I have two DMZs on an ASA running 9.9 which use separate public IPs to the LAN, and this all works fine, traffic from DMZ2 (10.3.3.0/24) is NAT'd to 220.127.116.11 etc - see attached diagram. What I'm having problems with is I now need to forward inbound traffic to 18.104.22.168 on tcp ports 80 & 443 to the server in DMZ2 (10.3.3.2), and the nat syntax for this is not accepting the commands I have used (I think!?!) in the past on ASA 8.4, which is the last two lines in red.
Config snippet below:
object network obj-dmz1-wan
object network obj-dmz1-lan
 subnet 10.2.2.0 255.255.255.0
 nat (dmz1,outside) dynamic obj-dmz1-wan
object network obj-dmz2-wan
object network obj-dmz2-lan
 subnet 10.3.3.0 255.255.255.0
 nat (dmz2,outside) dynamic obj-dmz2-wan
object network obj-dmz2-server
 nat (dmz2,outside) static 22.214.171.124 service tcp 80 80
 nat (dmz2,outside) static 126.96.36.199 service tcp 443 443
I have tried adding in a service object-group, but again the NAT syntax isn't as clear as I thought:
object-group service obj-dmz2-ports
 service-object tcp destination eq 80
 service-object tcp destination eq 443
nat (dmz2,outside) source static obj-dmz2-wan interface service obj-dmz2-ports
Can someone help untangle this NAT syntax or link to a guide, as I have been googling Cisco docs and searching forums for ages, and I just cannot see through what I'm doing wrong or find a config example!
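As an added example (not the poster's config and not the thread's accepted solution), the ASA 8.3+ object-NAT form of this port forward: one network object per forwarded port, because an object carries a single nat statement and a second one under the same object replaces the first. The public address 203.0.113.10 and the ACL name outside_access_in are placeholders; the DMZ host, interface names and ports are the ones from the question.

```cisco
! Added example, not the poster's running config.
! 203.0.113.10 is a placeholder for the public address that should answer on 80/443.
! One network object per forwarded port: a network object holds only one nat
! statement, so both ports cannot live under a single obj-dmz2-server object.
object network obj-dmz2-server-80
 host 10.3.3.2
 nat (dmz2,outside) static 203.0.113.10 service tcp 80 80
object network obj-dmz2-server-443
 host 10.3.3.2
 nat (dmz2,outside) static 203.0.113.10 service tcp 443 443
! Since 8.3 the inbound ACL matches the real (untranslated) address, so permit
! only the two forwarded ports to the DMZ host; outside_access_in is an assumed name.
access-list outside_access_in extended permit tcp any object obj-dmz2-server-80 eq 80
access-list outside_access_in extended permit tcp any object obj-dmz2-server-443 eq 443
access-group outside_access_in in interface outside
! Check the translation and the ACL hit in one go before exposing the host:
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.1 12345 203.0.113.10 443
```

The dynamic obj-dmz2-wan rule for the rest of 10.3.3.0/24 is unaffected; the more specific static host entries take precedence for 10.3.3.2 on those two ports only.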