5505 - NAT/PAT

Antonio Simoes
Level 1

Hi,

I have one HTTP server on my inside switchport responding on port 8888 and I want it to be accessible from the outside.

Server inside: 192.168.15.1:8888

Outside IP: xx.xx.xx.66:100

Can anyone tell me what I'm doing wrong, or not doing?

ASA Version 8.2(5)
!
hostname PGC-PRC-B1-FW1
domain-name none.pt
!
interface Ethernet0/0
switchport access vlan 20
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.254 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 70
ip address 192.168.70.254 255.255.255.0
!
interface Vlan20
nameif outside
security-level 0
ip address xx.xx.xx.66 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
domain-name none.pt
access-list outside_access_in extended permit tcp any host xx.xx.xx.66 eq 8888
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.15.0 255.255.255.0
static (inside,outside) tcp interface 8888 192.168.15.1 8888 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.65 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.15.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect rtsp
  inspect tftp
  inspect xdmcp
  inspect http
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
  inspect icmp
  inspect pptp
  inspect snmp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b2874c4515018df791845e3c57a2200
: end

K regards,

AS

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

I understood that your server is listening on port TCP/8888 and you want to map that port to TCP/100 on the ASA that would be visible to the external network?

In that case the Static PAT configuration should be

static (inside,outside) tcp interface 100 192.168.15.1 8888 netmask 255.255.255.255

And ACL

access-list outside_access_in extended permit tcp any host xx.xx.xx.66 eq 100

You could then test it with "packet-tracer"

packet-tracer input outside tcp 1.1.1.1 12345 x.x.x.66 100

This should tell if there are any problems with the configuration.

- Jouni
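To make the mismatch in the original post concrete, here is an added example (not part of the thread or of Cisco's tooling) that mimics the two checks packet-tracer would report for an inbound TCP packet on ASA 8.2: whether the outside ACL permits the destination and whether a static PAT translates it. On 8.2 (pre-8.3 NAT) the outside ACL must reference the mapped, untranslated address and port, which is why the ACL has to say `eq 100` when the static maps port 100. The public address 203.0.113.66 stands in for the redacted xx.xx.xx.66 and the two config snippets are constructed from the thread.

```python
import re

# Constructed from the thread: the OP's original lines versus Jouni's fix.
# 203.0.113.66 is a documentation address standing in for xx.xx.xx.66.
ORIGINAL_CFG = """
access-list outside_access_in extended permit tcp any host 203.0.113.66 eq 8888
static (inside,outside) tcp interface 8888 192.168.15.1 8888 netmask 255.255.255.255
"""
CORRECTED_CFG = """
access-list outside_access_in extended permit tcp any host 203.0.113.66 eq 100
static (inside,outside) tcp interface 100 192.168.15.1 8888 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) eq (\d+)")


def trace(cfg, outside_ip, dst_port, acl_name="outside_access_in"):
    """Model packet-tracer for a TCP packet arriving on 'outside' toward
    outside_ip:dst_port under ASA 8.2 semantics:
      - the ACL applied on outside is matched against the mapped address/port
      - a static PAT on (inside,outside) must translate that same port
    Returns which checks passed and the inside (ip, port) the packet would hit."""
    acl_hit = False
    xlate = None
    for line in cfg.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            if m.group(2) == outside_ip and int(m.group(3)) == dst_port:
                acl_hit = True
        m = STATIC_RE.match(line)
        if m and m.group(2) == "outside":
            # "interface" means the outside interface's own address (PAT on interface)
            mapped_ip = outside_ip if m.group(3) == "interface" else m.group(3)
            if mapped_ip == outside_ip and int(m.group(4)) == dst_port:
                xlate = (m.group(5), int(m.group(6)))
    return {"acl": acl_hit, "xlate": xlate, "allow": acl_hit and xlate is not None}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CFG), ("corrected", CORRECTED_CFG)):
        print(name, "-> port 100:", trace(cfg, "203.0.113.66", 100))
```

With the original config, port 100 is neither permitted nor translated (only 8888 is), so the packet is dropped exactly as the real packet-tracer would show; the corrected config passes both checks and lands on 192.168.15.1:8888.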


2 Replies

Man,

I build traps for myself all the time. I had Windows Firewall also active (because I use McAfee).

So, every test I did was always blocked. In packet-tracer CLI and ASDM everything was OK. But testing the services in reality didn't pass.

But now it's solved.

Thank you man, you are always saving my ass.

Best Regards,

AS
