Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
621
Views
0
Helpful
1
Replies

NAT not work in ASA 9.4(2)

cwhlaw2009
Level 1
Level 1

‎01-21-2016 11:00 AM - edited ‎02-21-2020 05:42 AM

My asa 5512 connect netgear switch gs724t and create two vlan, vlan2 connect web server, vlan3 connect switch. I can ping each device from internal. And then I test nat, I want to set  ISP_IP:443 from external can connect internal web_server_IP:443 and input ISP_IP:80 can connect internal switch_ip:80. But I can't. I googled and follow a lot of guide i still can't connect to my web_server and switch. This is my config. I don't know missing which step.

Result of the command: "show run"

: Saved

:
: Serial Number: XXXXXXXXXXXX
: Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2792 MHz, 1 CPU (2 cores)
:
ASA Version 9.4(2)
!
hostname XXXXXXXXXXXX
enable password XXXXXXXXXXXX encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
names
ip local pool VPN_Pool XXXXXXXXXXXXXXXXXXXX mask XXXXXXXXXXX
!
interface GigabitEthernet0/0
nameif ISP1
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif ISP2
security-level 0
ip address XXXXXXXXXXXX
!
interface GigabitEthernet0/2
nameif ISP3
security-level 0
ip address XXXXXXXXXXXXXXXX
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.3
vlan 3
nameif vlan3
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4.2
vlan 2
nameif vlan2
security-level 100
ip address 172.16.3.254 255.255.252.0
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa942-smp-k8.bin
ftp mode passive
clock timezone HKST 8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network XXXXXXXXXXXX
host XXXXXXXXXXXX
object service XXXXXXXXXXXX
service XXXXXXXXXXXX
object network XXXXXXXXXXXX
host XXXXXXXXXXXX
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network vlan3
subnet 192.168.3.0 255.255.255.0
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network vlan2
subnet 172.16.0.0 255.255.252.0
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object service XXXXXXXXXXXX
service XXXXXXXXXXXX
object network XXXXXXXXXXXX
host XXXXXXXXXXXX
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network XXXXXXXXXXXX
subnet XXXXXXXXXXXX
object network web_http
host 172.16.3.250
object network switch3
host 192.168.3.253
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list ISP1_access_in extended permit icmp any any
access-list ISP1_access_in extended permit tcp any object switch3 eq www
access-list ISP1_access_in extended permit tcp any object web_http eq https
access-list ISP1_access_in extended permit ip any any
access-list vlan3_access_in extended permit ip any any
access-list vlan2_access_in extended deny icmp any any
access-list vlan2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ISP1 1500
mtu vlan3 1500
mtu vlan2 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
no-proxy-arp route-lookup
!
object network obj_any
nat (vlan2,ISP1) dynamic interface
object network vlan3
nat (vlan3,ISP1) dynamic interface
object network web_http
nat (vlan2,ISP1) static interface service tcp https https
object network switch3
nat (vlan3,ISP1) static interface service tcp www www
access-group ISP1_access_in in interface ISP1
access-group vlan3_access_in in interface vlan3
access-group vlan2_access_in in interface vlan2
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface ISP1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate XXXXXXXXXXXX
XXXXXXXXXXXX
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable ISP1
crypto ikev2 remote-access trustpoint XXXXXXXXXXXX
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access vlan3
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 43200
dhcpd auto_config ISP1
!
dhcpd address XXXXXXXXXXXX vlan3
dhcpd enable vlan3
!
dhcpd address XXXXXXXXXXXX vlan2
dhcpd enable vlan2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect image disk0:/anyconnect-win-4.2.00096-k9.pkg 1
anyconnect profiles Anyconnect_client_profile disk0:/Anyconnect_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
no error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_Anyconnect internal
group-policy GroupPolicy_Anyconnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value Local_LAN_Access
default-domain none
split-tunnel-all-dns enable
webvpn
anyconnect profiles value Anyconnect_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username matrix password 4lqk0AlfYxE0RTdb encrypted
tunnel-group Anyconnect type remote-access
tunnel-group Anyconnect general-attributes
address-pool VPN_Pool
default-group-policy GroupPolicy_Anyconnect
tunnel-group Anyconnect webvpn-attributes
group-alias Anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:XXXXXXXXXXXX
: end

0 Helpful
1 Reply 1

Syed Taukir
Level 1
Level 1

‎01-30-2016 08:04 AM

Hi

Check the packet-tracer output for 80 and 443

packet-tracer input inside tcp 1.1.1.1 12345 <ISP1 address> 80 detail

packet-tracer input inside tcp 1.1.1.1 12345 <ISP1 address> 443 detail

Click packet tracer document for more information.

If it doesn't work, you may add this nat statement and try

nat (vlan2,ISP1) source static web_http <ISP1 ip address>

Be sure to create an object network for ISP1 ip address.

HTH

Syed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card