ASA 8.4.2 NAT Commands

klauskraner
Level 1

Hi,

I am trying to get an ASA with the new software 8.4.2 running.

On an old pix we had the nat command:

static (inside,outside) tcp interface www 192.168.15.252 www netmask 255.255.255.255 0 0

In all the new documents about 8.4.2 I can find that it should work with something like:

object network web_host

     nat (inside,outside) static interface service tcp www www

I want to forward HTTP traffic from the outside interface to this host. In the log I just get entries about the blocking ACL, but both are allowed on the outside access-list: traffic to the inside IP and also to the outside interface IP.

I also tried it with "Public Server", but when I try to use the interface address I just get the message: Address x.x.x.x overlaps with outside interface address.

Is it still possible to do port forwarding on the outside interface?

Thx.

Klaus

Accepted Solution

varrao
Level 10

Hi Klaus,

The NAT that you have is not fine; in version 8.4, you do static port forwarding just the way mentioned below:

object service tcp_80

   service tcp destination eq 80

object network web_host

   host

nat (outside,inside) source static any any destination static interface web_host service tcp_80 tcp_80

also the access-list would be:

access-list outside_access_in permit tcp any host eq 80

Please be aware that in 8.4 ACL, you use the real ip addresses of the machines, instead of public ip addresses.

Let me know if you have any further queries.

Thanks,

Varun



Hello,

thank you very much for your advice. The access on the outside interface and the forwarding to the inside host works fine.

But now the access from inside to outside (to the World Wide Web) is not working any more. I had another NAT rule enabled:

nat (inside,outside) source dynamic inside_all interface

That was for all the hosts in the object inside_all for internet access.

I tried to activate that rule again after your rule with ASDM, but then I get a warning: "Users may not be able to access any service enabled on the outside interface". Is that the reason why it did not work? Are both possible?

Thank you very much.

Regards Klaus

----

Even though there was the warning, everything works: the port forwarding from the outside interface to the inside host and also the access from the inside host to the internet. Can I ignore the warning? I think there is a reason for it.

Regards Klaus

Message edited by Klaus Kraner

Hi Klaus,

There is always an issue with NATting to the outside interface, because port 80 on the outside interface is used up by the server on the inside, but that should not hamper your internet access, because when a user on the inside accesses the internet, they would be PATed to the outside interface of the firewall on a random port between 1200-65535, so you would not face an issue with the internet.

Which particular service are you not able to access on the internet? Can you paste your config for a detailed look at it?

Thanks,

Varun

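What the thread settles on, pulled together as one ASA 8.4 configuration: the twice NAT rule from the accepted answer that publishes TCP/80 on the outside interface IP, the dynamic PAT rule Klaus re-enabled for outbound access, and the ACL written against the real (pre-NAT) server address. This is an added example, not config from the original posts. The server address 192.168.15.252 comes from the question; the inside subnet 192.168.15.0/24, the interface names inside/outside, and the outside interface address 203.0.113.1 used in the packet-tracer check are assumptions.

```cisco
! Added example, not from the original thread. Assumptions: interfaces
! named inside/outside, inside subnet 192.168.15.0/24, outside interface
! address 203.0.113.1. Server 192.168.15.252 is taken from the question.

object network web_host
 host 192.168.15.252

object network inside_all
 subnet 192.168.15.0 255.255.255.0

object service tcp_80
 service tcp destination eq 80

! Section 1 (twice NAT): source left untranslated, destination = the
! outside interface IP rewritten to web_host, TCP/80 stays TCP/80.
! Section 1 rules are evaluated in order, before any object (auto) NAT,
! so keep this static rule above the dynamic PAT rule below.
nat (outside,inside) source static any any destination static interface web_host service tcp_80 tcp_80

! Dynamic PAT for outbound traffic on the same outside interface IP.
! ASDM warns that inside users may not reach services enabled on the
! outside interface; outbound flows are PATed to high source ports, so
! this rule and the TCP/80 static mapping above coexist.
nat (inside,outside) source dynamic inside_all interface

! From 8.3 on, ACLs match the real (pre-NAT) address, not the mapped one.
access-list outside_access_in extended permit tcp any object web_host eq 80
access-group outside_access_in in interface outside

! Verification (assumed outside IP 203.0.113.1, assumed client 198.51.100.7):
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 80
! show xlate
```

`packet-tracer` should report the section 1 static rule in its NAT phase and an ALLOW result from `outside_access_in`; if it instead reports a DROP in the ACL phase, the ACL is still written against the interface address rather than the real server address.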

Hello Varun,

Everything works fine. I was just confused by the message/warning, but as it does not influence the internet connectivity it's okay for me.

I tried to configure the ASA with the CLI Reference from Cisco, and the NAT command you used above is not in this CLI Reference or Configuration Guide; maybe Cisco can update it.

Thank you very much once again for your help.

Regards Klaus

Hi Klaus,

That's great. Let me know if you need any help.

-Varun
