Cisco ASA 5508x Trouble with NAT rules

tgillingham1991
Level 1

Hello All

I recently configured a Cisco ASA 5508-X firewall at my workplace but can't work out an issue I'm having with the NAT rules.

We have a couple of external IP addresses which I want to NAT to a couple of internal servers depending on the service. 

For example, the way I currently have this set up is (with different IPs):


object network Host_LDS-SV05_HTTP
nat (any,any) static IP_187-**-**-54 service tcp www www 


object network Host_LDS-SV05_SMTP
nat (any,any) static 187.**.**.51 service tcp smtp smtp 


object network Host_LDS-SV05_SSTP
nat (any,any) static IP_187-**-**-55 service tcp https https 


I've then created an access rule which allows outside traffic in to the network object Host_LDS-SV05 as long as the service is in the service group Host_LDS-SV05_Services_Allowed.

This doesn't work though. Is this the best way to do this? Any help will be much appreciated as I'm currently going round in circles. I've added a couple of screenshots of the access lists and NAT rules. Is there something obvious I'm missing?


General internet traffic is working fine using the NAT rule:

nat (inside,outside) after-auto source dynamic any interface


Many Thanks

Tristan

2 Replies

Ajay Saini
Level 7

Hello,


Can you please attach a packet-tracer output:


packet-tracer input outside tcp 4.2.2.2 3344 <public ip> <port> det


Also, make sure you have access-group configured.

Some syslogs would also help troubleshoot the issue.


HTH

AJ

Hi AJ

So this morning I ran the packet-tracer.

The results are a little confusing to me.

I've attached screenshots of the outputs. I had a look through the access lists and SMTP is allowed to host lds-sv10. I added a new rule above the current access group to test and the packet trace ran fine without giving any errors, but I was still unable to access the site.

Am I missing something on why the access groups wouldn't allow SMTP through? Do you have to set up a separate rule for each object NAT, or can you just create a new object for the internal IP address just to do the access-group?

Also, is there anything which could be stopping access to the website other than a wrongly configured NAT or access rule, as, like I say, the packet tracer ran fine after I added the separate rule but still wouldn't connect to the site...

Cheers in advance,
Tristan
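A minimal ASA configuration that pairs each per-service object NAT with the inbound access rule it needs, added here as an illustration and not taken from the original post. The internal address 10.0.0.5, the public addresses 203.0.113.x and the ACL name outside_access_in are placeholders; it also narrows the original nat (any,any) to (inside,outside). It shows the two points the thread turns on: on ASA 8.3 and later the inbound ACL references the real (untranslated) internal address, and the ACL is not evaluated until it is bound to the outside interface with access-group.

```cisco
! Internal server by its real, untranslated address (placeholder 10.0.0.5)
object network LDS-SV05
 host 10.0.0.5

! Public addresses used as mapped addresses (placeholders)
object network IP_203-0-113-54
 host 203.0.113.54
object network IP_203-0-113-55
 host 203.0.113.55

! One object per published service; each carries its own static NAT
! and all of them point at the same real host.
object network Host_LDS-SV05_HTTP
 host 10.0.0.5
 nat (inside,outside) static IP_203-0-113-54 service tcp www www
object network Host_LDS-SV05_SMTP
 host 10.0.0.5
 nat (inside,outside) static 203.0.113.51 service tcp smtp smtp
object network Host_LDS-SV05_SSTP
 host 10.0.0.5
 nat (inside,outside) static IP_203-0-113-55 service tcp https https

! Only the published services are allowed in from outside
object-group service Host_LDS-SV05_Services_Allowed tcp
 port-object eq www
 port-object eq smtp
 port-object eq https

! Inbound rule: the destination is the REAL address (object LDS-SV05),
! not the public one. Everything else inbound falls to the implicit deny.
access-list outside_access_in extended permit tcp any object LDS-SV05 object-group Host_LDS-SV05_Services_Allowed

! Without this line the ACL exists but is never applied to any traffic.
access-group outside_access_in in interface outside

! Verify: simulate an outside client to the public HTTP address.
! The NAT phase should show the untranslate to 10.0.0.5 and the
! ACCESS-LIST phase should report ALLOW.
packet-tracer input outside tcp 198.51.100.10 3344 203.0.113.54 80 detailed
```

packet-tracer only proves that NAT and the ACL admit the flow on the firewall; if it reports ALLOW and the service still does not answer, the remaining suspects are on the server side (service not listening on that port, a host firewall, or a default gateway that does not route the reply back through the ASA).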
