10-04-2013 12:43 AM - edited 03-11-2019 07:47 PM
Hi,
I have a NAT problem with a setup on Ver 9.1(1).
object network outside-net
 host 10.50.10.10
object network inside-net
 host 192.168.1.10
 nat (inside,outside) dynamic interface
object network www
 host 192.168.1.10
 nat (inside,outside) static outside-net service tcp 80 80
access-list acl-in permit ip any any
access-list acl-out permit ip any any
access-group acl-in in interface outside
access-group acl-out out interface inside
I can access the internet from the inside LAN,
but the web server can't be accessed from the internet.
The problem exists in ver 9.1(1), but not in ver 8.4.
Please kindly help.
Thanks
Paul
10-04-2013 06:46 AM
Hi All,
Actually, I only want a simple configuration:
inside network = 192.168.1.0/24
outside network = 10.50.10.0/27
Everything on the inside can access the internet,
and we only have one web server inside = 192.168.1.10.
This can be done in ver 8.x but not in 9.1(1).
Please help.
10-05-2013 07:38 PM
Hello Mw,
So here is the thing.
Let's say the internal server will be 4.2.2.2 on the outside, OK?
nat (inside,outside) after-auto source dynamic any interface
object network Internal-Server
 host 192.168.1.10
object network Outside-Server
 host 4.2.2.2
nat (inside,outside) source static Internal-Server Outside-Server
access-list out-in permit tcp any host 192.168.1.10 eq 80
access-group out-in in interface outside
That's it, a configuration from scratch for free. Now remember to always rate the helpful posts hehe
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-06-2013 03:39 AM
Hi Julio,
Thanks for your reply. I'll try tomorrow and reply.
Thanks again
mw
10-06-2013 06:34 PM
Hi,
It does not work.
Below is my config.
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.50.10.215 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj-172.16.20.21
 host 172.16.20.21
object network obj-10.50.10.217
 host 10.50.10.217
access-list acl-in extended permit udp any object obj-172.25.20.21
access-list acl-in extended permit tcp any host 172.25.20.21 eq www
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217
!
nat (inside,outside) after-auto source dynamic any interface
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.50.10.193 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:d829d2da705abcd074c24febefa1b369
: end
Please help.
mw
10-05-2013 09:03 AM
10-06-2013 03:40 AM
Hi Paolo,
Thanks.
But where is the action panel?
mw
10-06-2013 11:37 PM
Hi mw,
nat (inside,outside) source static obj-172.25.20.21 obj-210.3.166.217 is wrong; no "obj-210.3.166.217" is seen in your posted configuration.
Follow what jcarvaja mentioned to configure the static NAT rule; it should work.
10-07-2013 02:28 AM
Thanks for your reply, Xie.
The obj-210.3.166.217 should be replaced by object network obj-10.50.10.217,
so that rule also has a correct object.
But it still does not work...
The same config works in ver 8.x.
Thanks
mw.
10-07-2013 04:05 PM
10-07-2013 08:50 PM
Hi,
Thanks for your reply.
However, I can get out to the internet from inside by applying the following config:
ciscoasa(config)# sh run object
object network obj-172.16.20.21
 host 172.16.20.21
object network obj-10.50.10.216
 host 10.50.10.216
ciscoasa(config)# sh run nat
nat (outside,inside) source static obj-10.50.10.216 obj-172.16.20.21
!
nat (inside,outside) after-auto source dynamic any interface
ciscoasa(config)# sh run access-list
access-list outside_access_in extended permit icmp any object obj-10.50.10.216
access-list outside_access_in extended permit tcp any host 172.16.20.21 eq www
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
ciscoasa(config)# sh run access-group
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
But I still can't access the web server of the object obj-172.26.20.21.
I read a post in the forum before; I also issued the command "sysopt noproxyarp outside", but also in vain.
Please help.
mw.
One more thing. I ran packet-tracer: there is no problem from inside to outside, but it fails from outside to inside at the NAT rules step...
10-08-2013 12:33 AM
Config looks fine. Let me ask: are you trying to access the website from your inside network using a web browser?
10-08-2013 02:58 AM
Thanks for your reply.
Yes, I can access it through the browser, and I can ping the domain too, e.g. ping www.yahoo.com...
10-08-2013 03:57 AM
Hi Lam,
Found this in your configuration:
"no arp permit-nonconnected"
Try removing this with
"arp permit-nonconnected"
Let me know if it worked...
Cheers,
Naveen
10-08-2013 06:38 AM
Alright, will try and let you know ASAP.
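Added example (not a post from this thread and not any participant's config): a complete ASA 9.1 configuration for the topology described above (inside 172.16.20.0/24, outside 10.50.10.192/27 with gateway 10.50.10.193, web server 172.16.20.21 to be published on 10.50.10.217), in the twice-NAT form Julio suggested, followed by the CLI checks that show where an inbound connection is dropped. The object names WEB-REAL / WEB-MAPPED, the ACL name OUTSIDE-IN and the client address 203.0.113.5 are chosen for this example. The rule that bites people moving from 8.2 to 8.3+ (and so to 9.1) is that the ACL on the outside interface is evaluated after un-NAT, so it must permit traffic to the real address 172.16.20.21, not to the mapped 10.50.10.217; packet-tracer against the mapped address shows that ordering phase by phase.

```cisco
! Added example for this thread, not any poster's config. Assumed names:
! objects WEB-REAL / WEB-MAPPED and ACL OUTSIDE-IN are chosen for illustration.
!
! Topology as described in the thread:
!   inside  Gi0/1 172.16.20.1/24,  web server 172.16.20.21
!   outside Gi0/0 10.50.10.215/27, default gateway 10.50.10.193
!   public address for the server: 10.50.10.217 (inside the outside /27)
!
! --- 1. Objects: real (inside) and mapped (outside) addresses ---
object network WEB-REAL
 host 172.16.20.21
object network WEB-MAPPED
 host 10.50.10.217
!
! --- 2. Static one-to-one NAT, twice-NAT form (section 1 of the NAT table) ---
! Bidirectional: outbound 172.16.20.21 -> 10.50.10.217 and inbound
! 10.50.10.217 -> 172.16.20.21. Real object first, mapped object second.
nat (inside,outside) source static WEB-REAL WEB-MAPPED
!
! Equivalent object-NAT form (section 2), the per-object style of the first post:
!   object network WEB-REAL
!    nat (inside,outside) static 10.50.10.217
! Use one form or the other, not both.
!
! --- 3. Outbound PAT for everyone else, after object NAT (section 3) ---
nat (inside,outside) after-auto source dynamic any interface
!
! --- 4. Inbound ACL on the outside interface ---
! Since 8.3 the ASA un-NATs first and then checks the ACL, so the ACL must
! name the REAL address (172.16.20.21 / WEB-REAL), not 10.50.10.217.
access-list OUTSIDE-IN extended permit tcp any object WEB-REAL eq www
access-group OUTSIDE-IN in interface outside
!
! --- 5. ARP: keep the defaults ---
! The ASA proxy-ARPs for 10.50.10.217 on outside so that 10.50.10.193 can
! deliver to it. "sysopt noproxyarp outside" would stop that; do not set it.
! "arp permit-nonconnected" is not needed here: 10.50.10.217 is in the
! outside interface's own /27.
!
! --- 6. Verify from the CLI (203.0.113.5 is a documentation address standing
!        in for an Internet client) ---
packet-tracer input outside tcp 203.0.113.5 40000 10.50.10.217 80
!   Expected: an UN-NAT phase "Untranslate 10.50.10.217/80 to 172.16.20.21/80",
!   then an ACCESS-LIST phase with Result: ALLOW, and a final "Action: allow".
!   If the trace stops at the NAT or ACCESS-LIST phase, the rule it reports
!   is the one to fix (typically an ACL written against the mapped address).
show nat detail
!   The static rule must appear in section 1 (or 2 for object NAT); its
!   untranslate_hits counter increments on each inbound attempt.
show xlate
!   Expected entry: NAT from inside:172.16.20.21 to outside:10.50.10.217 flags s
show access-list OUTSIDE-IN
!   hitcnt on the permit line increments when inbound packets match it.
show asp drop
!   A growing "acl-drop" counter means the ACL, not NAT, is rejecting the flow.
```

Run the packet-tracer line first: it exercises the NAT table and the ACL in the order the ASA applies them, and names the phase that drops the packet, which is the quickest way to tell a NAT-ordering mistake from an ACL written against the wrong address.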