ASA 5505 - STATIC NAT PROBLEM

Hi guys,

As you can see in the attached file, I have a web server in the DMZ which has a real IP of 172.168.100.1 and a public IP of 192.168.200.1 (let's assume that this is a public IP address, for security reasons). All necessary configuration regarding NAT and access lists is in place.

From inside I can reach the web server and vice versa.

From the DMZ I can reach the internet. The weird thing is that if I try, from a different internet line, to ping 192.168.200.1 (the web server's public IP), I can ping it without a problem, but when I try to reach the web server via a browser I receive a timeout error.

If I change my access-list entry "access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80" to the one below

"access-list OUTSIDE-IN extended permit ip any any"

I am able to access the web server.

I've checked the real-time log viewer, and when I am using "access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80" I receive a "deny tcp src outside ... by access-group OUTSIDE-IN".

What do you believe is blocking the connection?

Best Regards

Stelios

Jon Marshall
Hall of Fame

Stelios

From the looks of your static statement you are running 8.3 or later code.

So in your ACL you need to use the private IP of the server and not the public IP.

Jon
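As an added example (not Jon's or Stelios's configuration, and not taken from the attached file), here is the same static NAT written in pre-8.3 syntax and in 8.3+ object NAT syntax, each with the ACL that version expects, followed by the ASA commands that show which phase drops the packet. The addresses are the ones in the post; the interface names outside and dmz, the object name WEB-SERVER, the test source address 203.0.113.5 and its source port are assumptions.

```cisco
! Added example, not from the thread. Addresses come from the post;
! interface names, the object name and the test source are assumptions.

! --- Pre-8.3: the interface ACL is matched against the MAPPED (public) address ---
static (dmz,outside) 192.168.200.1 172.168.100.1 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80
access-group OUTSIDE-IN in interface outside

! --- 8.3 and later: NAT is undone BEFORE the interface ACL is evaluated,
! so the ACL must name the REAL address of the server ---
object network WEB-SERVER
 host 172.168.100.1
 nat (dmz,outside) static 192.168.200.1
!
! Wrong on 8.3+ (the post's original line). By the time the ACL runs the
! destination is already 172.168.100.1, so this entry never matches and the
! packet falls through to the implicit deny that the log reported:
!   access-list OUTSIDE-IN extended permit tcp any host 192.168.200.1 eq 80
!
! Correct: reference the real address, via the object or as "host 172.168.100.1"
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 80
access-group OUTSIDE-IN in interface outside

! --- Verification from the ASA CLI ---
! Simulate an outside client connecting to the PUBLIC address on port 80.
! packet-tracer still takes the mapped address as the destination; in its
! output the UN-NAT phase is listed before the ACCESS-LIST phase, and with
! the corrected ACL the ACCESS-LIST phase ends with "Action: allow".
packet-tracer input outside tcp 203.0.113.5 40000 192.168.200.1 80
show nat detail
show access-list OUTSIDE-IN
```

The `show access-list` output also makes the mistake visible after the fact: the hit count on an entry written for the mapped address stays at zero while the log fills with denies from the same access-group.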
 

Thanks a lot Jon, for assisting me in solving this problem.

The weird thing that I can't understand is that ICMP was working without a problem using the above-mentioned access list; however, accessing the web server using WWW wasn't working.

How do you explain that?
