Can't NAT to internal webserver

object network mgmt
nat (mgmt,outside) dynamic interface
object network web
nat (web,outside) dynamic interface
object network email
nat (email,outside) dynamic interface
object network home_net
nat (home_net,outside) dynamic interface
object network external
nat (web,outside) static webserver net-to-net service tcp www www

access-list outside_access_in extended permit tcp object external object webserver
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp object external object webserver eq www
access-list outside_access_in extended permit tcp any object external eq www

Accepted Solution

The network object (external) where the NAT rule is applied should be the object that includes the private IP address of your web server, and the network object webserver should be the one that includes your web server public IP.

object network external
nat (web,outside) static webserver net-to-net service tcp www www

Was the net-to-net keyword added intentionally? If not, please remove it, keeping everything else on that line. Also, you don't need these rules:

access-list outside_access_in extended permit tcp object external object webserver
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp object external object webserver eq www

Finally, remove the NAT of the network object web if that is configured with the same host IP.

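The layout the accepted solution describes, written out as one complete configuration. This is an added example, not configuration from the original thread: the public address 203.0.113.10 and the tracer source 198.51.100.7 are documentation-range placeholders standing in for the poster's redacted <external_ip>, and the object names webserver-real and webserver-public are chosen here; the interface names and the 172.17.50.9 host are the thread's own.

```cisco
! Added example (not from the thread): publish 172.17.50.9 on TCP/80 behind a
! dedicated public IP on an ASA 8.3+ style config. 203.0.113.10 is a placeholder
! for the thread's redacted <external_ip>.
!
! Object holding the REAL (inside) address. The object NAT statement lives on
! this object, and the mapped object is named as the translation target.
object network webserver-real
 host 172.17.50.9
 nat (web,outside) static webserver-public service tcp www www
!
! Object holding the MAPPED (public) address. No nat line here.
object network webserver-public
 host 203.0.113.10
!
! Post-8.3 ACLs match on REAL addresses, so the permit names the private
! object, not the public object and not "interface outside".
access-list outside_access_in extended permit tcp any object webserver-real eq www
access-group outside_access_in in interface outside
!
! The existing PAT for the rest of the web subnet can stay: within object NAT,
! static rules are evaluated before dynamic ones, so 172.17.50.9:80 hits the
! static entry above and everything else on the subnet still PATs out.
object network web
 subnet 172.17.50.0 255.255.255.0
 nat (web,outside) dynamic interface
!
! Verification: the UN-NAT phase should now show the public address being
! untranslated to 172.17.50.9, not to itself as in the thread's trace.
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.10 80
```

The three manual `nat (web,outside) source static ...` lines visible in the poster's `sh run nat` output have to go as well: manual (section 1) NAT is evaluated before object NAT, so `source static external interface` would keep matching first and packet-tracer would again report the public address untranslated to itself. If the server should answer on the outside interface's own address instead of a dedicated public IP, replace the mapped object with the `interface` keyword: `nat (web,outside) static interface service tcp www www`.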


balaji.bandi (Hall of Fame)

We do not see any information related to the web object, or what ASA model and code it is running.

Can you post the below output:

#show run object

Confirm: from internally, are you able to browse the internal web server?

General syntax will be:

object network web
host 10.10.10.10   <<-- this is your web server IP
nat (web,outside) dynamic interface

BB


object network mgmt
subnet 172.16.50.0 255.255.255.0
object network web
subnet 172.17.50.0 255.255.255.0
object network email
subnet 172.18.50.0 255.255.255.0
object network home_net
subnet 172.19.50.0 255.255.255.0
object network webserver
host 172.17.50.9
object network external
host <external_ip>

And yes, internally I can get to the webserver.

object network mgmt
subnet 172.16.50.0 255.255.255.0
object network web
subnet 172.17.50.0 255.255.255.0
object network email
subnet 172.18.50.0 255.255.255.0
object network home_net
subnet 172.19.50.0 255.255.255.0
object network webserver
host 172.17.50.9
object network external
host

.....

Still unable to get to the webserver - I may not be understanding something.

ciscoasa(config)# packet-tracer input outside tcp 123.123.123.123 12345 <external_ip> 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (web,outside) source static external interface
Additional Information:
NAT divert to egress interface web
Untranslate <external_ip>/80 to <external_ip>/80

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any interface outside eq www
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (web,outside) source static external interface
Additional Information:
Static translate 123.123.123.123/12345 to 123.123.123.123/12345

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (web,outside) source static external interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 87626, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: web
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# sh run access-list
access-list outside_access_in extended permit tcp object external object webserver
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp object external object webserver eq www
access-list outside_access_in extended permit tcp any object external eq www
access-list IPS extended permit ip any any
ciscoasa(config)# sh run access-group
access-group outside_access_in in interface outside
ciscoasa(config)# sh run nat
nat (web,outside) source static webserver webserver
nat (web,outside) source static external interface
nat (web,outside) source static external external destination static webserver webserver
!
object network mgmt
nat (mgmt,outside) dynamic interface
object network web
nat (web,outside) dynamic interface
object network email
nat (email,outside) dynamic interface
object network home_net
nat (home_net,outside) dynamic interface

There are many, many NATs; delete all and add the below.

NAT

object network WebServer-external-ip
 host "public ip of server"
!
object network WebServer
 host "private ip of server"
 nat (web,outside) static WebServer-external-ip service tcp www www
!
! ACL matches the real (private) address on ASA 8.3+, so it names WebServer
access-list outside_acl extended permit tcp any object WebServer eq www

Note: change the names as you want.

