01-30-2019 12:33 PM - edited 02-21-2020 08:43 AM
I have an old cisco pix 515 v8.0(4) that I want to swap out with an asa 5510 v9.1(5) device. But I think I'm having problems getting either the ACL or the NAT to work, and I'm trying to understand this conversion better, because I'm doing something wrong.
For example.
I have an IP that will go to a web server behind the firewall.
Outside IP Example: 1.2.3.4
Ports: 80 & 443
Inside server IP example: 4.3.2.1
Name: Server03
On the pix the config looks like:
name 4.3.2.1 Server03
access-list Outside_access_in remark Server03 WebsiteHTTP
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list Outside_access_in remark Server03 3rd WebsiteHTTPS
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq https
static (inside,Outside) tcp 1.2.3.4 www Server03 www netmask 255.255.255.255
static (inside,Outside) tcp 1.2.3.4 https Server03 https netmask 255.255.255.255
What should this look like for the ASA 5510 V9.1?
01-30-2019 03:43 PM
If this is a spare public IP you have, then:
!
object-group service TCP_PORT
service-object tcp source eq 80
service-object tcp source eq 443
!
object network INSIDE-SERVER03
host 4.3.2.1
nat (inside,outside) source static 1.2.3.4
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
-------------------------------------------------------------------
AND if you are using the ASA outside interface to map the inside server
object network INSIDE-SERVER03
host 4.3.2.1
!
nat (inside,outside) source static INSIDE-SERVER03 interface
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
01-31-2019 07:56 AM
Yes we have several IP addresses that we use.
When I run this
!
object-group service TCP_PORT
service-object tcp source eq 80
service-object tcp source eq 443
!
object network INSIDE-SERVER03
host 4.3.2.1
nat (inside,outside) source static 1.2.3.4
!
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
I get:
Result of the command: "object network INSIDE-SERVER03"
The command has been sent to the device
Result of the command: "host 4.3.2.1"
The command has been sent to the device
Result of the command: "nat (inside,outside) source static 1.2.3.4"
nat (inside,outside) source static 1.2.3.4
ERROR: % Incomplete command
Result of the command: "access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03"
access-list OUT-IN exten permit object-group TCP_PORT any INSIDE-SERVER03
^
ERROR: % Invalid input detected at '^' marker.
02-01-2019 11:05 AM - edited 02-01-2019 11:08 AM
try this and sorry for the late reply
!
object-group protocol TCP
protocol-object tcp
!
object network INSIDE-SERVER03
host 4.3.2.1
nat (inside,outside) static 1.2.3.4
!
access-list OUT-IN exten permit object-group TCP any object INSIDE-SERVER03 eq 80
access-list OUT-IN exten permit object-group TCP any object INSIDE-SERVER03 eq 443
access-group OUT-IN in interface outside
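As an added illustration (not from this thread or from Cisco), here is a small Python converter for the PIX 8.0 `name`/`static`/`access-list` pattern in the question into the ASA 9.x form used in the last reply: one network object per real host carrying the static NAT, and an ACL whose destination is the real (pre-NAT) host rather than the mapped address. It assumes the `name` lines come before the statics, lowercases the PIX interface names to match the `inside`/`outside` nameifs, and, like the reply above, uses a whole-address static and lets the ACL restrict the ports.

```python
import re

# Constructed sample input: the PIX 8.0(4) snippet from the question,
# with the two static commands on separate lines.
PIX_CONFIG = """\
name 4.3.2.1 Server03
access-list Outside_access_in remark Server03 WebsiteHTTP
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq https
static (inside,Outside) tcp 1.2.3.4 www Server03 www netmask 255.255.255.255
static (inside,Outside) tcp 1.2.3.4 https Server03 https netmask 255.255.255.255
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)$")

def port_number(token):
    """Resolve a PIX port keyword (www, https) or a plain number to an int."""
    return PORT_NAMES.get(token.lower()) or int(token)

def pix_to_asa(pix_text, acl_name="OUT-IN"):
    """Return ASA 9.x config lines for the PIX static-NAT + ACL pattern."""
    names, statics, acl_rules = {}, {}, []
    for line in (l.strip() for l in pix_text.splitlines()):
        if line.startswith("name "):            # 'name <ip> <label>' (assumed to precede statics)
            _, ip, label = line.split()
            names[label] = ip
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, proto, mip, mport, rhost, rport = m.groups()
            statics[(mip, proto, port_number(mport))] = (
                names.get(rhost, rhost), real_if.lower(), mapped_if.lower(), port_number(rport))
        elif m := ACL_RE.match(line):           # remark lines simply do not match
            acl_rules.append((m.group(1), m.group(2), port_number(m.group(3))))
    objects = {}   # real ip -> (object name, real_if, mapped_if, mapped ip)
    for (mip, _proto, _mport), (rip, real_if, mapped_if, _rport) in statics.items():
        oname = next((n for n, ip in names.items() if ip == rip), "HOST-" + rip.replace(".", "-"))
        objects.setdefault(rip, (oname, real_if, mapped_if, mip))
    lines, outside_if = [], None
    for rip, (oname, real_if, mapped_if, mip) in objects.items():
        lines += [f"object network {oname}", f" host {rip}", f" nat ({real_if},{mapped_if}) static {mip}"]
    for proto, mip, mport in acl_rules:
        if (mip, proto, mport) not in statics:  # ACL permits a port no static maps: flag it
            raise ValueError(f"no static for {proto} {mip} port {mport}")
        rip, _real_if, outside_if, rport = statics[(mip, proto, mport)]
        # ASA 8.3+ ACLs reference the real host and real port, not the mapped address
        lines.append(f"access-list {acl_name} extended permit {proto} any object {objects[rip][0]} eq {rport}")
    if outside_if:
        lines.append(f"access-group {acl_name} in interface {outside_if}")
    return lines
```

A port-only static (where the ASA should translate just 80 and 443) would instead need one object per port with the `service` keyword on the `nat` line, which this converter does not generate.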