11-28-2011 04:43 AM - edited 03-11-2019 02:55 PM
According to this document I do port translation through the CLI and I have the following config:
ciscoasa# show run access-list
access-list local standard permit any
access-list outside_access_in extended permit tcp any object http-155
ciscoasa# show run access-group
access-group outside_access_in in interface inet
ciscoasa# show run nat
!
object network http-155
nat (local,inet) static interface service tcp www 5010
!
nat (local,inet) after-auto source dynamic any interface
ciscoasa#
Host 192.168.100.155 has IIS running on it and it serves a plain HTML page.
When I try to run packet-tracer from my ASA 5510 I receive ALLOW on all stages, and on Phase: 2 UN-NAT I receive ALLOW and the action "Untranslate A.B.C.D/5010 to 192.168.100.155/80" (output in attachment).
Then I check the ports with a port scanner and it shows "5010 is opened".
BUT in the browser I can't receive the HTML page from 192.168.100.155 when I try to reach http://A.B.C.D:5010
Where is my mistake?
11-28-2011 07:19 AM
All traffic from interface local to interface inet passes without problems. The security level of inet is 0 and of local is 100. Because of this I haven't added an access rule in the direction from local to inet. Is it right?
11-28-2011 07:55 AM
Hi,
For accessing a publicly NATted service from inside by its NATted IP address you have to do hairpinning; otherwise you can also do DNS doctoring by adding the dns keyword to your static PAT config. Then you access the service by FQDN from inside, and the ASA will intercept the DNS reply from the external DNS server and rewrite the public IP obtained to the private address from your static PAT entry.
Here are the links explaining the 2 concepts:
http://blogg.kvistofta.nu/cisco-asa-hairpinning/
Don't forget to inspect dns for the dns doctoring solution.
Regards.
Alain
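As an added example (not from the original thread or from Alain), this is one way to express the hairpinning he describes in ASA 8.3+ twice-NAT syntax, keeping the poster's interface names local/inet and object http-155. The object names obj-public-ip, tcp-5010 and tcp-www are assumptions, and A.B.C.D stands for the real outside address.

```text
! Added example, not the poster's running config. Lets hosts on the
! local interface reach the published service via A.B.C.D:5010, with
! the traffic entering and leaving the ASA on the same interface.
! Interface names local/inet and object http-155 are from the thread;
! obj-public-ip, tcp-5010 and tcp-www are assumed names.
!
! Required for hairpinning: permit traffic in and out of one interface.
same-security-traffic permit intra-interface
!
object network http-155
 host 192.168.100.155
!
! The public address clients on the LAN connect to (placeholder).
object network obj-public-ip
 host A.B.C.D
!
! Mapped port (what clients dial) and real port (what IIS listens on).
object service tcp-5010
 service tcp destination eq 5010
object service tcp-www
 service tcp destination eq www
!
! Twice NAT, local -> local: rewrite destination A.B.C.D:5010 to
! 192.168.100.155:80, and translate the source to the local interface
! address so the server's reply returns through the ASA rather than
! directly to the client on the same LAN (which would break the flow).
nat (local,local) source dynamic any interface destination static obj-public-ip http-155 service tcp-5010 tcp-www
!
! Verify from the CLI (replace 192.168.100.50 with a real LAN client):
! packet-tracer input local tcp 192.168.100.50 12345 A.B.C.D 5010
```

The existing object NAT line nat (local,inet) static interface service tcp www 5010 stays in place for clients arriving from the inet side; this rule only handles the inside-to-public-IP case.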
11-28-2011 11:38 PM
I can't access my service from outside either. I've tried to use different anonymizer services, but without success (for example from http://anonymizer.nntime.com/).
My access and NAT rules don't work.
I've tried to access http://A.B.C.D:5010
11-29-2011 12:57 AM
Hi,
do this:
(config)#access-list cap_inside extended permit tcp any any
(config)#access-list cap_outside extended permit tcp any any
#capture capin interface inside access-list cap_inside
#capture capout interface outside access-list cap_outside
Try to access again from outside, then do this and post the results:
#show capture capin
#show capture capout
Regards.
Alain