Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
351
Views
0
Helpful
2
Replies

ASA 5515-X NAT Issue

Go to solution
tuckyb
Level 1
Level 1

‎04-13-2015 01:41 PM - edited ‎03-11-2019 10:46 PM

Hello experts,

I'm having an issue with accessing an internal server from behind an ASA 5515-X running version 9.1(2).  Not too familiar with this new OS (came from PIX 515E).   I've tried reading posts here etc.. and still no go...  Perhaps, I am missing something here.  Here's my current config:

asa# sh run
: Saved
:
ASA Version 9.1(2)
!
hostname asa
enable password ***************** encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address XX.XX.XX.XXX XXX.XXX.XXX.XXX
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WinserverR2
 host 10.1.1.2
access-list outside_access_in extended permit tcp any object WinserverR2 eq 9900
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network WinserverR2
 nat (any,outside) static interface service tcp 9900 9900
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.34.56.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 45
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 15
management-access management
dhcpd address 192.168.1.100-192.168.1.150 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server XXX.X.XX.XX source outside prefer
username admin password *************** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email XXXXXXXXX
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 22
  subscribe-to-alert-group configuration periodic monthly 22
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXX
: end
asa1#

Thanks in advance.  Any help will be appreciated!!

Tuck

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
amchang
Cisco Employee
Cisco Employee

‎04-13-2015 04:03 PM

The original discussion has been modified to hide public ip address details.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
amchang
Cisco Employee
Cisco Employee

‎04-13-2015 04:03 PM

The original discussion has been modified to hide public ip address details.

0 Helpful

Go to solution
Andre Neethling
Level 4
Level 4

‎04-14-2015 12:40 PM

Hi. What are you experiencing when trying to connect? Can you post your "sh nat" output?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top