Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
657
Views
0
Helpful
4
Replies

ASA 8.2 static nat problem?

M.alzubaidy
Level 1
Level 1

‎12-21-2015 08:29 AM - edited ‎03-12-2019 12:03 AM

Hi all

I have two active and standby ASA 5520 V(8.2) when I trying to configure static NAT by

static (inside,outside) interface 172.16.1.156

it work properly, but when I use this command instead of first one

static (inside,outside) 212.126.122.45 172.16.1.156

it dose not work!! and I need it to use another public IP for another private server because I have many servers inside each server need public ip, so any suggestion please??

note :

1- my inside network (172.16.0.0/16) and outside (212.126.122.40/29)

2- attachment conftain show run for both my ASA

many thanks..

Labels:
Preview file
4 KB
Preview file
4 KB
0 Helpful
4 Replies 4

Philip D'Ath
VIP Alumni
VIP Alumni

‎12-21-2015 11:10 AM

Did you create a rule (on the outside interface) allowing traffic into 212.126.122.45?

0 Helpful

M.alzubaidy
Level 1
Level 1
In response to Philip D'Ath

‎12-21-2015 11:28 AM

many thanks for replying, yes I create that

access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to M.alzubaidy

‎12-21-2015 11:35 AM

I don't think you have anything wrong.  Try the change again, and then maybe something like:

clear xlate

Also try waiting 10 minutes.  It smells like something has cached something.

If you do a "show arp | inc 212.126.122.45" it definitely comes back with nothing (meaning that the IP address is not in use), correct?

0 Helpful

Shivapramod M
Level 1
Level 1
In response to M.alzubaidy

‎12-21-2015 08:58 PM

Hi,

First you can try to take the packet tracer on the ASA to check whether the ASA is allowing the traffic or not.

packet-tracer input outside tcp <source IP> 12345 212.126.122.45 80 detail

If you do not see any error in this then you can take the capture on the outside and inside interface of the firewall to check whether traffic is passing through the firewall or not. This needs the actual traffic to test.

cap capin interface outside match tcp host <internet IP> host 212.126.122.45 eq 80
cap capout interface inside match tcp host <internet IP> host 172.16.1.156 eq 80

to view the capture output:

show cap capin

show cap capout


Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card