08-11-2014 08:56 PM - edited 03-11-2019 09:37 PM
In our Cisco ASA, we created a 1-to-1 NAT (public IP x.x.x.174 and private IP 172.16.80.9). The Windows 2008 R2 web server, using private IP 172.16.80.9 and default gateway 172.16.80.1, can access the Internet. But people outside on the Internet can’t access the web server even though the ports are open and we can access it internally. If I google my IP on the web server, it shows x.x.x.194, which is the outside interface of the Cisco ASA. That tells me the web server is connecting to the Internet using private network default gateway 172.16.80.1 and public IP x.x.x.193 for outgoing and incoming. That is why outside people can’t access the web server. What’s the correct way to set up the web server TCP/IP to use the NAT?
08-11-2014 11:49 PM
Hi,
If you have the proper rules set for the inbound from the outside world and if you have the proper static NAT configured for your web server IP in fw, then it should be okay for you....
See the below mentioned sample
The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 30-1).
Figure 30-1 Static NAT for an Inside Web Server
Step 1 Create a network object for the internal web server:
hostname(config)# object network myWebServ
Step 2 Define the web server address:
hostname(config-network-object)# host 10.1.2.27
Step 3 Configure static NAT for the object:
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10
When you are going out, you are preferred to go out via generic PAT; that's why you are seeing your IP as interface (PAT IP)....
Do you have any after-auto statements in your config?
Regards
Karthik
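The static NAT from the reply above, applied to the addresses in the question together with the inbound rule and checks it mentions, as an added example that is not part of the original thread. The names WEB-SRV and OUTSIDE-IN, the interface name inside, ports 80/443, and the addresses 203.0.113.174 (standing in for the masked x.x.x.174) and 198.51.100.10 (a test client) are assumptions.

```cisco
! Added example, not from the thread. WEB-SRV and OUTSIDE-IN are hypothetical names.
! 203.0.113.174 is a documentation address standing in for the masked x.x.x.174.
object network WEB-SRV
 host 172.16.80.9
 nat (inside,outside) static 203.0.113.174
!
! With the object NAT syntax used here (ASA 8.3 and later), the outside ACL
! is written against the real (private) address, not the public one.
! If an ACL is already applied inbound on outside, add the permit lines to
! that ACL instead of applying a new access-group.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq www
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq https
access-group OUTSIDE-IN in interface outside
!
! Checks from privileged EXEC:
! confirm the static rule exists and is taking hits
show nat detail
! confirm a translation for the server is installed
show xlate
! simulate an inbound connection from a constructed Internet client;
! the output names the NAT rule and ACL that matched, or the phase that dropped it
packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.174 80
```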
08-12-2014 10:34 AM
Thank you for the tip. The problem is I mis-configured the outside interface. Does the web server always use the PAT to access the Internet?
08-12-2014 10:52 AM
Hi,
Yeah, in the default scenario it does like that because of the prioritization of the rule. If you want, you need to prioritize that to use the NAT while going out as well.....
But that is not to be worried until and unless you have a specific requirement.
Regards
Karthik