12-07-2010 12:08 PM - last edited on 03-25-2019 05:45 PM by ciscomoderator
HI everyone,
I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.
Thanks,
Regards
Eivind
12-07-2010 06:47 PM
Evi,
Here is the 8.2 NAT and ACL
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
access-list outside-acl permit tcp any host 192.168.100.100 eq 80
access-group outside-acl in int outside
where 192.168.100.100 is the global / public IP
Here is the 8.3 NAT and ACL
object network obj-10.1.1.6
host 10.1.1.6
nat (inside,outside) static 192.168.100.100
access-list outside-acl permit tcp any host 10.1.1.6 eq 80
access-group outside-acl in int outside
where 10.1.1.6 is the real IP or private IP of the webserver
if you are talking about 8.3, I'd suggest reading these excellent documents written by our team engineers on 8.3
All you need to know about 8.3 upgrade: https://supportforums.cisco.com/docs/DOC-12690
Before and after NAT config samples: https://supportforums.cisco.com/docs/DOC-9129
ASA 8.3 NAT video: https://supportforums.cisco.com/videos/1014
-KS
12-07-2010 12:30 PM
In 8.2 and earlier it will look like
static (inside,outside) tcp https https
In 8.3
object network objectname
host
nat (inside,outside) static
12-07-2010 12:44 PM
Thanks for your quick reply PK,
I managed this, but I think I've misunderstood the firewall setting... I've set the ACL to accept inbound traffic to the outside interface with source any and destination
I've read some more in the "book" and am starting to wonder if I have to add an ACL rule to the inside interface as well?!?
Thanks,
Eivind
12-07-2010 12:47 PM
Hi,
If you're running 8.3 you must use real IP not global IP
Regards.
12-07-2010 12:49 PM
ehmmm...
Maybe my english is not that good, but by global IP I meant "public IP"
Thanks,
Eivind
12-07-2010 01:02 PM
As cadetalain suggested, in 8.3 the ACL on the outside must allow traffic destined to the private/local ip of the server, not the global. Then it will work.
I hope it helps.
PK
12-07-2010 01:11 PM
OK,
Thank you guys. What about v8.2? Is the ACL setup the same?
12-07-2010 01:23 PM
In 8.2 you use the global IP. That was a change between 8.2 and 8.3
PK
12-08-2010 05:22 AM
Hi,
Thanks, I got the natting working but I still get an ACL deny on the outside interface.
3 | Dec 08 2010 | 14:17:49 | 46923 | 443 | TCP access denied by ACL from |
Any ideas???
Thanks,
Eivind
12-08-2010 05:31 AM
Hmmm.. Make sure that you do not have a typo in the public IP address.
Make sure there are no denies above the permit that you added for the public IP address.
Add the permit as line 1 and see if that works.
access-list outside-acl line 1 permit tcp any host p.p.p.p eq 443
where p.p.p.p is the public IP.
-KS
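The two points KS makes in this thread (the outside ACL references the public IP on 8.2 but the real/private IP on 8.3, and a permit only works if no earlier line in the access-list denies the traffic first) can be checked against a small model. The following Python is an added example written for this page, not ASA code and not anything from the thread's posters; it assumes a simplified ASA: one static NAT, an inbound ACL with first-match semantics and an implicit deny at the end, only destination address and port considered, and the ordering rule that 8.2 evaluates the ACL on the packet as received while 8.3 untranslates first. The addresses 192.168.100.100 and 10.1.1.6 are the ones from KS's sample; port 443 is used because the thread is about HTTPS.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticNat:
    """One-to-one static translation, optionally limited to a single TCP port
    (the 8.3 'static <ip> service tcp https https' form)."""
    mapped_ip: str                      # global / public address
    real_ip: str                        # private address of the server
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> <proto> any host <dst_ip> [eq <dst_port>]."""
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp" or "ip" (ip matches any protocol)
    dst_ip: str                         # "any" or a host address
    dst_port: Optional[int] = None      # None matches any port


def untranslate(pkt: Packet, nats: List[StaticNat]) -> Optional[Packet]:
    """Inbound static NAT: rewrite the mapped destination to the real one."""
    for n in nats:
        if pkt.dst_ip != n.mapped_ip:
            continue
        if n.mapped_port is not None and n.mapped_port != pkt.dst_port:
            continue
        real_port = n.real_port if n.real_port is not None else pkt.dst_port
        return Packet(pkt.proto, n.real_ip, real_port)
    return None                         # no static for this destination


def acl_lookup(pkt: Packet, acl: List[Ace]) -> Tuple[str, Optional[int]]:
    """First matching line wins; no match means the implicit deny (line None)."""
    for line, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dst_ip != "any" and ace.dst_ip != pkt.dst_ip:
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        return ace.action, line
    return "deny", None


def inbound_decision(pkt: Packet, nats: List[StaticNat], acl: List[Ace],
                     version: str) -> Tuple[str, Optional[int]]:
    """Model of the version-dependent NAT/ACL order (simplifying assumption)."""
    real = untranslate(pkt, nats)
    if real is None:
        return "deny", None             # nothing to reach on the inside
    if version == "8.2":
        return acl_lookup(pkt, acl)     # ACL sees the public (mapped) address
    return acl_lookup(real, acl)        # 8.3+: ACL sees the real address


# Constructed scenario using the addresses from KS's sample, on port 443.
PUBLIC_IP = "192.168.100.100"
REAL_IP = "10.1.1.6"
NATS = [StaticNat(PUBLIC_IP, REAL_IP)]
HTTPS_FROM_INTERNET = Packet("tcp", PUBLIC_IP, 443)


def acl_for(version: str) -> List[Ace]:
    """The single permit line KS's sample uses, with the right address per release."""
    target = PUBLIC_IP if version == "8.2" else REAL_IP
    return [Ace("permit", "tcp", target, 443)]


if __name__ == "__main__":
    for ver in ("8.2", "8.3"):
        for acl_ver in ("8.2", "8.3"):
            print(ver, "running ACL written for", acl_ver, "->",
                  inbound_decision(HTTPS_FROM_INTERNET, NATS, acl_for(acl_ver), ver))
```

Running it shows an ACL written for the other release produces the same "access denied by ACL" symptom Eivind reports, and that putting a broad deny above the permit has the same effect, which is why KS suggests inserting the permit as line 1.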
12-08-2010 06:05 AM
Hi,
I'm running 8.3 and I was told to use the local IP address, not the public one. I tried both and it still didn't work. Here's my config:
object network TK-test
host
!
object network TK-test
nat (inside,outside) static
!
!
access-list outside_access_in extended permit tcp any object TK-test eq https
!
access-group outside_access_in in interface outside
!
Thanks,
Eivind
12-08-2010 06:12 AM
You were told to use the local IP only in the ACL with 8.3.
object network TK-test
nat (inside,outside) static <local ip> service tcp https https ---> change this to public IP.
Pls. follow the sample that I typed up for both 8.2 and 8.3.
-KS
12-08-2010 06:28 AM
Sorry about that,
Get the following error:
ERROR: Address
ERROR: NAT Policy is not downloaded
???
Thanks,
Eivind
12-08-2010 06:39 AM
If your global is the interface ip then
object network TK-test
nat (inside,outside) static interface service tcp https https
I hope it does it.
PK