Help with my first ASA config. (NAT/PAT)

jeffrey77
Level 1

I am trying to set up NAT/PAT for access to a webserver behind the ASA.  (Running 8.4)

I have a single Static IP on the outside interface (70.102.23.xxx) and I have a webserver with an IP of 192.168.0.1 and I need to make sure all http requests are sent to it.

I can do this in an IOS router pretty well, but in the ASA I seem to get turned around pretty easily.  I would like to do it via CLI but will accept help with doing it via ASDM as well.

I already have created an access list to allow the traffic to the webserver.

access-list outside_access_in extended permit udp any any eq www

access-list outside_access_in extended permit tcp any any eq www

Thanks in advance.

Jeffrey

35 Replies

Hi,

We basically only see TCP SYN as indicated by the "S".

If this is all that is seen by the ASA then it means that the server is not replying or sending anything back to the ASA.

- Jouni

So it is an issue with the server?

I also SSLVPN'd into the network and am not able to ssh into the box from there over 22 or 39124... I should be able to do so from the SSLVPN remote network of 100.100, correct?

For testing purposes, to see if it is responding on port 22, how would I modify the NAT rule to send anything coming in on 39124 to the server on port 22?

Would it be like this:

object network WEB-SERVER-TCP39214

nat (inside,outside) static interface service tcp 39124 22

?

Hi,

The ports are the other way around:

object network WEB-SERVER-TCP39214

  nat (inside,outside) static interface service tcp 22 39124

Real ports first and then the mapped port.

Also remember that you will need an ACL rule allowing traffic to the real port of TCP/22 instead of the mapped port. Just like it is with the IP address where we use the real IP address.

- Jouni
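
The real-then-mapped ordering from the reply above, put together with the matching ACL entry, as an added example that is not part of the original thread. It assumes the server is the 192.168.0.1 host from the original question and that outside_access_in is the ACL bound to the outside interface; 203.0.113.10 is a constructed admin source address and <outside-interface-ip> is a placeholder.

```cisco
! Static PAT: real port first (TCP/22 on the server), mapped port second
! (TCP/39124 on the outside interface address).
object network WEB-SERVER-TCP39214
 host 192.168.0.1
 nat (inside,outside) static interface service tcp 22 39124
!
! On 8.3 and later the interface ACL is matched against the real address and
! real port, so the permit names 192.168.0.1 and port 22, not the outside IP
! or port 39124. The source is limited to one (constructed) admin address
! instead of "any" so the SSH test port is not open to the whole Internet.
access-list outside_access_in extended permit tcp host 203.0.113.10 host 192.168.0.1 eq 22
access-group outside_access_in in interface outside
!
! Verification from the ASA itself: simulate a connection arriving on the
! mapped port and confirm the UN-NAT and ACCESS-LIST phases both allow it.
packet-tracer input outside tcp 203.0.113.10 50000 <outside-interface-ip> 39124
!
! Confirm the rule is installed and watch its hit counters during the test.
show nat detail
show xlate
```

If packet-tracer reports the flow as allowed but a capture still shows only SYN packets, the drop is happening beyond the ASA, which matches the server-side diagnosis given earlier in the thread.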

I think I see it. When I did the test I put in the Default Gateway and not the IP of the outside interface.

Yes I do see it:

Gateway of last resort is 10.102.23.161 to network 0.0.0.0

Thanks again much!
