04-13-2016 12:04 AM - edited 03-12-2019 12:36 AM
Hello,
My device Cisco ASA 5510, ASA 8.4(2), ASDM 6.4(5)206
What I try to achieve.
1) Host 10.10.11.108 listening port 8080
2) Trying to access it from WAN e.g port 8090
I tried following commands:
object network 10.10.11.108_8080
 host 10.10.11.108
 nat (LAN1,WAN) static interface service tcp 8080 8090
access-list WAN_access_in line 11 extended permit tcp any object 10.10.11.108_8080 eq 8080
access-group WAN_access_in in interface WAN
But I don't get access. Can someone help me to solve this case?
04-20-2016 12:01 AM
Hi,
Please use the following command:
object service tcp-8090
 service
object service tcp-8080
 service tcp destination eq 8080
nat (inside,outside) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090
Regards,
Aditya
04-20-2016 12:20 AM
Okay, these commands were successful. Right now I can not access my service by port 8090. Do I need to configure Access Rule also?
04-20-2016 12:25 AM
Hi,
Use a
packet-tracer input
Regards,
Aditya
04-20-2016 12:31 AM
04-20-2016 12:34 AM
Hi,
Please try opening the ACL on the WAN interface for the traffic.
Regards,
Aditya
04-20-2016 12:43 AM
Not sure which service to add, so added both. Packet tracer results are the same.
04-21-2016 09:48 AM
Actually, Aditya provided wrong object group config for the 8090 group.
object service tcp-8090
 service tcp source eq 8090
This should be service "tcp destination eq 8090".
Try changing this and then test again.
--
Please remember to select a correct answer and rate helpful posts
04-21-2016 11:37 PM
Hello,
Deleted all previous and added new with these commands:
object service tcp-8090
 service tcp destination eq 8090
object service tcp-8080
 service tcp destination eq 8080
nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090
Packet Tracer results are the same:
04-22-2016 12:06 AM
The NAT now looks to be correct. Could you post a full running config, please? Remove any usernames, passwords and public IPs.
04-22-2016 12:57 AM
Here was running conf.
04-22-2016 12:57 AM
Your access list should have a destination port of 8080, not 8090.
access-list WAN_access_in extended permit object tcp-8090 any object 10.10.11.108_8080
04-22-2016 01:18 AM
Here was running conf.
04-22-2016 01:18 AM
Try changing the ACL entry to:
access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080
04-22-2016 03:44 AM
Hello,
Changed to your recommendations. No change. I have read many forums and threads, but still no help.
04-22-2016 04:45 AM
Could you run the packet-tracer in CLI and paste the full output here please.
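Added example, not written by any poster in this thread: on ASA 8.3 and later, an interface ACL is matched against the real (post-un-NAT) address and port, which is why the replies steer the ACL entry toward port 8080 rather than 8090. The Python check below assumes the object-NAT form from the first post; the function names are hypothetical and the sample config is constructed from the commands quoted above.

```python
import re

# Constructed sample, modelled on the object-NAT commands in the first post.
SAMPLE_CONFIG = """\
object network 10.10.11.108_8080
 host 10.10.11.108
 nat (LAN1,WAN) static interface service tcp 8080 8090
access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080
access-group WAN_access_in in interface WAN
"""

NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) static interface service (tcp|udp) (\d+) (\d+)$")
ACL_RE = re.compile(r"access-list (\S+) (?:line \d+ )?extended permit (tcp|udp) any object (\S+) eq (\d+)$")

def parse_port_forwards(config):
    """Map object name -> (mapped_if, proto, real_port, mapped_port) for object NAT."""
    forwards, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command leaves object sub-mode
            m = re.match(r"object network (\S+)$", line)
            current = m.group(1) if m else None
        elif current and (m := NAT_RE.match(line.strip())):
            forwards[current] = (m.group(2), m.group(3), int(m.group(4)), int(m.group(5)))
    return forwards

def check_acl(config):
    """Return [(object, verdict)], judging each ACL entry against the real port."""
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)$", config, re.M))
    results = []
    for name, (mapped_if, proto, real_port, mapped_port) in parse_port_forwards(config).items():
        verdict = "no permit entry references this object"
        for line in config.splitlines():
            m = ACL_RE.match(line)
            if not m or m.group(2) != proto or m.group(3) != name:
                continue
            if bound.get(m.group(1)) != mapped_if:
                verdict = f"ACL {m.group(1)} is not applied inbound on {mapped_if}"
            elif int(m.group(4)) == real_port:
                verdict = "ok"
                break
            elif int(m.group(4)) == mapped_port:
                verdict = f"ACL permits mapped port {mapped_port}; expected real port {real_port}"
            else:
                verdict = f"ACL port {m.group(4)} matches neither real nor mapped port"
        results.append((name, verdict))
    return results

if __name__ == "__main__":
    for name, verdict in check_acl(SAMPLE_CONFIG):
        print(name, "->", verdict)
```

The check only understands the `static interface service` object-NAT line and `permit ... any object NAME eq PORT` ACL entries; the manual (twice) NAT variant discussed later in the thread is not parsed.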