
ASA 9.1 PAT port translation issue...

netguyz08

NAT'ing external port 8080 to go to port 80 internally isn't working for me. Seems the auto/dynamic NAT statement for the server is working, and will just forward to port 80 when I try it, but not port 8080. Searched all over and it seems I have all of the needed components for what I am trying to do (and worked fine in 8.2).

But since the NAT statement is getting 0 hits, I'm thinking I might be missing a key statement for 9.1:

(1.1.1.1 = ext./public IP and 192.168.1.100 = internal IP)

object network srv1
 host 192.168.1.100
object network srv1_ext
 host 1.1.1.1
object network srv1-01
 host 192.168.1.100

access-list outside_access_in extended permit tcp any4 object srv1 eq 8080

object network srv1
 nat (inside,outside) static srv1_ext
object network obj_any
 nat (inside,outside) dynamic interface
object network srv1-01
 nat (inside,outside) static srv1_ext service tcp 8080 80

 

Even tried removing the "nat (inside,outside) static srv1_ext" statement in case that was getting hit first, and it didn't make a difference.

-Ed

Accepted Solution

The users on the Internet use port 8080 and your server is using port 80? Then your commands are wrong:

access-list outside_access_in permit tcp any4 object srv1 eq 80
!
object network srv1-01
 nat (inside,outside) static srv1_ext service tcp 80 8080

That did it, but I had started with the ports the way you described and it appeared that only port 80 was working...

What I *also* had to do was eliminate this NAT statement:

object network srv1
 nat (inside,outside) static srv1_ext

Otherwise it came before the other statement and allowed port 80, and 8080 would never work.

I eventually took that general NAT statement and refined it to the other service I wanted to allow for the server.
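
The rule ordering described in the reply above can be reproduced with a small model. This is an added example, not code from the thread or from Cisco: the function names and dictionary fields are hypothetical, and the model is a simplification that assumes Cisco's documented object NAT ordering (static before dynamic, fewer real addresses first, lower IP first, then object name alphabetically) and that the interface ACL is checked against the real address and port.

```python
# Added example: simplified model of ASA 8.3+ object NAT for inbound TCP.
from ipaddress import ip_address

REAL, MAPPED = "192.168.1.100", "1.1.1.1"   # addresses used in the thread

# Object NAT rules from the thread; "service" is (real_port, mapped_port).
GENERIC = {"name": "srv1", "type": "static", "real": REAL, "mapped": MAPPED}
WRONG_PAT = dict(GENERIC, name="srv1-01", service=(8080, 80))
FIXED_PAT = dict(GENERIC, name="srv1-01", service=(80, 8080))
DYNAMIC = {"name": "obj_any", "type": "dynamic", "real": "0.0.0.0",
           "mapped": "interface", "count": 2**32}

def auto_nat_order(rules):
    """Static before dynamic, fewer real addresses first, lower real IP
    first, then object name alphabetically."""
    return sorted(rules, key=lambda r: (r["type"] != "static",
                                        r.get("count", 1),
                                        int(ip_address(r["real"])),
                                        r["name"]))

def inbound(rules, acl_real_ports, dst_port):
    """Return (matching object, real port, ACL verdict) for a TCP
    connection from outside to MAPPED:dst_port."""
    for r in auto_nat_order(rules):
        if r["type"] != "static" or r["mapped"] != MAPPED:
            continue
        svc = r.get("service")
        if svc and svc[1] != dst_port:
            continue                    # port rule for a different mapped port
        real_port = svc[0] if svc else dst_port
        # The interface ACL is checked against the real (untranslated) port.
        verdict = "permit" if real_port in acl_real_ports else "deny"
        return r["name"], real_port, verdict
    return None, None, "deny"           # no static rule untranslates this

if __name__ == "__main__":
    cases = {
        "corrected PAT, generic static kept": [GENERIC, DYNAMIC, FIXED_PAT],
        "corrected PAT, generic static removed": [DYNAMIC, FIXED_PAT],
    }
    for label, rules in cases.items():
        print(label, "->", inbound(rules, {80}, 8080))
    print("original PAT direction ->", inbound([DYNAMIC, WRONG_PAT], {8080}, 8080))
```

On the firewall itself, `show nat detail` and `packet-tracer input outside tcp <source> <source-port> 1.1.1.1 8080` show which rule a connection actually hits.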

 
