02-12-2017 09:57 AM - edited 03-12-2019 01:55 AM
Hi,
I've recently set up an ASA 5506-X as my main gateway device for my home LAN environment. Thanks to good OOB settings on the ASA I managed to set up internet access for my home LAN quite easily, but now I need to access my LAN from the outside as well. I'd like to access a web server running on my LAN but I can't seem to configure the correct ACL and NAT rule for that to happen. I'm confused :s
I've added a look-alike setup which I found on the internet, so the addresses aren't real, but for the sake of this discussion the addressing itself doesn't matter. I just need to know what I am doing wrong or what faulty logic I am applying.
- Addresses from the inside network are translated dynamically (PAT) to the outside interface.
- I did configure a static address on the ASA outside interface + added a static default route to the ISP modem/router.
- By default, the ASA allows any traffic (IP) from secure networks to less secure networks (outside), hence my internet connection works fine!
Now I need to allow access to the host (web server) on my LAN from the outside and after numerous attempts, I still can't get it working. I am aware that both my ISP router and the ASA are performing NAT. Therefore I configured the ISP router to do a port forward of any traffic - using destination port 80 (web server) - to forward it to the ASA outside interface ip address. From there on, I'm stuck.
Any help would be greatly appreciated!
Thanks in advance!
02-12-2017 03:15 PM
Do you have a sanitized config that you can attach to this thread?
The following guide should help you set up external access for web servers internal to the ASA:
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc8
02-13-2017 12:34 AM
Hello,
Thanks for reaching out. I had just found the same URL/information as well. I will give it a go and if it doesn't work from there, I'll post my config.
Thanks again!
Kristof
02-13-2017 11:44 AM
Hi,
After carefully reading the article provided, I can't manage to get this working. I can't seem to translate my inside host's IP address to an outside address.
[ERROR] nat (inside,outside) static 192.168.0.254 service tcp 5001 5001
Address 192.168.0.254 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
This error shows up each time I try to NAT (static, dynamic or PAT) my inside host's private address to the outside address.
As I stated earlier, I have a double NAT taking place because of the ISP modem/router's subnet being the 'private WAN SUBNET' in front of the ASA(outside interface). The attached config doesn't contain any NAT configuration because I wanted to start from a clean slate each time I tried some configuration. However, the above error and the config file provided should provide enough clues regarding the issue I'm facing.
Using the official configuration document you provided, I thought I would be able to pull it off by using the following part of the config guide:
Unfortunately this didn't work for me. I sincerely hope you can help me out because I'm in the dark here!
Thanks in advance!
Kristof
02-14-2017 04:32 AM
Try this:
nat (inside,outside) static interface service tcp 5001 5001
Also, you will need an ACL entry on the outside allowing inbound connections to host ip address on port 5001. ASA by default does not allow traffic from lower security (outside) to higher security (inside) without explicitly allowing it via ACL, or if it is a return traffic for inspected forward traffic.
This guide has the example for it:
http://www.petenetlive.com/KB/Article/0000077
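As an added example (not part of Rahul's post, the Cisco document or the PeteNetLive article), here is the complete object-NAT plus ACL configuration that the one-line answer above belongs to, in ASA 8.3+ syntax. The inside host address 10.0.0.10 and the object/ACL names are constructed placeholders; the port 5001 and the "static interface" form come from the thread. It also shows why the earlier attempt failed: a literal mapped address that equals the outside interface IP is rejected with the "overlaps with outside interface address" error, whereas the keyword interface tells the ASA to borrow the interface address itself.

```cisco
! Added example configuration, not from the thread. Addressing is constructed:
! 10.0.0.10 stands for the real inside web host; names are placeholders.
object network WEB-SERVER
 host 10.0.0.10
 ! Publish TCP/5001 on the outside interface address. Use the keyword
 ! "interface" rather than typing the interface's own IP as the mapped
 ! address; the literal form is what produces
 ! "Address ... overlaps with outside interface address".
 nat (inside,outside) static interface service tcp 5001 5001
!
! Inbound ACL on the lower-security interface. ASA 8.3+ evaluates the ACL
! on the real (untranslated) destination, so reference the object, not the
! outside address, and permit only the single published port.
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq 5001
access-group OUTSIDE-IN in interface outside
!
! Read-only verification commands:
! show nat detail
! show xlate
! packet-tracer input outside tcp 203.0.113.5 40000 <outside-interface-ip> 5001
```

Two points worth checking on a double-NAT setup like the one in this thread: the ISP router's port forward has to target the same port the ASA maps (forwarding 80 while the ASA listens on 5001 will never match), and the ACL should stay limited to that one port and that one host so that the only thing reachable from the outside is the service you intended to publish. packet-tracer will show whether the NAT and ACL phases both pass before any real traffic is sent.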
02-14-2017 11:24 AM
Hello Rahul,
Thanks a lot, it works now. Like the article from petenetlive.com says so peculiarly: "it confuses the hell out of a lot of people" :)
Even though I knew what to do on a conceptual level - and having worked on ASA professionally - I didn't have enough practice yet applying NAT rules on ASA. So, I'm very happy to have had this opportunity now and most likely many more educational situations to come!
Cheers!
Kristof