10-12-2010 09:39 AM - edited 03-11-2019 11:53 AM
I am facing a problem with the new ASA fw 8.3 , i am trying to create a port forward that would allow me to port forward from outside to the inside a specific port, but also NAT from the inside, all UDP + TCP established for internet access, but this new fw will not let me ...
I have the following setup
Internet -> ASA -> Server
Internet : http://www.mysite.com
ASA : Translate 190.0.0.1 to 10.0.0.1 from port 80 to port 8080 internal
Server : I have port 8080 open and i need also full UDP internet access through IP 190.0.0.1 , also all established TCP sessions must go through the ASA ..
I managed just to port forward the 8080 to 80 ...but when i try to add the dns service and all UDP everything comes crashing... if i add the second object group it only accepts that one and drops my previous 8080 to 80 redirect...do i have to buy a router to do the job ?
object network mysite.com-80
host 10.0.0.1
object network mysite.com-dns
host 10.0.0.1
object network mysite.com-80
nat (inside,outside) static 190.0.0.1 service tcp 8080 www
object network mysite.com-dns
nat (inside,outside) static 190.0.0.1 service dns
help ?!
10-12-2010 09:48 AM
It should be
object network mysite.com-dns
nat (inside,outside) static 190.0.0.1 service udp dns dns
refer: https://supportforums.cisco.com/docs/DOC-9129
-KS
10-13-2010 12:30 PM
That did not work , after adding that line i still don't have ICMP/DNS ..and other services from the server to the outside ...basically only the port forward works , nat from inside-> outside fails
10-13-2010 01:20 PM
If you don't just want to PAT and you want to NAT (all ports for this host) inbound and outbound you will need
object network mysite.com-dns
nat (inside,outside) static 190.0.0.
Also, make sure your outside ACL permit traffic to the local ip of mysite.com-dns.
Let us know if helps.
PK
10-14-2010 07:07 AM
That does not fix my problem .
So to quickly review :
I have a webserver running on port 8080 that i want port forwarded to the external 80 port so the website works, and at the same time have NAT working so that the server has internet access via NAT . If i add that line nat (inside,outside) static 190.0.0. it only takes that one and ignores the port forward ...
I have the ACL permitting the local ip ...
10-14-2010 07:20 AM
OK, keep the PAT rule and have your host belong to the dynamic NAT config you have for the internal hosts going out
object network mysite.com-80
nat (inside,outside) static 190.0.0.1 service tcp 8080 www
object network
nat (inside,outside) dynamic interface
Then the host will be PATted when going out and PATted for the 8080 ports.
I hope it solves it now.
Panos
10-14-2010 08:53 AM
Are you asking how you make the inside host look like 190.0.0.1 when it goes out as well as do the PAT 8080 to 80? If so you need to have both as "manual nat". Make sure to add the PAT line before the static 1-1.
object network mysite.com-80
nat (inside,outside) static 190.0.0.1 service tcp 8080 www
object network mysite.com
nat (inside,outside) static 190.0.0.1
Make sure to create an object mysite.com and have the same host inside it as the mysite.com-80 object.
-KS
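An added worked example of the configuration the thread converges on, written out in full; it is not taken from any post above and is not Cisco's own text. It combines the object NAT port forward from the question, the dynamic interface PAT for the inside hosts from Panos's answer, the outside ACL written against the real (untranslated) address as ASA 8.3 and later require, and packet-tracer checks in each direction. The inside subnet 10.0.0.0/24, the object name inside-net, the ACL name outside_access_in and the 203.0.113.x test addresses are assumptions.

```cisco
! Assumed: inside subnet 10.0.0.0/24 (object inside-net), ACL name outside_access_in.
!
! Port forward: outside 190.0.0.1:80 -> inside 10.0.0.1:8080 (object NAT, static, port-specific).
object network mysite.com-80
 host 10.0.0.1
 nat (inside,outside) static 190.0.0.1 service tcp 8080 www
!
! Outbound PAT for the whole inside subnet, 10.0.0.1 included, behind the outside interface address.
! Within section 2 (object NAT) static rules are evaluated before dynamic ones, so the port-specific
! static above still matches TCP 8080, and every other flow from 10.0.0.1 (DNS, ICMP, other TCP) is PATted.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Since 8.3 the interface ACL is matched against the real address, not the mapped one:
! permit only the one service you expose, to the real host and real port.
access-list outside_access_in extended permit tcp any object mysite.com-80 eq 8080
access-group outside_access_in in interface outside
!
! Checks: confirm rule order and hit counts, then trace one packet in each direction.
show nat detail
packet-tracer input outside tcp 203.0.113.10 40000 190.0.0.1 80
packet-tracer input inside udp 10.0.0.1 50000 203.0.113.53 53
```

The first packet-tracer should show the static port rule being hit and the ACL phase allowed; the second should show the dynamic interface PAT rule being hit and no ACL drop on the way out. If the server must source all of its outbound traffic from 190.0.0.1 rather than the interface address, KS's variant applies instead of inside-net: a second object holding the same host 10.0.0.1 with a plain `nat (inside,outside) static 190.0.0.1`, after which `show nat` should be re-read to confirm the port-specific rule still sits above the 1-to-1 rule.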