Re: NAT for web server in DMZ

abob21 · ‎12-02-2017

Hello !

I am doing NAT lab in GNS3 with ASAv & trying to allow web server in "dmz" zone access from "outside" and "inside" zone by using "object nat". But both outside & inside failed access to DMZ's web server. The acls are already in place. I've attached my config as below, kindly advise me the points I'm missing..

#######################################################

ASAv/act/pri(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 DMZ 192.168.1.1 255.255.255.0 CONFIG
GigabitEthernet0/1 outside 172.16.32.1 255.255.255.0 CONFIG
GigabitEthernet0/2 inside 192.168.30.1 255.255.255.0 CONFIG
GigabitEthernet0/3 folink-1 10.1.1.1 255.255.255.252 unset
GigabitEthernet0/4 folink-2 10.2.2.1 255.255.255.252 unset

#######################################################

ASAv/act/pri(config)# sh run object
object network Inside-LAN
subnet 192.168.30.0 255.255.255.0
object network DMZ-Zone
subnet 192.168.1.0 255.255.255.0
object network Web-Public
host 172.16.32.100
object network Web-Internal
host 192.168.1.254

#############################################
ASAv/act/pri(config)# sh run | i DMZ-IN|OUTSIDE-IN
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.254 eq 8080
access-list DMZ-IN extended permit icmp any any
access-list DMZ-IN extended permit tcp any host 192.168.1.254 eq 8080
access-group DMZ-IN in interface DMZ
access-group OUTSIDE-IN in interface outside

Regards,

Bob

abob21 · ‎12-02-2017

NAT details as below:

ASAv/act/pri# sh nat

Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static Web-Internal Web-Public service tcp 8080 8080
translate_hits = 0, untranslate_hits = 0

2 (DMZ) to (outside) source dynamic DMZ-Zone interface
translate_hits = 0, untranslate_hits = 0

3 (inside) to (outside) source dynamic Inside-LAN interface
translate_hits = 0, untranslate_hits = 0