12-07-2010 12:08 PM - last edited on 03-25-2019 05:45 PM by ciscomoderator
Hi everyone,
I'm fairly new to the ASA box and I'm wondering how to set up NAT on the ASA. I want to use HTTPS on the global IP to reach an inside IP which has the HTTPS server. I'm used to routers with ACLs and this is quite a transition.
Thanks,
Regards
Eivind
12-08-2010 06:43 AM
object network TK-test
nat (inside,outside) static <local ip> service tcp https https ---> change this to public IP.
You need to change the local IP to the keyword "interface"
object network TK-test
nat (inside,outside) static interface service tcp https https
Test it out and let us know.
PS. ASDM listens on 443. I am not sure if you have "http server enable" command in there. If so you need to change the port.
-KS
12-09-2010 12:54 AM
Hi,
I did a factory default today. Configured everything from scratch and followed your guide, and now I've got everything up and running. Thank you for your help and quick responses.
Thanks,
Eivind
12-08-2010 06:56 AM
Got one step further;
4 | Dec 08 2010 | 15:53:39 | 58370 | 443 | Deny tcp src outside: |
the access group has the following setup;
!
access-group outside_access_in in interface outside
Output from packet trace states;
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network TK-test
nat (inside,outside) static interface service tcp https https
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks,
Eivind
12-08-2010 07:05 AM
Check asdm like i mentioned in my previous post.
-KS
12-08-2010 07:19 AM
I tried changing the ports to 5001 instead of 443, and the results are the same.
I did, however, have the http server enable command. So that would have messed things up.
Still stuck.
Regards,
Eivind
12-08-2010 07:28 AM
Change the http server enable command to a different port:
conf t
http server enable 9443
You can leave the NAT line as it is.
Make sure the ACL applied on the outside has the real/public IP of the server. If it still has a deny in the syslog, try adding it as line 1:
access-list outside-acl line 1 permit tcp any host i.i.i.i eq 443
And if that doesn't work, please open a TAC case, as we have gone back and forth many times and haven't gone very far with this.
-KS
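Putting the pieces from the thread together, here is a complete ASA 8.3+ configuration for publishing an inside HTTPS server on the outside interface address. This is an added example, not the original poster's or KS's configuration; the object name WEB-SERVER, the server address 10.1.1.20, the admin network 198.51.100.0/24, the outside address 203.0.113.1 and the test source 192.0.2.55 are placeholders. Two points a practitioner should check that the thread only touches on: ASDM must be moved off TCP/443 before the static PAT on the interface address will work, and on ASA 8.3 and later the ACL applied to the outside interface must match the real (untranslated) inside address of the server, because NAT is applied before the ACL is evaluated for inbound traffic.

```cisco
! Added example (placeholder names and addresses), ASA 8.3 or later.

! 1. Move ASDM/HTTPS management off TCP/443 so it does not collide with the
!    port-forward, and restrict management access to the admin network only.
http server enable 9443
http 198.51.100.0 255.255.255.0 inside

! 2. Object NAT: the real inside host is translated to the outside interface
!    address for TCP/443 only (static PAT). No other ports are exposed.
object network WEB-SERVER
 host 10.1.1.20
 nat (inside,outside) static interface service tcp https https

! 3. Inbound ACL on the outside interface. Because NAT is undone before the
!    ACL runs, the destination is the REAL inside address (via the object),
!    not the outside interface address.
access-list outside_access_in extended permit tcp any object WEB-SERVER eq https
access-group outside_access_in in interface outside

! 4. Verification. packet-tracer simulates an inbound SYN from an arbitrary
!    Internet host to the outside interface address; expect the NAT phase to
!    show the translation and the final result to be ALLOW rather than
!    "acl-drop" or "rpf-check".
packet-tracer input outside tcp 192.0.2.55 40000 203.0.113.1 443
show nat detail
show xlate
```

If packet-tracer still reports an acl-drop after this, the usual cause is an ACL entry written against the public address (pre-8.3 style); if it reports a drop in the NAT rpf-check phase, the object NAT line is not matching the interface or service you expect, and `show nat detail` will show which rule is being hit.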