML> Thu, 09 Oct 2008 19:43:00 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044030#M895292 Collin Clark 2008-10-09T19:43:00Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044031#M895294 <HTML><HEAD></HEAD><BODY><P>I got it working a little now. Apparently I can't have a dynamic nat and a static nat from the same subnet/interface.</P><P>So now I can access the external network with my admin machine and mail etc is dropping in to the server. Also I made a static outside,inside and inside,outside nat for the server.</P><P>Here is some info,</P><P>NAT policies on Interface inside:</P><P> match ip inside host 10.10.10.120 outside any</P><P> static translation to XX.XXX.XX.34</P><P>match ip inside host 10.10.10.2 outside any</P><P> static translation to XX.XXX.XX.35</P><P></P><P>NAT policies on Interface outside:</P><P> match ip outside host XX.XXX.XX.35 inside any</P><P> static translation to 10.10.10.2</P><P>===============================================</P><P>The Access lists</P><P>access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq www</P><P>access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq https</P><P>access-list outside_access_in line 1 extended permit tcp any host XX.XXX.XX.35 eq smtp</P><P></P><P>Now the problem is how do I get the rest of the 25-bit subnet to get out on the outside without adding a static route for each host?</P><P></P><P>And the info you asked for:</P><P>global (outside) 1 interface</P><P>cisco# show run nat</P><P>cisco#</P><P></P></BODY></HTML> Thu, 09 Oct 2008 19:57:04 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044031#M895294 mahellma 2008-10-09T19:57:04Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044032#M895295 <HTML><HEAD></HEAD><BODY><P>I'm confused by your NAT statements. Are you using MPF for NAT?</P><P></P><P>Here are some statements that should accomplish what you want-</P><P></P><P>nat 1 (inside) 0 0</P><P>static (inside,outside) tcp interface 25 [email server ip] 25 netmask 255.255.255.255</P><P>static (inside,outside) tcp interface 80 [web server ip] 80 netmask 255.255.255.255</P><P>static (inside,outside) tcp interface 443 [web server ip] 443 netmask 255.255.255.255</P></BODY></HTML> Thu, 09 Oct 2008 20:10:26 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044032#M895295 Collin Clark 2008-10-09T20:10:26Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044033#M895296 <HTML><HEAD></HEAD><BODY><P>Thanks I'll try that.</P><P>To be clear, my Cisco has an external IP XX.XXX.XX.34 and the external mail ip is XX.XXX.XX.35.</P><P>In your list is the IP part external or internal ips? And if external where do I define to which internal ip the traffic goes?</P><P>Also all http,https,smtp services are on the same internal server.</P></BODY></HTML> Thu, 09 Oct 2008 20:25:48 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044033#M895296 mahellma 2008-10-09T20:25:48Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044034#M895298 <HTML><HEAD></HEAD><BODY><P>The server in the static statement should be your internal IP. Since your interface IP is .34 and you want your services on .35, your statics would look like this (assume your server IP is 192.168.1.10):</P><P></P><P>static (inside,outside) tcp X.X.X.35 25 192.168.1.10 25 netmask 255.255.255.255</P><P>static (inside,outside) tcp X.X.X.35 80 192.168.1.10 80 netmask 255.255.255.255</P><P>static (inside,outside) tcp X.X.X.35 443 192.168.1.10 443 netmask 255.255.255.255 </P><P></P><P>The above is actually called port translation. If you want to (since you're going to one server), you can NAT the public IP to a private IP, all ports and protocols.</P><P></P><P>static (inside,outside) X.X.X.35 192.168.1.10 netmask 255.255.255.255</P></BODY></HTML> Thu, 09 Oct 2008 20:30:24 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044034#M895298 Collin Clark 2008-10-09T20:30:24Z https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044035#M895299 <HTML><HEAD></HEAD><BODY><P>Thank you!</P><P>Now that I see the commands and the diagrams in ASDM I also see what I did wrong.</P><P>Cisco has a different logic to it than Watchguard or Juniper and I'm used to them.</P><P>Thanks again for clarifying this.</P></BODY></HTML> Thu, 09 Oct 2008 20:44:23 GMT https://community.cisco.com/t5/network-security/asa-and-nat/m-p/1044035#M895299 mahellma 2008-10-09T20:44:23Z