https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337472#M969241 <P>But his flow don't make sense. Why on earth you would like to start a connection from the real IP do the NAT IP.</P> <P>&nbsp;This would cause a hair pinning situation.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Sun, 25 Feb 2018 20:36:26 GMT Flavio Miranda 2018-02-25T20:36:26Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337395#M969156 <P>ASA Version 9.2(2)4</P> <P>I am having an issue creating NAT to my web server after following suggested sample from this link.</P> <P>Here is my config</P> <P>Webserver:192.168.16.28</P> <P>Public IP: 80.248.12.189</P> <P>&nbsp;</P> <P>object network Web<BR />host 192.168.16.28</P> <P>&nbsp;</P> <P>nat (inside,outside) static 80.248.12.189 service tcp 8080 8080</P> <P><BR />access-list outside-in extended permit IP any host 192.168.16.28</P> <P>access-group outside-in in interface outside</P> <P>&nbsp;</P> <P>I have another web server with similar config above which is working fine.</P> <P>&nbsp;</P> <P>Please help on this issue, i have tried different config to no avail</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:26:10 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337395#M969156 olumidekolawole1 2020-02-21T15:26:10Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337409#M969157 <P>Hi</P> <P>&nbsp;If you run a packet tracer what is the result?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Sun, 25 Feb 2018 15:57:40 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337409#M969157 Flavio Miranda 2018-02-25T15:57:40Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337443#M969158 <P>Here is the result of packet tracer</P> <P>&nbsp;</P> <P>JEE-LAG# packet-tracer input inside tcp 80.248.12.189 8080 192.168.16.28 8080</P> <P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P> <P>Phase: 2<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 192.168.16.0 255.255.255.0 inside</P> <P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group inside-out in interface inside<BR />access-list inside-out extended permit ip any any<BR />Additional Information:</P> <P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 6<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 7<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 8<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 6857867, packet dispatched to next module</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P> <P>JEE-LAG#</P> Sun, 25 Feb 2018 17:50:16 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337443#M969158 olumidekolawole1 2018-02-25T17:50:16Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337444#M969159 I have another web server using public IP 80.248.12.183 with similar config with this new one I am trying to create, also on port 8080. Is there any problem using port 8080 for another web server?<BR /> Sun, 25 Feb 2018 17:53:31 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337444#M969159 olumidekolawole1 2018-02-25T17:53:31Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337445#M969160 <P>Very sorry to border you.</P> <P>Since I am not with packet tracer command, I&nbsp;am sending you another one with the input being the internal address, thus the packet drop at the end of the result</P> <P>&nbsp;</P> <P>JEE-LAG# packet-tracer input inside tcp 192.168.16.28 8080 80.248.12.189 8080</P> <P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 80.248.12.128 255.255.255.192 outside</P> <P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group inside-out in interface inside<BR />access-list inside-out extended permit ip any any<BR />Additional Information:</P> <P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />object network HR<BR />nat (inside,outside) static 80.248.12.189 service tcp 8080 8080<BR />Additional Information:<BR />Static translate 192.168.16.28/8080 to 80.248.12.189/8080</P> <P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P> <P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (sp-security-failed) Slowpath security checks failed</P> <P>JEE-LAG#</P> Sun, 25 Feb 2018 18:01:57 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337445#M969160 olumidekolawole1 2018-02-25T18:01:57Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337449#M969161 <P>You can't.&nbsp; The firewall need to have different port externally in order to redirect correctly. Internally it is ok to have the same port.</P> <P>&nbsp;</P> <P>As per the Packet Tracer, everything looks ok in terms of config.</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Sun, 25 Feb 2018 18:16:18 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337449#M969161 Flavio Miranda 2018-02-25T18:16:18Z https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337472#M969241 <P>But his flow don't make sense. Why on earth you would like to start a connection from the real IP do the NAT IP.</P> <P>&nbsp;This would cause a hair pinning situation.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>-If I helped you somehow, please, rate it as useful.-</P> Sun, 25 Feb 2018 20:36:26 GMT https://community.cisco.com/t5/network-security/asa-nat-issue/m-p/3337472#M969241 Flavio Miranda 2018-02-25T20:36:26Z