ASA 5506 NAT issues.

jm
Level 1

Hi there...

I have recently installed a 5506 at a customer who has two servers that need NAT.

One of them is a web server on a DMZ and I have enabled NAT with a public IP on src: DMZ, dest.: OUTSIDE.

Also I have made two access rules that

  • allow OUTSIDE to access the webserver by HTTP/HTTPS
  • allow the webserver to access an INSIDE server on port 587.

It works... well, almost. The web server cannot access the internet for some reason, so I tried to make an access rule that

  • allows the webserver to access OUTSIDE on IP

object network Applikation
 host 192.168.2.2

object network Webshop
 host 192.168.253.2

access-list DMZ_access_in extended permit ip object Webshop interface outside
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 object Webshop object Applikation

...

object network Webshop
 nat (DMZ,outside) static <public IP>

I am new to Cisco (well, it's about 14 years since I had anything to do with them) so any explanations would be great.


4 Replies

Philip D'Ath
VIP Alumni

It sounds like you need something like:

access-list DMZ_access_in extended permit ip object Webshop any

Hi Philip and thanks.

Well, I have tried that but it opens up access to all. That means my webserver also has access to the inside network.

So I have to make deny rules on inside to block the things I don't want in there?

Yes, in that case, before that line put in another line denying it access to the internal network.

So something like:

access-list DMZ_access_in extended permit ip object Webshop object Applikation
access-list DMZ_access_in extended deny ip object Webshop 192.168.2.0 255.255.255.0
access-list DMZ_access_in extended permit ip object Webshop any
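The order of those three lines is what makes this work: the ASA walks an ACL top-down, the first matching entry wins, and anything unmatched hits the implicit deny at the end. As an added illustration (not code from the thread or from Cisco), the Python below models that evaluation for the DMZ_access_in lines above against constructed flows; it handles only "ip" entries (no protocol or port matching), and the object addresses are the ones from the question.

```python
import ipaddress

# Network objects from the thread (constructed mirror of the ASA config).
OBJECTS = {
    "Webshop": ipaddress.ip_network("192.168.253.2/32"),
    "Applikation": ipaddress.ip_network("192.168.2.2/32"),
}

def take_spec(tokens):
    """Consume one address spec: 'any', 'object NAME', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "object":
        return OBJECTS[tokens.pop(0)]
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_acl(lines):
    """Turn 'access-list NAME extended ACTION ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tok = line.split()
        action, rest = tok[3], tok[5:]      # tok[4] is the protocol, always 'ip' here
        src = take_spec(rest)
        dst = take_spec(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(entries, src_ip, dst_ip):
    """ASA semantics: first matching entry wins; no match means implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

FIXED = [
    "access-list DMZ_access_in extended permit ip object Webshop object Applikation",
    "access-list DMZ_access_in extended deny ip object Webshop 192.168.2.0 255.255.255.0",
    "access-list DMZ_access_in extended permit ip object Webshop any",
]
PERMIT_ANY_ONLY = FIXED[2:]   # the first suggestion on its own, with no deny in front

def check_flows(acl_lines):
    """Evaluate three constructed flows from the DMZ web server."""
    acl = parse_acl(acl_lines)
    return {
        "to_applikation": evaluate(acl, "192.168.253.2", "192.168.2.2"),
        "to_other_inside": evaluate(acl, "192.168.253.2", "192.168.2.50"),
        "to_internet": evaluate(acl, "192.168.253.2", "203.0.113.10"),
    }
```

Running check_flows on PERMIT_ANY_ONLY shows the inside network reachable; on FIXED only the Applikation host and the internet are permitted, and dropping the first line would block port 587 to Applikation as well.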

Thanks. That worked :)

Have a nice weekend.

Johnny
