Hi everyone,
I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.
Thanks,
Regards
Eivind
object network TK-test
nat (inside,outside) static <local ip> service tcp https https ---> change this to public IP.
You need to change the local IP to the keyword "interface"
object network TK-test
nat (inside,outside) static interface service tcp https https
Test it out and let us know.
PS. ASDM listens on 443. I am not sure if you have "http server enable" command in there. If so you need to change the port.
-KS
Hi,
I did a factory default today. Configured everything from scratch and followed your guide, and now I have everything up and running. Thank you for your help and quick responses.
Thanks,
Eivind
Got one step further:
4 | Dec 08 2010 | 15:53:39 | 58370 | 443 | Deny tcp src outside: |
The access group has the following setup:
!
access-group outside_access_in in interface outside
Output from packet-tracer states:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network TK-test
nat (inside,outside) static interface service tcp https https
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks,
Eivind
Check asdm like i mentioned in my previous post.
-KS
I tried changing the ports to 5001 instead of 443, and the results are the same.
I did, however, have the http server enable command, so that would have messed things up...
Still stuck
Regards,
Eivind
Change the http server enable command to a different port:
conf t
http server enable 9443
you can leave the nat line as it is.
Make sure the ACL applied on the outside has the real/public IP of the server. If it still shows a deny in the syslog, try adding it as line 1:
access-list outside-acl line 1 permit tcp any host i.i.i.i eq 443
If that doesn't work, please open a TAC case, as we have gone back and forth many times and haven't gotten very far with this.
-KS
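The configuration the thread converges on, written out end to end as an added example (this is not config posted by KS or Eivind). The inside host address 10.1.1.10, the outside interface address 198.51.100.2 and the test source 203.0.113.5 are assumptions; the object name TK-test and the ACL name outside_access_in are the ones visible in the posts above. Two things from the thread are worth stating plainly: on ASA 8.3 and later, an interface ACL is matched against the real (pre-NAT) address, so the permit must name the inside host, not the outside IP; and an ACL only takes effect if it is the one bound by access-group, so a permit added to outside-acl does nothing while the outside interface has outside_access_in applied.

```cisco
! Added example, not from the original thread.
! Publishing an inside HTTPS server on the ASA's outside interface address (ASA 8.3+).
!
! ---- The two settings that break it ----
!
! (a) ASDM listening on 443: the ASA answers TCP/443 itself and the
!     static PAT below never gets a chance to translate the flow.
!       http server enable
!
! (b) Outside ACL written against the translated address. On 8.3+ the ACL
!     is evaluated against the REAL address, so this entry never matches and
!     packet-tracer reports "(acl-drop) Flow is denied by configured rule".
!       access-list outside_access_in extended permit tcp any host 198.51.100.2 eq 443
!
! ---- Corrected configuration ----
conf t
!
! Move ASDM/HTTPS management off 443 (reach ASDM at https://<mgmt-ip>:9443 afterwards).
http server enable 9443
!
! Real inside host (assumed address).
object network TK-test
 host 10.1.1.10
 ! Static PAT: <outside interface IP>:443 -> 10.1.1.10:443
 nat (inside,outside) static interface service tcp https https
!
! 8.3+: permit traffic to the REAL inside address, and bind this ACL,
! not a differently named one, to the outside interface.
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 443
access-group outside_access_in in interface outside
end
!
! ---- Verification ----
! Simulate a client on the Internet (assumed 203.0.113.5) hitting the outside IP on 443.
! Expected: the NAT phase shows the object TK-test translation and the final
! Action is "allow"; a DROP in the NAT/rpf-check or ACCESS-LIST phase points
! back at (a) or (b) above.
packet-tracer input outside tcp 203.0.113.5 12345 198.51.100.2 443
!
! Confirm the translation and the listener port are what you expect.
show nat detail
show xlate
show running-config http
```

If the outside interface gets its address from DHCP/PPPoE, the `interface` keyword still works because the PAT is bound to the interface rather than to a fixed address. Keep the existing `http <network> <mask> <interface>` lines; only the port changes.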