calvinz,

also according to your config, the device hostname you are trying to do NAT is "router" while the hostname for your ASA is "asa510-01". make sure you are working on the correct device. NAT commands work differently on ASA/Routers.

Francisco.

Sorry, here's the right config and it does have backup as a interface.

here's the current config file.

!

ASA Version 8.0(3)

!

hostname asa510-01

domain-name corp.com

enable password xxxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

nameif backup

security-level 0

ip address 214.x.x.114 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.20.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name corp.com

access-list outside_1_cryptomap extended permit ip 10.20.1.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.20.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list outside_access_in remark allow public to http

access-list outside_access_in extended permit tcp any host 214.24.29.115 eq www

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging host inside 10.1.xx.xx

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface inside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

arp timeout 14400

global (backup) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.20.1.0 255.255.255.0

static (inside,backup) 214.24.29.115 10.20.1.10 netmask 255.255.255.255

access-group outside_access_in in interface backup

route backup 0.0.0.0 0.0.0.0 214.24.29.113 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server LIST1 protocol tacacs+

key xxxxxxxxx

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa accounting enable console LIST1

http server enable

http 10.20.10.0 255.255.255.0 inside

http 207.40.115.253 255.255.255.255 backup

snmp-server host inside 10.1.11.45 community 1232344

snmp-server location xxxxxxxx

no snmp-server contact

snmp-server community 123cabaf3a

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 207.40.115.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface backup

crypto isakmp enable backup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

console timeout 5

management-access inside

threat-detection basic-threat

threat-detection statistics

tunnel-group 207.40.115.1 type ipsec-l2l

tunnel-group 207.40.115.1 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect tftp

inspect xdmcp

inspect http

inspect icmp

inspect snmp

!

service-policy global_policy global

prompt hostname context

I'm in the correct router. I just forgot what I named the router.

I tried using backup as a interface and got this error:

asa510-01(config)# static (inside,backup) interface 10.20.0.20 netmask 255.255.255.255

WARNING: static redirecting all traffics at backup interface;

WARNING: all services terminating at backup interface are disabled.

So it seems like I might have to create a new interface or something?

then what adam suggested will work for you. have you tried it? does it work?

Francisco.

i think the reason why you have this problem is because you already have "global (backup) 1 interface". (Translating already using the outside interface for 10.20.1.0 255.255.255.0. try using another public ip for one-one static translation.

Is there anyway around it w/o having to have another public IP?

unless you use static with PAT.

Example below shows how to configure static PAT for an internal web server located at 192.168.10.10 The web client on the public network will connect to the server using the public IP address of the security appliance using the default web (TCP port 80)

static (inside,outside) tcp interface www 192.168.10.10 www netmask 255.255.255.255

thanks, i'll give that try. it seems like i'm talking to someone here that doesn't understand what they are asking. I'll check with the 3rd party on what they want. will keep you posted. thanks for the help..

i was able to put in a static nat with another public IP. thanks for your help.

I'm having a access issue. wonder if you guys can see if its being block somewhere else. i already wrote up a ACL for the access but it's still being denied. same router.

access-list outside_access_in line 11 extended permit tcp any 214.16.68.192 255.255.255.192 eq 3389 (hitcnt=0)

access-list outside_access_in line 12 extended permit tcp any 214.16.68.192 255.255.255.192 (hitcnt=0)

Deny tcp src backup:214.16.68.246/4225 dst inside:214.24.29.115/3389 by access-group "outside_access_in" [0x0, 0x0]

try

access-list outside_access_in extended permit tcp any host 214.16.68.192 eq 3389

Francsico