
ASA5505, ACL and NAT

Eivind Jonassen
Level 4

Hi everyone,

I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.

Thanks,

Regards

Eivind

20 Replies

object network TK-test

nat (inside,outside) static <local ip> service tcp https https  ---> change this to public IP.

You need to change the local IP to the keyword "interface"

object network TK-test

nat (inside,outside) static interface service tcp https https

Test it out and let us know.

PS. ASDM listens on 443. I am not sure if you have "http server enable" command in there. If so you need to change the port.

-KS

Hi,

I did a factory default today. Configured everything from scratch and followed your guide, and now I got everything up and running. Thank you for your help and quick responses.

Thanks,

Eivind

Eivind Jonassen
Level 4

Got one step further;

4  Dec 08 2010  15:53:39  58370  443  Deny tcp src outside:/58370 dst inside:/443 by access-group "outside_access_in" [0x0, 0x0]

the access group has the following setup;

!

access-group outside_access_in in interface outside

Output from packet trace states;

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network TK-test

nat (inside,outside) static interface service tcp https https

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Eivind

Check asdm like i mentioned in my previous post.

-KS

I tried changing the ports to 5001 instead of 443, and the results are the same.

I did however have the http server enable command. So that would have messed things up..

Still stuck

Regards,

Eivind

change the http server enable command to a diff. port

conf t

http server enable 9443

you can leave the nat line as it is.

Make sure the acl applied on the outside has the real/public IP of the server. If it still has a deny in the syslog try adding it as line 1

access-list outside-acl line 1 permit tcp any host i.i.i.i eq 443

and if that doesn't work pls. open a TAC case as we have gone back and forth many times and haven't gone very far with this.

-KS
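Putting KS's three pieces of advice (the NAT line with the "interface" keyword, moving ASDM off 443, and an outside ACL that names the server's real address) into one coherent configuration, as an added example that is not from the thread or from Cisco documentation. It assumes ASA 8.3 or later syntax, interfaces named inside and outside, an internal server at 10.0.0.10 on 10.0.0.0/24, and external addresses 198.51.100.7 and 203.0.113.2; all addresses are constructed for the example. The ACL references the object rather than the outside interface IP because on 8.3+ interface ACLs are evaluated against the real (untranslated) address, which is the mismatch that produces an acl-drop at the NAT rpf-check phase like the packet-tracer output above.

```cisco
! Added example (not the thread's own config). Assumes ASA 8.3+ syntax,
! interfaces named inside/outside, and constructed addresses:
! server 10.0.0.10 on 10.0.0.0/24, client 198.51.100.7, outside IP 203.0.113.2.
!
! 1. Move ASDM/HTTPS management off 443 so it does not shadow the forward,
!    and only allow management from the inside network.
http server enable 9443
http 10.0.0.0 255.255.255.0 inside
!
! 2. Object for the internal HTTPS server and the port forward to the
!    outside interface address ("interface" keyword, as KS suggested).
object network TK-test
 host 10.0.0.10
 nat (inside,outside) static interface service tcp https https
!
! 3. Inbound ACL on the outside interface. Reference the object (real host),
!    not the outside interface address: 8.3+ ACLs match pre-translation IPs.
access-list outside_access_in extended permit tcp any object TK-test eq https
access-group outside_access_in in interface outside
!
! 4. Verify from the CLI with a constructed external client.
!    Expected: an UN-NAT phase showing 10.0.0.10/443 and "Action: allow".
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.2 443
```

After applying this, `show nat detail` should show translate_hits incrementing on the TK-test rule and `show access-list outside_access_in` should show a non-zero hitcnt on the permit line once a real client connects; if the syslog still shows a deny from outside_access_in, the ACL's destination is almost certainly still the translated address rather than the real one.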
