09-24-2014 05:06 AM - edited 03-11-2019 09:49 PM
Hello, I kindly need advice.
I've configured NAT rules as follows:
object network HWebServer
 host 10.43.1.11
 description OutsideWebserver
object network HWebServer
 nat (inside,outside) static interface service tcp 80 8087
Then I set access rules to allow port 8087 on the outside interface.
But still, I cannot open 10.43.1.11:8087 from the Internet side.
What can be done to solve this?
Thanks in advance
Komil
09-24-2014 05:14 AM
Hi,
The NAT configuration is fine, but the problem is with the ACL you have configured.
Since Cisco introduced the new NAT configuration format in ASA software version 8.3 (and above), you always have to allow traffic to the real IP address and also to the real port.
Your problem seems to be that you have allowed traffic to the mapped port TCP/8087 and not the real port TCP/80.
So make a rule that allows port TCP/80 from the external network and then try again.
The reason you need to allow connections to the real IP address and real port is that the ASA first does the UN-NAT for the destination address and port, and only after that checks the interface ACL. Since the UN-NAT has already been done, the destination at that point is the real IP and the destination port is the real port.
Hope this helps :)
- Jouni
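The fix described in the answer above, written out as ASA configuration. This is an added example, not part of the original thread: the ACL name OUTSIDE-IN, the form of the non-matching rule, and the addresses 198.51.100.1 (standing in for the outside interface) and 203.0.113.10 (an Internet client) are assumptions.

```cisco
! Constructed example. OUTSIDE-IN is a hypothetical ACL name; 198.51.100.1 stands in
! for the outside interface address and 203.0.113.10 for an Internet client.

! NAT from the question, unchanged: real 10.43.1.11:80 <-> outside interface:8087
object network HWebServer
 host 10.43.1.11
 nat (inside,outside) static interface service tcp 80 8087

! Does NOT match (assumed form of the original rule): the interface ACL is checked
! after UN-NAT, when the destination is already 10.43.1.11 port 80, not port 8087.
! access-list OUTSIDE-IN extended permit tcp any any eq 8087

! Matches: real IP (through the object) and real port. Scoping the rule to the
! object keeps TCP/80 closed toward every other inside host.
access-list OUTSIDE-IN extended permit tcp any object HWebServer eq 80
access-group OUTSIDE-IN in interface outside

! Verify without a live client: simulate a SYN to the mapped address and port.
! Expect an UN-NAT phase rewriting the destination to 10.43.1.11/80,
! followed by an ACCESS-LIST phase with result ALLOW.
packet-tracer input outside tcp 203.0.113.10 12345 198.51.100.1 8087
```

If an ACL is already applied inbound on the outside interface, add the permit line to that ACL instead, since an interface takes only one ACL per direction.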
09-24-2014 05:19 AM
Hi,
Can you share your access-list with me? Have you defined the real IP address 10.43.1.11 in your access-list for service port 80?
HTH
Sandy