01-30-2011 09:03 AM - edited 03-11-2019 12:42 PM
Community,
Running into an issue with configuring an ASA 5505 running ASA v8.3. I have a single IP address assigned to the outside interface and would like to leverage it for our SBS that's connected to the inside. Every attempt seems to result in the inbound session being blocked by the ACL.
The outside IP is 208.1.1.1 and the SBS service is running on the inside with 192.168.1.10. I would like NAT inbound services for HTTPS and SMTP to be directed to the 192.168.1.10 SBS server on the same ports.
What am I doing wrong?
/jb
Solved!
01-31-2011 06:01 PM
Hi,
I think the reason that the last NAT object replaces the previous one is because you cannot have more than one object with the same name.
You should be fine defining the configuration like this:
object network obj-192.168.1.10
host 192.168.1.10
object network obj-192.168.1.10-2
host 192.168.1.10
object network obj-192.168.1.10
nat (inside,outside) static interface service tcp 25 25
object network obj-192.168.1.10-2
nat (inside,outside) static interface service tcp 443 443
Federico.
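The accepted answer fixes one of three separate problems that come up in this thread: a network object can carry only one nat statement (a second one replaces the first), a static NAT to the outside interface's own address is rejected as an overlap (the keyword interface is required), and on 8.3 and later the ACL applied inbound on outside is evaluated against the real, pre-NAT address and must be bound under the exact name used in access-group. The following linter is an added example, not code from the thread or from Cisco; it assumes the outside address 208.1.1.1 from the original post and runs over two constructed configuration fragments, one reproducing the mistakes discussed above and one combining the corrections.

```python
"""Lint an ASA 8.3+ object-NAT / ACL fragment for the mistakes made in this thread.

Added example (not from the thread). It assumes the outside interface address
208.1.1.1 from the original post and flags four problems:
  1. one network object given more than one 'nat' line (the last one replaces the rest);
  2. a static NAT to the interface's own address (rejected as an overlap; use 'interface');
  3. an access-list whose name is never bound with 'access-group';
  4. an inbound outside ACL entry matching the mapped address instead of the real one
     (from 8.3 the ACL is evaluated against real, pre-NAT addresses).
"""
from __future__ import annotations

import re
from collections import defaultdict

OUTSIDE_IP = "208.1.1.1"  # assumed outside interface address (from the thread)

RE_OBJECT = re.compile(r"^object network (\S+)$")
RE_HOST = re.compile(r"^host (\S+)$")
RE_NAT = re.compile(r"^nat \(\S+,\S+\) (static|dynamic) (\S+)")
RE_ACL = re.compile(r"^access-list (\S+) extended permit .* host (\S+)(?: eq \S+)?$")
RE_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")


def lint(config: str, outside_ip: str = OUTSIDE_IP) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    nat_per_object: dict[str, int] = defaultdict(int)
    acl_dests: dict[str, list[str]] = defaultdict(list)
    inbound: dict[str, str] = {}      # ACL name -> interface it is bound to
    current = None                    # network object block we are inside, if any

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := RE_OBJECT.match(line)):
            current = m.group(1)      # re-entering a name edits the same object
            continue
        if current and (RE_HOST.match(line) or line.startswith("description ")):
            continue                  # object attributes we do not need to check
        if current and (m := RE_NAT.match(line)):
            nat_per_object[current] += 1
            if m.group(1) == "static" and m.group(2) == outside_ip:
                findings.append(
                    f"{current}: static NAT to {outside_ip} overlaps the outside "
                    f"interface address; use 'static interface' instead")
            continue
        current = None                # any other top-level command ends the block
        if (m := RE_ACL.match(line)):
            acl_dests[m.group(1)].append(m.group(2))
        elif (m := RE_GROUP.match(line)):
            inbound[m.group(1)] = m.group(2)

    for name, count in nat_per_object.items():
        if count > 1:
            findings.append(
                f"{name}: {count} nat statements on one object; only the last is kept, "
                f"so define a separate object per forwarded port")
    for name, dests in acl_dests.items():
        if name not in inbound:
            findings.append(
                f"access-list {name}: never applied with 'access-group'; traffic is "
                f"evaluated by the ACL actually bound to the interface")
        elif inbound[name] == "outside" and outside_ip in dests:
            findings.append(
                f"access-list {name}: permits the mapped address {outside_ip}; on 8.3+ "
                f"the inbound ACL must permit the real (inside) address")
    return findings


# Constructed fragment reproducing the mistakes discussed in the thread.
BROKEN = """\
object network obj-192.168.1.10
 host 192.168.1.10
 nat (inside,outside) static 208.1.1.1 service tcp smtp smtp
object network obj-192.168.1.10
 nat (inside,outside) static interface service tcp https https
access-list outside_access_in extended permit tcp any host 208.1.1.1 eq https
access-list outside extended permit tcp any host 192.168.1.10 eq smtp
access-group outside_access_in in interface outside
"""

# Constructed fragment combining the corrections: one object per port,
# 'static interface', and a correctly named ACL that permits the real address.
FIXED = """\
object network obj-192.168.1.10-smtp
 host 192.168.1.10
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-192.168.1.10-https
 host 192.168.1.10
 nat (inside,outside) static interface service tcp https https
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run as a script, the broken fragment yields four findings and the fixed one none. On the box itself the same four conditions can be checked with `show nat` (one translation per port), `show running-config access-group` (the bound ACL name) and `packet-tracer input outside tcp 203.0.113.5 40000 208.1.1.1 443`, which walks the NAT and ACL phases and reports which one drops the packet.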
01-30-2011 09:10 AM
Hi,
I think this configuration will do it for the translation:
object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 208.1.1.1 service tcp www www
object network obj-192.168.1.10
host 192.168.1.10
nat (inside,outside) static 208.1.1.1 service tcp 25 25
Now, the ACL applied in the inbound direction to the outside interface should refer to the real IP, so for example:
access-list outside permit tcp any host 192.168.1.10 eq 80
access-list outside permit tcp any host 192.168.1.10 eq 25
Hope it helps.
Federico.
01-30-2011 09:26 AM
Thanks, but I have tried that and it keeps telling me it overlaps the outside interface.
> object network obj-192.168.1.10
> host 192.168.1.10
> nat (inside,outside) static 208.1.1.1 service tcp smtp smtp
ERROR: Address 208.1.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
It's got to be possible to leverage the single outside IP.
/jb
01-30-2011 09:44 AM
Fixed the overlap issue by leveraging the interface command. But I am still being blocked by the policy, which makes no sense.
/jb
01-30-2011 09:46 AM
So, you got the NAT working, can you paste the ACL in question?
Federico.
01-30-2011 10:55 AM
Here's my configuration, hopefully you can advise as where I am making my mistake:
01-30-2011 10:58 AM
These lines:
access-list outside extended permit tcp any host 192.168.1.10 eq https
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.1.10
access-list outside extended permit tcp any host 192.168.1.10 eq smtp
Should read:
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.1.10
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp
Kindly rate helpful posts :-)
Federico.
01-30-2011 04:46 PM
I am getting closer, but still having an issue. When I attempt to make an inbound HTTPS
session, I see this in the SYSLOG messages:
4 | Jan 30 2011 | 19:45:29 | 75.194.178.56 | 57513 | 0.0.0.0 | 443 | Deny tcp src outside:75.194.178.56/57513 dst inside:0.0.0.0/443 by access-group "outside_access_in" [0x0, 0x0] |
Thoughts?
/jb
01-30-2011 06:01 PM
What about SMTP?
On the latest config I see only this:
object network obj-192.168.1.10
nat (inside,outside) static interface service tcp smtp smtp
But not this:
object network obj-192.168.1.10
nat (inside,outside) static interface service tcp https https
Federico.
01-31-2011 06:40 AM
You are correct, and I hadn't caught that one. But when I attempt to add the other protocols, it replaces the last one. So I must be doing something wrong.
/jb