02-11-2009 05:26 PM - edited 03-11-2019 07:49 AM
Webserver Real Inside address: 192.168.0.100
Webserver static translation address: 999.25.160.166.
I can ping 999.25.160.166 from the Internet and access server 999.25.160.166 by remote desktop on port 3389.
But I cannot access the web server at 999.25.160.166, and I am sure the web service on 999.25.160.166 is OK; I can access the web server at 192.168.0.100 from inside.
My configuration:
ASA Version 7.2(4)
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 999.25.160.165 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.54 255.255.255.0
!
boot system disk0:/asa724--k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
access-list inside_access_in extended permit ip host 192.168.0.100 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.0.0 192.169.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in extended permit tcp any host 999.25.160.164 eq 81
access-list outside_access_in extended permit ip any host 999.25.160.166
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.1.2.100-10.1.2.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 999.25.160.164 81 192.168.0.123 81 netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.168.0.55 telnet netmask 255.255.255.255
static (inside,outside) 999.25.160.166 192.168.0.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 999.25.160.161 1
route inside 192.168.0.0 255.255.0.0 192.168.0.55 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.169.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a6af5c66c9acecc9921e4af8c237e53
: end
Thanks for any suggestion.
02-11-2009 07:57 PM
Hi,
Your NATing & access-list are good.
Please add http inspection to the policy-map global_policy.
policy-map global_policy
 class inspection_default
  inspect http
Regards
Jithesh
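An offline check of the NAT and ACL lines discussed in this thread, added here as an example and not part of the original posts: the Python below walks the `static` and `access-list` statements copied from the posted configuration and reports what an outside TCP connection is translated to and which ACL entry matches it. It assumes pre-8.3 ASA behaviour (the outside ACL is matched against the translated address) and handles only the statement forms that appear in this configuration; the function names are illustrative.

```python
import re

# Lines copied from the configuration posted in the question (addresses as posted).
CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in extended permit tcp any host 999.25.160.164 eq 81
access-list outside_access_in extended permit ip any host 999.25.160.166
static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 999.25.160.164 81 192.168.0.123 81 netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.168.0.55 telnet netmask 255.255.255.255
static (inside,outside) 999.25.160.166 192.168.0.100 netmask 255.255.255.255
"""
OUTSIDE_IP = "999.25.160.165"        # outside interface address in the posted config
PORTS = {"telnet": 23, "www": 80}    # ASA port keywords handled by this example

def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)
def addr(tok):
    return OUTSIDE_IP if tok == "interface" else tok

def translate(dst, dport, cfg=CONFIG):
    """Return (real_ip, real_port) that an outside connection to dst:dport maps to."""
    one_to_one = None
    for line in cfg.splitlines():
        f = line.split()
        if f[:2] != ["static", "(inside,outside)"]:
            continue
        if f[2] == "tcp":                       # port redirection: one port only
            if addr(f[3]) == dst and port(f[4]) == dport:
                return f[5], port(f[6])
        elif addr(f[2]) == dst:                 # one-to-one static: every port
            one_to_one = (f[3], dport)
    return one_to_one

def acl_match(dst, dport, acl="outside_access_in", cfg=CONFIG):
    """First entry matching TCP any -> dst:dport, or None (implicit deny)."""
    pat = re.compile(rf"access-list {acl} extended (permit|deny) (tcp|ip) any "
                     r"(?:host (\S+)|interface outside)(?: eq (\S+))?$")
    for line in cfg.splitlines():
        m = pat.match(line)
        if m and (m[3] or OUTSIDE_IP) == dst and (m[4] is None or port(m[4]) == dport):
            return m[1], m[2], line
    return None

def wide_open_hosts(acl="outside_access_in", cfg=CONFIG):
    """Translated addresses permitted on every protocol and port."""
    return re.findall(rf"^access-list {acl} extended permit ip any host (\S+)$", cfg, re.M)
```

For 999.25.160.166 port 80 this returns the one-to-one static to 192.168.0.100 and the `permit ip any host` entry. `wide_open_hosts()` lists that same address because the entry admits every protocol and port, where a `permit tcp any host 999.25.160.166 eq www` entry would cover a web server.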