07-14-2011 02:27 AM - edited 03-11-2019 01:58 PM
Hi,
I am trying to get an ASA with the new software 8.4.2 running.
On an old pix we had the nat command:
static (inside,outside) tcp interface www 192.168.15.252 www netmask 255.255.255.255 0 0
In all the new documents about 8.4.2 I can find that it should work with something like:
object network web_host
nat (inside,outside) static interface service tcp www www
I want to forward http traffic from the outside interface to this host. In the log I just get entries about blocking ACL - but both are allowed on the outside access-list - traffic to the inside IP and also to the outside interface IP.
I also tried it with "Public Server" - but when I try to use the Interface address I just get the message: Address x.x.x.x overlaps with outside interface address.
Is it still possible to do port forwarding on the outside interface?
Thx.
Klaus
07-14-2011 02:40 AM
Hi Klaus,
The nat that you have is not fine, in version 8.4, you do static port forwarding just the way mentioned below:
object service tcp_80
service tcp destination eq 80
object network web_host
host
nat (outside,inside) source static any any destination static interface web_host service tcp_80 tcp_80
also the access-list would be:
access-list outisde_access_in permit tcp any host
Please be aware that in 8.4 ACL, you use the real ip addresses of the machines, instead of public ip addresses.
Let me know if you have any further queries.
Thanks,
Varun
07-14-2011 03:41 AM
Hello,
thank you very much for your advice. The access on the outside interface and the forwarding to the inside host works fine.
But now the access from inside to outside (to the world wide web) is not working anymore. I had another nat rule enabled:
nat (inside,outside) source dynamic inside_all interface
That was for all the hosts in the object inside_all for internet access.
I tried to activate that rule again after your rule - with ASDM, but then I get a warning - "Users may not be able to access any service enabled on the outside interface" - is that the reason why it did not work? Are both possible?
Thank you very much.
Regards Klaus
----
Even though there was the warning, everything works - the port forwarding from the outside interface to the inside host and also the access from the inside host to the internet. Can I ignore the warning - I think there is a reason for it?
Regards Klaus
Message edited by Klaus Kraner
07-14-2011 04:02 AM
Hi Klaus,
There is always an issue with natting to the outside interface, because the port number 80 on the outside interface is used up by the server on the inside, but that should not hamper your internet access, because when a user on the inside accesses the internet, they would be patted to the outside interface of the firewall on any random port between 1200-65535, so you would not face an issue with the internet.
Which particular service are you not able to access on the internet? Can you paste your config for a detailed look at it?
Thanks,
Varun
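The complete 8.4 configuration that the solution post and the explanation above describe, combined into one listing as an added example that is not from the original thread: the inside web server address comes from Klaus's PIX command, while the inside subnet and the outside interface address are assumed values.

```cisco
! Added example consolidating the thread's 8.4 configuration; not from the original posts.
! 192.168.15.252 is the inside web server from the PIX line; the inside subnet
! 192.168.15.0/24 and the outside interface address 203.0.113.1 are assumed.
object network web_host
 host 192.168.15.252
object network inside_all
 subnet 192.168.15.0 255.255.255.0
object service tcp_80
 service tcp destination eq 80
!
! Manual (twice) NAT rules land in NAT section 1 and are matched in configured
! order, so the specific port forward is listed before the general dynamic PAT.
! Inbound: any -> outside interface IP, TCP/80  ==>  any -> 192.168.15.252, TCP/80
nat (outside,inside) source static any any destination static interface web_host service tcp_80 tcp_80
! Outbound: inside hosts are PATed to the outside interface address on ephemeral
! source ports, so they do not collide with TCP/80 claimed by the forward rule.
! This is the rule that triggers the ASDM "services enabled on the outside
! interface" warning.
nat (inside,outside) source dynamic inside_all interface
!
! Since 8.3 the interface ACL matches the REAL (untranslated) destination,
! i.e. the inside host, not the outside interface address.
access-list outside_access_in extended permit tcp any object web_host eq 80
access-group outside_access_in in interface outside
!
! Checks (constructed outside client 198.51.100.7:40000 hitting the forward):
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 80
! show nat detail
! show xlate
```

The packet-tracer line should show the NAT phase selecting the manual rule and the ACL phase permitting on the real address; an ACL hit on the interface address instead points to a pre-8.3 style ACL.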
07-14-2011 07:40 AM
Hello Varun,
everything works fine. I was just confused by the message/warning but when it does not influence the internet connectivity it's okay for me.
I tried to configure the ASA with the CLI Reference from Cisco and the nat command you used above is not in this CLI-Reference or Configuration Guide - maybe Cisco can update it.
Thank you very much once again for your help.
Regards Klaus
07-14-2011 07:43 AM
Hi Klaus,
That's great..... Let me know if you need any help.
-Varun