05-07-2013 11:23 PM - edited 03-11-2019 06:40 PM
I can't do it with ASDM and tried to use the command, but it still fails:
nat (inside,outside) source static inside-10.18.20.162 4F-1.1.1.2
The above command works fine if there is more than one public IP; in this case 1.1.1.1 is the firewall interface's public IP.
If I have only one public IP and I would like to forward HTTP traffic to my internal network,
how can I use a command to do that?
05-07-2013 11:33 PM
It shows this error when I do it this way:
object service http
 service tcp source eq www
ASA5510(config)# nat (inside,outside) source static inside-10.18.20.162 4F-1.1.1.1 service http http
ERROR: Address 1.1.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
05-07-2013 11:35 PM
Hi,
You can use this configuration also to just forward the port TCP/80 to the "inside" device.
I presume that you are using the "outside" interface public IP address
object network SERVER
 host 10.18.20.162
 nat (inside,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object SERVER eq 80
access-group OUTSIDE-IN in interface outside
This would configure a Network Object NAT that would use the public IP address of your ASA "outside" interface and forward the port TCP/80 to the internal host of 10.18.20.162 when connecting from the Internet. It also defines the ACL rule and attaches that ACL to the "outside" interface.
If you already have an ACL in place, then you naturally just add the rule to that ACL.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni
05-07-2013 11:43 PM
THX Jouni
When I try to input this command it is rejected with an error:
ASA5510(config)# nat (inside,outside) source static interface service tcp 80 80
^
ERROR: % Invalid input detected at '^' marker.
ASA5510(config)#
05-07-2013 11:47 PM
Hi,
You need to enter it under the "object network SERVER"
Both the "host" configuration line and the "nat" configuration lines are parameters of the "object network SERVER"
So the source address of the NAT and the actual NAT configuration are contained under the "object network SERVER"
- Jouni
05-08-2013 12:07 AM
Thx so much, all commands can be input to the router, although it is not allowed to access the web server at the moment.
But I know how to create the rule through ASDM now. Thx so much.
05-08-2013 12:10 AM
Hi,
If the reply answered your question, please mark it as the correct answer
- Jouni
05-08-2013 02:12 AM
Access to the web server finally. I found that the problem came from one dynamic NAT that was before the static one and made it crash.
05-08-2013 02:56 AM
Hi,
I tend to configure the Default Dynamic PAT rule for my LAN networks in the following way
object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The "object-group" contains all the networks that need Dynamic PAT. The source interface is "any" so we don't have to configure multiple Dynamic PAT statements.
This way it won't interfere with Static NAT, Static PAT, NAT0 or any other configurations.
Some people leave the "after-auto" part out, which in turn means that the Dynamic PAT rule is much higher in the priority of NAT configurations matched against traffic than it is when it's configured with the "after-auto" parameter.
- Jouni
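As an added example that is not part of this thread and not Cisco's own code: the two answers above hinge on the order in which an ASA (8.3 and later) consults its NAT rules, namely manual NAT first (section 1), then network object NAT (section 2), then manual NAT entered with "after-auto" (section 3). The Python script below parses a running-config excerpt, tags each nat line with its section, lists the evaluation order, and flags a section-1 dynamic rule that is consulted ahead of a network object static NAT on the same interface pair, which is the failure mode the original poster hit. Both config excerpts are constructed for the example; the `nat (inside,outside) source dynamic any interface` line in the "broken" excerpt is a placeholder standing in for the dynamic NAT the poster never showed, and the ordering inside section 2 is simplified to "static before dynamic" (the real tie-breaks also consider address counts and object names).

```python
import re
from typing import Dict, List

# ASA 8.3+ NAT evaluation order (section numbers as used in Cisco's NAT documentation).
SECTION_NAMES = {
    1: "manual NAT (section 1, evaluated first)",
    2: "network object NAT (section 2)",
    3: "manual NAT after-auto (section 3, evaluated last)",
}

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
# nat line nested under "object network ...": no "source" keyword.
OBJECT_NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (static|dynamic) (.+?)\s*$")
# Global (manual / twice) NAT line: "source" keyword, optional "after-auto".
MANUAL_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (after-auto )?source (static|dynamic) (.+?)\s*$")


def parse_nat_rules(config_text: str) -> List[Dict]:
    """Extract every nat statement from a config excerpt and tag it with its NAT section."""
    rules: List[Dict] = []
    current_object = None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        m = OBJECT_RE.match(line)
        if m:
            current_object = m.group(1)
            continue
        if line.startswith(" "):
            # Indented lines belong to the object opened above; only its nat line matters here.
            m = OBJECT_NAT_RE.match(line)
            if m and current_object:
                rules.append({"section": 2, "object": current_object,
                              "real_ifc": m.group(1), "mapped_ifc": m.group(2),
                              "kind": m.group(3), "text": line.strip()})
            continue
        current_object = None  # any unindented line closes the object block
        m = MANUAL_NAT_RE.match(line)
        if m:
            rules.append({"section": 3 if m.group(3) else 1, "object": None,
                          "real_ifc": m.group(1), "mapped_ifc": m.group(2),
                          "kind": m.group(4), "text": line.strip()})
    return rules


def evaluation_order(rules: List[Dict]) -> List[Dict]:
    """Order rules the way the ASA consults them: section 1, then 2, then 3.
    Sections 1 and 3 keep configuration order; section 2 is simplified to static-before-dynamic."""
    by_section = {s: [r for r in rules if r["section"] == s] for s in (1, 2, 3)}
    by_section[2].sort(key=lambda r: 0 if r["kind"] == "static" else 1)
    return by_section[1] + by_section[2] + by_section[3]


def find_shadowing_dynamic_rules(rules: List[Dict]) -> List[str]:
    """Flag a section-1 dynamic rule consulted before a section-2 static object NAT on the
    same interface pair ("any" on the manual rule covers every interface on that side)."""
    findings = []
    statics = [r for r in rules if r["section"] == 2 and r["kind"] == "static"]
    for r in rules:
        if r["section"] != 1 or r["kind"] != "dynamic":
            continue
        for s in statics:
            if r["real_ifc"] in ("any", s["real_ifc"]) and r["mapped_ifc"] in ("any", s["mapped_ifc"]):
                findings.append(f"'{r['text']}' sits in section 1 and is evaluated before object NAT "
                                f"'{s['object']}' ({s['text']}); re-enter it with 'after-auto'")
    return findings


# Constructed excerpt: a dynamic PAT entered without "after-auto" ahead of the object NAT.
BROKEN_CONFIG = """\
nat (inside,outside) source dynamic any interface
object network SERVER
 host 10.18.20.162
 nat (inside,outside) static interface service tcp 80 80
access-list OUTSIDE-IN permit tcp any object SERVER eq 80
access-group OUTSIDE-IN in interface outside
"""

# Constructed excerpt following the answers above: object NAT plus an after-auto dynamic PAT.
FIXED_CONFIG = """\
object network SERVER
 host 10.18.20.162
 nat (inside,outside) static interface service tcp 80 80
object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
access-list OUTSIDE-IN permit tcp any object SERVER eq 80
access-group OUTSIDE-IN in interface outside
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
"""


def lint(config_text: str) -> Dict:
    """Return the evaluation order and any shadowing findings for a config excerpt."""
    rules = parse_nat_rules(config_text)
    return {"order": [f"section {r['section']}: {r['text']}" for r in evaluation_order(rules)],
            "findings": find_shadowing_dynamic_rules(rules)}


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = lint(cfg)
        print(f"== {name} ==")
        print("\n".join(result["order"]))
        print("findings:", result["findings"] or "none")
```

Run against a `show running-config nat`-style excerpt, the script prints the order the rules are consulted in and one finding per dynamic rule that was placed in section 1 ahead of a static object NAT; moving such a rule to section 3 with "after-auto", as in the fixed excerpt, clears the finding while leaving the static PAT and ACL untouched.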