ASA5505, ACL and NAT

Eivind Jonassen
Level 4

Hi everyone,

I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.

Thanks,

Regards

Eivind

1 Accepted Solution

Accepted Solutions

Evi,

Here is the 8.2 NAT and ACL

static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

access-list outside-acl permit tcp any host 192.168.100.100 eq 80

access-group outside-acl in int outside

where 192.168.100.100 is the global / public IP

Here is the 8.3 NAT and ACL

object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100

access-list outside-acl permit tcp any host 10.1.1.6 eq 80

access-group outside-acl in int outside

where 10.1.1.6 is the real IP or private IP of the webserver

If you are talking about 8.3, I'd suggest reading these excellent documents written by our team engineers on 8.3:

All you need to know about 8.3 upgrade: https://supportforums.cisco.com/docs/DOC-12690

Before and after NAT config samples: https://supportforums.cisco.com/docs/DOC-9129

ASA 8.3 NAT video: https://supportforums.cisco.com/videos/1014

-KS

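As an added example (written for this page, not code from the thread or from Cisco), a small Python linter for the 8.2-to-8.3 pitfall the accepted answer describes: on 8.3 the outside ACL must match the real (inside) IP of the server, not the mapped/public IP, and a mapped address equal to the outside interface address must be written as `static interface`. The sample config and the optional outside interface IP are constructed for the demo.

```python
import re

# Constructed sample: the 8.3 object NAT from the accepted answer, but with the
# outside ACL still written the 8.2 way (matching the mapped/public IP).
SAMPLE_8_3 = """
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100
access-list outside-acl extended permit tcp any host 192.168.100.100 eq 443
access-group outside-acl in interface outside
"""

def parse_objects(cfg):
    """Return {object_name: (real_ip, mapped)} from 'object network' blocks."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            cur = line.split()[2]
            objs.setdefault(cur, [None, None])
        elif cur and line.startswith("host "):
            objs[cur][0] = line.split()[1]
        elif cur and line.startswith("nat ("):
            m = re.search(r"\bstatic\s+(\S+)", line)   # mapped IP or 'interface'
            objs[cur][1] = m.group(1) if m else None
    return {k: tuple(v) for k, v in objs.items()}

def check_outside_acl(cfg, outside_if_ip=None):
    """Lint an 8.3+ config: ACLs applied inbound on 'outside' must match real IPs."""
    objs = parse_objects(cfg)
    by_mapped = {v[1]: (name, v[0]) for name, v in objs.items() if v[1]}
    applied = set(re.findall(r"^\s*access-group\s+(\S+)\s+in\s+int(?:erface)?\s+outside\b",
                             cfg, re.M))
    findings = []
    for name, (real, mapped) in objs.items():
        # Mapping to the outside interface address needs the 'interface' keyword.
        if outside_if_ip and mapped == outside_if_ip:
            findings.append(f"{name}: mapped {mapped} is the outside interface IP; "
                            "use 'nat (inside,outside) static interface ...'")
    for line in cfg.splitlines():
        m = re.match(r"\s*access-list\s+(\S+).*?\bhost\s+(\S+)", line)
        if m and m.group(1) in applied and m.group(2) in by_mapped:
            name, real = by_mapped[m.group(2)]
            findings.append(f"ACL {m.group(1)}: matches mapped {m.group(2)}; "
                            f"on 8.3 match real IP {real} (object {name})")
    return findings
```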

20 Replies

Panos Kampanakis
Cisco Employee

In 8.2 and earlier it will look like

static (inside,outside) tcp  https  https

In 8.3

object network objectname

   host

   nat (inside,outside) static service tcp 443 443

I hope it helps.
PK

Thanks for your quick reply PK,

I managed this, but I think I've misunderstood the firewall setting... I've set the ACL to accept inbound traffic to the outside interface with source any and destination with service tcp/https, but it still gets blocked. Any idea?

I've read some more in the "book" and I'm starting to wonder if I have to add an ACL rule to the inside interface as well?!?

Thanks,

Eivind

Hi,

If you're running 8.3 you must use real IP not global IP

Regards.

Don't forget to rate helpful posts.

ehmmm...

Maybe my English is not that good, but by global IP I meant "public IP".

Thanks,

Eivind

As cadetalain suggested, in 8.3 the ACL on the outside must allow traffic destined to the private/local IP of the server, not the global. Then it will work.

I hope it helps.

PK

OK,

Thank you guys. What about v8.2? Is the ACL setup the same?

In 8.2 you use the global IP. That was a change between 8.2 and 8.3.

PK


Hi,

Thanks, I got the natting working but I still get an ACL deny on the outside interface.

3  Dec 08 2010  14:17:49  46923  443  TCP access denied by ACL from /46923 to outside:/443

Any ideas???

Thanks,

Eivind

Hmmm... Make sure that you do not have a typo in the public IP address.

Make sure there are no denies above the permit that you added for the public IP address.

Add the permit as line 1 and see if that works.

access-list outside-acl line 1 permit tcp any host p.p.p.p eq 443

where p.p.p.p is the public IP.

-KS

Hi,

I'm running 8.3 and I was told to use the local IP address, not public. I tried both and it still didn't work. Here's my config:

object network TK-test
 host
!
object network TK-test
 nat (inside,outside) static service tcp https https
!
!
access-list outside_access_in extended permit tcp any object TK-test eq https
!
access-group outside_access_in in interface outside
!

Thanks,

Eivind

You were told to use local IP only in the ACL with 8.3.

object network TK-test
 nat (inside,outside) static <local ip> service tcp https https  ---> change this to public IP.

Please follow the sample that I typed up for both 8.2 and 8.3.

-KS

Sorry about that,

Get the following error:

ERROR: Address overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

???

Thanks,

Eivind

If your global is the interface IP then

object network TK-test
   nat (inside,outside) static interface service tcp https https

I hope it does it.

PK
