12-15-2012 05:59 AM - edited 03-11-2019 05:37 PM
Hi,
The network is simple, like this:
lan-------------(gi 1)--asa5520--(gi 0)--------------wan
LAN subnet is: 192.168.0.0/24
WAN: only one IP address, 1.1.1.1
The requirement was: allow all LAN hosts to access the internet.
There is a WWW server (192.168.1.10) in the LAN. It needs to serve the internet.
I configured the ASA like this:
interface gi 0
 nameif outside
 ip add 1.1.1.1 255.255.255.252
interface gi 1
 nameif inside
 ip add 192.168.1.1
object network lan_hosts
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) after-auto dynamic source interface
object network www_host
 host 192.168.1.10
 nat (inside,outside) static interface service tcp http http
After that, I accessed http://1.1.1.1 from the internet, but the port redirection didn't work.
What's wrong?
Can someone help me?
Thanks.
12-15-2012 06:05 AM
Hi,
Although I can't see anything wrong with the actual NAT configurations I would suggest the following for them
Default PAT for LAN
object-group network DEFAULT-PAT-LAN-SOURCE
 network-object 192.168.1.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-LAN-SOURCE interface
Port Forward configurations you can leave them as is.
Have you opened the traffic with ACL also?
For example
access-list OUTSIDE-IN Remark Allow HTTP for Server
access-list OUTSIDE-IN permit tcp any object www_host eq www
access-group OUTSIDE-IN in interface outside
Please rate if you have found the information helpful. Ask more questions if needed.
- Jouni
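The check the reply above points at, as an added example (not code from the thread or from Cisco): a small Python audit that flags static port-forward objects on the outside interface that have no matching permit in an ACL applied inbound there. It assumes ASA 8.3+ object NAT syntax, where the ACL references the real host and real port, and handles only `permit tcp|udp any object NAME eq PORT` rules; the function name and the sample configs (built from the thread's addresses) are constructed.

```python
import re

# Constructed sample configs using the thread's addresses (ASA 8.3+ syntax).
NAT_ONLY = """\
object network www_host
 host 192.168.1.10
 nat (inside,outside) static interface service tcp http http
"""
WITH_ACL = NAT_ONLY + """\
access-list OUTSIDE-IN remark Allow HTTP for Server
access-list OUTSIDE-IN permit tcp any object www_host eq www
access-group OUTSIDE-IN in interface outside
"""

PORT_ALIASES = {"www": "80", "http": "80", "https": "443"}

def _port(name):
    # Normalise named ports so "http" in NAT matches "www" in the ACL.
    return PORT_ALIASES.get(name, name)

def unreachable_port_forwards(config, outside="outside"):
    """Return (object, proto, real_port) for each static port forward on
    `outside` that no ACL bound inbound on that interface permits."""
    lines = config.splitlines()
    iface = re.escape(outside)
    # ACL names actually applied inbound on the outside interface.
    bound = {m.group(1) for l in lines
             if (m := re.match(rf"access-group (\S+) in interface {iface}\s*$", l))}
    permitted = set()
    for l in lines:
        m = re.match(r"access-list (\S+) (?:extended )?permit (tcp|udp) any "
                     r"object (\S+) eq (\S+)", l)
        if m and m.group(1) in bound:
            permitted.add((m.group(3), m.group(2), _port(m.group(4))))
    missing, obj = [], None
    for l in lines:
        if (m := re.match(r"object network (\S+)", l)):
            obj = m.group(1)
        elif not l.startswith(" "):
            obj = None  # left the object's sub-command block
        elif obj and (m := re.match(
                rf"\s+nat \(\S+,{iface}\) static \S+ service (tcp|udp) (\S+) \S+", l)):
            fwd = (obj, m.group(1), _port(m.group(2)))  # real port comes first
            if fwd not in permitted:
                missing.append(fwd)
    return missing

if __name__ == "__main__":
    print(unreachable_port_forwards(NAT_ONLY))   # forward with no ACL
    print(unreachable_port_forwards(WITH_ACL))   # forward permitted
```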
12-15-2012 07:25 AM
Thanks.
I am a new guy to the Cisco ASA firewall.
I forgot to add an access-list on the outside.
Now everything works fine.
12-15-2012 07:27 AM
No problem,
Please rate and mark the question as answered.
- Jouni