How to enable access from outside to inside network to SQL server?

hyvonto
Level 1

Hi,

I am having a problem getting access from the outside network to the inside network to work. I have made the NAT rules etc. already and given permission, and tried using TCP and UDP ports. Inside the network everything is working. I have tried ports 1433 and 3838; both are working inside. What I have done is use that single port 3838 with TCP and UDP, and with TCP only.

Has somebody done this? If you could help or give the correct command to do it right and get it working.

The config would be: 192.168.13.100 is the SQL server, and ports 1433 and 3838 are in use in the SQL configuration and working inside the network.

Public address xx.xx.xx.42.

Firewall is an ASA.

I would need to get this working ASAP.

Hopefully somebody can help with this.

12 Replies

Without seeing your configuration we cannot tell you what is wrong with it. Your NAT and access-list rules might be correct, but there may be another NAT rule which is being hit. But here is an example of how it would be done.

object network REAL-IP
 host 10.10.10.10
object network NAT-IP
 host 20.20.20.10
nat (inside,outside) source static REAL-IP NAT-IP service tcp 1433 1433

access-list outside-in extended permit tcp any host 10.10.10.10 eq 1433
access-group in interface outside

--
Please remember to select a correct answer and rate helpful posts

Hi, I got the following error message, in the attached files.

I checked the running config:

ASA Version 9.5(1)

access-list WAN-in extended permit tcp any host (inside ip) eq 1433
access-list outside-in extended permit tcp any host (inside ip) eq 1433
access-list wan-in extended permit tcp any host (inside ip) eq 1433

How can I delete these access lists from the config?

object network CSI-LAN
 host (inside ip)
object network CSI-WAN
 host (public ip)

interface GigabitEthernet0/0
 nameif WAN
interface GigabitEthernet0/1
 nameif LAN

This kind of thing already exists; should the access list be of this kind?

access-list WAN_access_in extended permit tcp any object SECUREMAIL eq https

To remove access list entries from the configuration in ASDM, just find the rule, select it and click Delete at the top of the ASDM page (or right-click the rule and select Delete).

The access-group command failed because I forgot to include the name of the ACL in the command. But if you already have an access-list in place, you do not need this command. You would just need to amend the access-list entry so it references the correct access-list.

The NAT statement failed as there is a syntax error in it. You need to create a service object and refer to that for the service. But it is better to do this through ASDM if you are not very comfortable with the CLI.

--
Please remember to select a correct answer and rate helpful posts

Hi,

Would somebody be kind enough to send the commands to get this working?

Now I will try with a new ASA to get this working.

ASA Inside: 192.168.1.1
ASA Outside: 84.50.160.82 (not the real address).
SQL Server: 192.168.1.106 (gw 192.168.1.1)

SQL port 1433
The SQL client would connect to 84.50.160.82.

Current config (only the IPs added):
ASA Version 9.6(1)
!
hostname ciscoasa
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 84.50.160.82 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 84.50.160.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.20 inside
!
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d3557ef79fa29ea436850fa22156771e
: end

Remove this NAT statement first:

object network obj_any
 no nat (any,outside) dynamic interface

Then configure this (remember to replace the IPs with the real IPs; you can also change the object names if you like):

object network SQL_SERVER
 host 192.168.1.10
object network SQL_PUBLIC
 host 1.2.3.4
object service TCP_SQL
 service tcp source eq 1433
nat (inside,outside) source static SQL_SERVER SQL_PUBLIC service TCP_SQL

access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 1433
access-group outside_access_in in interface outside

 

 

--
Please remember to select a correct answer and rate helpful posts

This IP 1.2.3.4 is a public address.

In this configuration the ISP is giving only one IP, which is assigned to the outside interface. In the config, would this 1.2.3.4 be changed to 84.50.160.82?

Then in the above configuration just replace SQL_PUBLIC with the keyword interface, and replace the IP address in the SQL_SERVER object with the required IP.

--
Please remember to select a correct answer and rate helpful posts

So the configuration is then:

Remove this NAT statement first:

object network obj_any
 no nat (any,outside) dynamic interface

Then configure this (remember to replace the IPs with the real IPs; you can also change the object names if you like):

object network SQL_SERVER
 host 192.168.1.106
object service TCP_SQL
 service tcp source eq 1433
nat (inside,outside) source static SQL_SERVER interface service TCP_SQL

access-list outside_access_in extended permit tcp any host 192.168.1.106 eq 1433
access-group outside_access_in in interface outside

Is this correct then?

Just an explanation on removing the dynamic NAT. You have two dynamic NATs, one in Auto NAT and the other in after-auto, so to keep the configuration tidy I suggest removing the dynamic NAT in the Auto NAT section.

Other than that, yes, this configuration looks correct.

--
Please remember to select a correct answer and rate helpful posts

Hopefully the last one:

nat (inside,outside) source static SQL_SERVER interface service TCP_SQL
ERROR: % Incomplete command

Just an FYI: you can use "?" (without quotes) in the CLI to see what is missing at the end of the command.

You might need to add another TCP_SQL at the end:

nat (inside,outside) source static SQL_SERVER interface service TCP_SQL TCP_SQL

--
Please remember to select a correct answer and rate helpful posts
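The complete configuration for the second (ASA 9.6) setup, assembled as an added example rather than taken from any post in this thread, with the NAT line in the two-object form that parses and with the verification commands a practitioner would run afterwards. 192.168.1.106, 84.50.160.82, port 1433 and the object names come from the thread; 203.0.113.10 is an assumed address for the SQL client, used here to restrict the inbound ACL instead of permitting any source.

```cisco
! Added example, not from the thread. Values assumed: client 203.0.113.10.

! 1. Remove the duplicate dynamic PAT from the Auto NAT section. The
!    "nat (inside,outside) after-auto source dynamic any interface" line in
!    the running config stays and keeps outbound PAT working.
object network obj_any
 no nat (any,outside) dynamic interface

! 2. Real server and service objects. Manual NAT needs a service object;
!    the port is written as the *source* port because it is the server's own
!    port as seen on the real (inside) side of the translation.
object network SQL_SERVER
 host 192.168.1.106
object service TCP_SQL
 service tcp source eq 1433

! 3. Manual (twice) NAT: 192.168.1.106:1433 <-> outside interface address:1433.
!    "service" takes two objects, real then mapped; omitting the second one is
!    what produced "% Incomplete command" in the thread.
nat (inside,outside) source static SQL_SERVER interface service TCP_SQL TCP_SQL

! 4. Inbound ACL. On ASA 8.3+ the ACL matches the real (untranslated) address.
!    The source is limited to the known client (assumed 203.0.113.10) rather
!    than "any": a SQL Server port open to the whole Internet is scanned and
!    password-sprayed continuously, so scope it to the addresses that need it.
object network SQL_CLIENT
 host 203.0.113.10
access-list outside_access_in extended permit tcp object SQL_CLIENT object SQL_SERVER eq 1433
access-group outside_access_in in interface outside

! 5. Verify without a client: simulate the client's SYN arriving on the outside
!    interface and confirm both the NAT (UN-NAT) and ACCESS-LIST phases report ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 84.50.160.82 1433
! Confirm the static rule is in NAT section 1, ahead of the after-auto PAT, and
! that it shows translate hits once a client has connected.
show nat detail
show xlate
! Live connections to the server and any denied attempts logged for that port.
show conn address 192.168.1.106 port 1433
show logging | include 1433
```

If packet-tracer shows the flow dropped in the ACCESS-LIST phase, the rule is on the wrong interface or uses the mapped address instead of the real one; if it drops in the NAT phase with no UN-NAT line, the static rule is not being matched and `show nat detail` will show which earlier rule is catching the traffic.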