ASA 5505, one public IP only, public server

Junnan Wu
Level 1

Hi,

I'm trying to open a www service to the public. The topology is quite simple: I have only one public IP, and the ASA configuration is as below.

object network LAN_subnet
 subnet 192.168.2.0 255.255.255.0
object network www_server
 ! real IP of internal www server
 host 192.168.2.100
object network LAN_subnet
 ! to enable internal users to access internet
 nat (inside,outside) dynamic interface
object network www_server
 ! static NAT with service port 80
 nat (inside,outside) static interface service tcp www www
access-list public_to_server extended permit tcp any object www_server eq www
! to allow the public to access internal www server
access-group public_to_server in interface outside

I'm not able to access the http server externally, but I can see the "show nat" untranslate_hits is increasing. Anything I'm missing here?

2 Replies

Dennis Mink
VIP Alumni

Your access-list public_to_server is wrong; users are hitting your firewall on port 80 on the public IP address, not the internal/real IP address.

Please rate if useful

Hi Dennis, thanks for the reply.

That should not be an issue; the traffic should be translated first before hitting the ACL, so the internal server should be used.

Actually I did a test in a lab environment using ASA 8.42, and it works perfectly. The configuration is almost the same. The production env is using ASA 9.x; is that probably the cause?
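
Added example, not part of the thread and not Cisco code: a small Python model of the inbound path on ASA 8.3 and later, where the destination is untranslated before the outside ACL is evaluated, run against the configuration posted above. `OUTSIDE_IP` is a constructed placeholder (the post gives no public IP), and the second ACL variant, written against the mapped address, is constructed for comparison.

```python
# Toy model of the ASA 8.3+ inbound path: UN-NAT first, then the interface ACL.
PORTS = {"www": 80}
OUTSIDE_IP = "203.0.113.10"  # constructed placeholder; the post gives no public IP

# Configuration lines from the post, inline annotations removed.
POSTED = """\
object network www_server
 host 192.168.2.100
object network www_server
 nat (inside,outside) static interface service tcp www www
access-list public_to_server extended permit tcp any object www_server eq www
"""
# Constructed variant: same ACL written against the mapped (public) address.
MAPPED_ACL = POSTED.replace("object www_server eq", f"host {OUTSIDE_IP} eq")


def parse(config):
    hosts, nats, acl, current = {}, [], [], None
    for w in filter(None, map(str.split, config.splitlines())):
        if w[:2] == ["object", "network"]:
            current = w[2]
        elif w[0] == "host":
            hosts[current] = w[1]
        elif w[0] == "nat" and w[2:5] == ["static", "interface", "service"]:
            nats.append((current, PORTS[w[6]], PORTS[w[7]]))  # real, mapped port
        elif w[0] == "access-list" and w[3:6] == ["permit", "tcp", "any"]:
            acl.append((w[6], w[7], PORTS[w[9]]))  # ("object"|"host", value, port)
    return hosts, nats, acl


def inbound(config, dst_ip, dst_port):
    """Trace a TCP SYN arriving on the outside interface; return (phase, result)."""
    hosts, nats, acl = parse(config)
    # Phase 1, UN-NAT: mapped interface address and port are rewritten to real.
    hit = next((n for n in nats if dst_ip == OUTSIDE_IP and dst_port == n[2]), None)
    if hit is None:
        return ("UN-NAT", "no translation")  # simplification: model stops here
    real_ip, real_port = hosts[hit[0]], hit[1]
    # Phase 2, ACCESS-LIST: entries are compared with the untranslated packet.
    for kind, value, port in acl:
        target = hosts[value] if kind == "object" else value
        if (target, port) == (real_ip, real_port):
            return ("ACCESS-LIST", f"permit to {real_ip}:{real_port}")
    return ("ACCESS-LIST", "implicit deny")


if __name__ == "__main__":
    print(inbound(POSTED, OUTSIDE_IP, 80))      # ACL on the real address
    print(inbound(MAPPED_ACL, OUTSIDE_IP, 80))  # ACL on the mapped address
```

On the device itself, `packet-tracer input outside tcp <source IP> <source port> <public IP> 80` reports the same UN-NAT and ACCESS-LIST phases, along with the later phases this model leaves out.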
