ASA5505, ACL and NAT

Hi everyone,

I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.

Thanks,

Regards

Eivind

20 REPLIES

object network TK-test

nat (inside,outside) static <local ip> service tcp https https  ---> change this to public IP.

You need to change the local IP to the keyword "interface"

object network TK-test

nat (inside,outside) static interface service tcp https https

Test it out and let us know.

PS. ASDM listens on 443. I am not sure if you have "http server enable" command in there. If so you need to change the port.

-KS


Hi,

I did a factory default today. Configured everything from scratch and followed your guide, and now I got everything up and running. Thank you for your help and quick responses.

Thanks,

Eivind


Got one step further;

4   Dec 08 2010   15:53:39   58370   443   Deny tcp src outside:/58370 dst inside:/443 by access-group "outside_access_in" [0x0, 0x0]

the access group has the following setup;

!

access-group outside_access_in in interface outside

Output from packet trace states;

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network TK-test

nat (inside,outside) static interface service tcp https https

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Eivind


Check asdm like i mentioned in my previous post.

-KS


I tried changing the ports to 5001 instead of 443, and the results are the same.

I did however have the http server enable command. So that would have messed things up..

Still stuck

Regards,

Eivind


change the http server enable command to a diff. port

conf t

http server enable 9443

you can leave the nat line as it is.

Make sure the acl applied on the outside has the real/public IP of the server. If it still has a deny in the syslog try adding it as line 1

access-list outside-acl line 1 permit tcp any host i.i.i.i eq 443

and if that doesn't work pls. open a TAC case as we have gone back and forth many times and haven't gone very far with this.

-KS
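Putting the pieces from this thread together, here is an added example of a complete ASA 8.3+ configuration for publishing an inside HTTPS server on the outside interface address. It was written for this edit and is not code from the thread or from Cisco documentation. The inside server address 192.168.1.10, the outside interface address 198.51.100.1 and the tester's source address 203.0.113.7 are assumed values (the thread never shows the server's real address); the interface names and the ACL name outside_access_in are taken from the syslog and access-group lines above. On 8.3 and later the interface ACL is evaluated against the real (pre-NAT) address of the server, which is why the permit line points at 192.168.1.10 rather than at the public address; an ACL that permits traffic to the outside interface IP instead produces exactly the "acl-drop" seen in the packet-tracer output.

```cisco
! Added example (not from the thread): publish an inside HTTPS server on the
! outside interface address of an ASA 5505 running 8.3 or later.
! Assumed values: inside server 192.168.1.10, interfaces named "inside"/"outside".
!
! 1. Move ASDM/HTTP management off port 443 so it cannot collide with the
!    published service on the outside interface address.
http server enable 9443
!
! 2. Network object with static port NAT:
!    outside-interface-IP:443 -> 192.168.1.10:443
object network TK-test
 host 192.168.1.10
 nat (inside,outside) static interface service tcp https https
!
! 3. Inbound ACL on the outside interface. From 8.3 on, the destination is the
!    REAL (untranslated) server address, not the public/interface IP.
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-group outside_access_in in interface outside
!
! 4. Verify with packet-tracer from an arbitrary outside source.
!    203.0.113.7 is a made-up tester address; 198.51.100.1 stands for the
!    outside interface IP. A correct setup ends with "Action: allow" rather
!    than the "Drop-reason: (acl-drop)" shown earlier in the thread.
packet-tracer input outside tcp 203.0.113.7 40000 198.51.100.1 443
!
! 5. Counters to watch while testing: translation hits and ACL hit counts.
show nat detail
show access-list outside_access_in
```

If the packet-tracer still reports a drop in the access-list phase after this, the hit counts from show access-list outside_access_in tell you whether the permit line is being matched at all, which separates an ACL ordering problem from a NAT problem.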
