01-23-2016 10:51 AM - edited 03-12-2019 12:10 AM
Hello, can someone point me in the right direction on this issue? Basically I have an ASA 5506 and I want to allow access to a web server on the inside.
Wan IP 172.16.5.1
Inside Server IP 72.16.4.10
Ports Below
I can't seem to get the NAT working right.
object service TEST
service tcp source eq 8080 destination eq 8080
access-list outside_access_in extended permit object TEST any object NAS log debugging
object network NAS
host 172.16.4.10
nat (outside,inside) source dynamic any interface destination static NAS NAS service TEST TEST
When I run packet tracer it says all is passing through ok but I get no response from the server.
Thanks for looking
Dave
01-25-2016 10:57 AM
Dave
I used 172.16.5.1 in my suggestion because that was the address specified in your original post. Later you clarified that this address is the router address and that the ASA interface address is 172.16.5.2. So that is the address that should be used in the translate statement
nat (inside,outside) static 172.16.5.2 service tcp 8080 8080
HTH
Rick
01-23-2016 01:13 PM
If you want to allow devices from outside/Internet to initiate traffic to a server on the inside of your network then you need a static translation and not the dynamic translation what you show here. It might look something like
object network NAS
host 172.16.4.10
nat (inside,outside) static 172.16.5.1 service tcp 8080 8080
HTH
Rick
01-25-2016 03:12 AM
Thanks for the assist Richard and Akshay,
I'm running Cisco Adaptive Security Appliance Software Version 9.5(1), Device Manager Version 7.5(1)
The syntax is different, which is throwing me.
Currently I have Nat as per attached image in the ASDM and CLI. I have checked the packet tracer and I get green lights across the board. It should work but I get something strange. Image of my setup attached.
nat (outside,inside) source static any interface destination static NAS NAS service TEST TEST no-proxy-arp
Basically, when I'm on the 172.16.5.0/24 network testing the NAT I cannot see anything in the logs, nor do I get a successful packet hit on port 8080, when using IP address 172.16.5.2 (the ASA WAN interface). However, I do get successful access to http://172.16.4.10:8080, but I'm on the 172.16.5.0 network. I can't quite work out what is going on and I suspect something is re-writing the IP, or the router having a static route is causing this.
Waiting for my SmartNet contract to be finalised, so I'm going round in circles trying to work it out, which is proving painful.
Kindest Regards
David
01-25-2016 06:05 AM
Dave
I am not clear what syntax difference you are talking about. The example that I posted is based on an ASA running 9.5(1). So it ought to work for you.
I notice that your packet tracer is using 8080 as both source and destination port. That works fine in packet tracer but a packet from a real PC is almost certainly not going to use 8080 as the source port. If you have not yet changed service object TEST the way that we recommended then this is almost certainly part of your problem.
I can not tell which of our suggestions you may have followed and which you have not. Please post the current config (at least the relevant parts of it) so we can see what you are dealing with.
HTH
Rick
01-25-2016 06:24 AM
Hi Richard,
Ah, I misinterpreted the location of the NAT. When doing it through the ASDM it creates a NAT in the general config and not under the object.
I tried to apply the config recommendation under the NAS object and I get an error.
Firewall(config-network-object)# nat (inside,outside) static 172.16.5.2 servic$
ERROR: Address 172.16.5.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Firewall(config-network-object)#
The WAN port (Outside) is 172.16.5.2 not 172.16.5.1 (172.16.5.1 is the next hop to the internet)
Config attached
Thanks for looking.
Dave
01-25-2016 07:47 AM
Dave
I sympathize that the config approach is quite different in ASDM from what it is in CLI. But it should be possible to get the same result whichever way you approach it. I do have a couple of comments which I hope may be helpful.
I am glad to see that you have changed the service object TEST so that it now specifies only the destination port. I also see another service object configured that has multiple protocol ports but has specified the same value as source port and destination port. There are a couple of protocols that do use the same value for source port and destination port (NTP is the one that comes to mind) but very few other protocols do. So you might want to change that other service object.
I see that you are using 8080 as a protocol port in both TEST and the other service object. I can not tell how you intend to use the other service object. But I am concerned about 8080 appearing in both service objects. Especially if you will use 8080 as a static address translation it would not work for two hosts.
Also I see only the single address translation to PAT any inside address going out. I do not see any address translation for traffic from outside coming in which is what you need to be able to access this server from the outside.
HTH
Rick
01-25-2016 09:50 AM
Thanks Richard,
You are correct, the other object has port allocations, as this is the Service Object I want to apply in the end; the TEST object is just to get it going.
The NAT is not present, as I keep getting the error when trying to apply the suggested NAT: it keeps saying the rule overlaps with the outside interface address, which is the outside address I actually want to use?
Firewall(config-network-object)# nat (inside,outside) static 172.16.5.1 service tcp 8080 8080
ERROR: Address 172.16.5.2 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Firewall(config-network-object)#
Regards
Dave
01-25-2016 10:39 AM
OK, so I've made a small breakthrough. I had a static route on my router for 172.16.4.0 via 172.16.5.2 (the ASA WAN port). So when I was on the 172.16.5.0 network testing, I was able to get to the 172.16.4.10 address via routing. I removed the route from the router and I was no longer able to access the 172.16.4.10 server using the IP.
So from what I determine, the ACL was allowing port 8080 and, as there was no NAT, the routing kicked in and allowed the traffic to 172.16.4.10. This was confusing the situation, as I thought I was getting some sort of packet re-write of the IP.
Now that I have the route removed, I know that if I get the NAT right I should have server access. The ACL works, as this was allowing the routed traffic. I still cannot get to the server using the ASA WAN port 172.16.5.2:8080.
01-25-2016 12:30 PM
RESULT!
Well Richard, you and Akshay put me on the right path. The config that works is:
object network NAS
host 172.16.4.10
object network NAS
nat (inside,outside) static interface net-to-net no-proxy-arp service tcp 8080 8080
Thanks, as that really helped me out.
Regards
David
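Pulling the pieces of this thread together, here is one complete, minimal ASA 9.5 configuration for the port forward, as an added example and not the poster's attached config or anything from Cisco documentation. It uses the addresses and object names from the thread and assumes the interfaces are named inside and outside and that outside_access_in is the ACL applied inbound on the outside interface; the packet-tracer source address and port are made-up test values.

```cisco
! Added example: inside web server reachable on the ASA outside address, port 8080.
! Assumes interfaces "inside" and "outside"; addresses are the ones from this thread.
!
! --- Service object ---
! The original object also constrained the SOURCE port:
!   service tcp source eq 8080 destination eq 8080
! A real client chooses an ephemeral source port, so that entry never matches
! and the packet is dropped in the access-list phase. Match the destination only:
object service TEST
 service tcp destination eq 8080
!
! --- Server object with the static PAT (inside -> outside) ---
! "static interface" uses the outside interface address (172.16.5.2) as the
! translated address; a literal "static 172.16.5.2" is rejected with
! "overlaps with outside interface address", as seen in the thread.
object network NAS
 host 172.16.4.10
 nat (inside,outside) static interface service tcp 8080 8080
!
! --- Inbound ACL on the outside interface ---
! Since ASA 8.3 the ACL references the real (untranslated) server address,
! hence "object NAS" rather than the outside address.
access-list outside_access_in extended permit object TEST any object NAS log debugging
access-group outside_access_in in interface outside
!
! --- Verification (constructed values) ---
! Use a non-8080 source port so the test resembles a real client:
!   packet-tracer input outside tcp 203.0.113.10 51234 172.16.5.2 8080
!   show nat detail
!   show xlate
```

The working line David posted adds net-to-net no-proxy-arp to the nat statement; the example above keeps the plainer form Rick suggested, which is sufficient when the translated address is the interface itself. Note also that with a router static route pointing 172.16.4.0 at the ASA, as David found, a test from the 172.16.5.0/24 segment can reach the server by routing alone, so verify the translation with show xlate rather than only by connecting.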
01-23-2016 07:37 PM
Hi Dave,
In addition to what Richard mentioned, change the Service Object TEST to use only destination eq 8080. Otherwise the ASA would drop the packet in the access-list phase.
object service TEST
service tcp destination eq 8080
Hope it helps.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
01-24-2016 08:58 AM
I agree with Akshay that the Service Object needs to be changed. I thought about that in my original response but decided to focus on the problem with the address translation. In retrospect I should have mentioned both as issues since either one of them will prevent this implementation from working.
HTH
Rick