NAT/PAT Translate any outside request at specific port to inside host port 80

jen
Level 1

Hello there folks.

I've inherited a Cisco ASA 5020 FW with firmware version 8.2(5).

I've not done much NAT-ing on this box, and the question is as follows:

I want to make access to an inside host from any outside host trying to reach my official address at (let's say) 70.70.70.70 at the right port - which is 40000.

The inside host is on the interface called ipvpn with ip-address 172.17.5.90

I obviously have to use PAT to translate the port from 40000 to 80.

What I imagined doing was to make a static NAT on the outside interface, to translate any traffic to 172.17.5.90 with PAT from 40000 to 80. But when I do this I get the message that the source cannot contain 'Any'.

How am I then to accomplish this?

 

Regards //JE


Akshay Rastogi
Cisco Employee

Hi Jen,

As per my understanding, try something like this:

static (inside,outside) tcp 70.70.70.70 40000 172.17.5.90 80 netmask 255.255.255.255

access-list outside_in permit tcp any host 70.70.70.70 eq 40000

access-group outside_in in interface outside

With this, when anybody from outside tries to access 70.70.70.70 on port 40000, the ASA will redirect the traffic to the inside host 172.17.5.90 on port 80.

As you are trying to go from a lower to a higher security zone, you need an access-list to permit that traffic. So configure the access-list as shown above.

Hope it helps.

Regards,

Akshay Rastogi

Thanks for the feedback, I will try as soon as I have the opportunity.

But please clear this up for me: when you write static (inside,outside), doesn't this refer to the interfaces? Wouldn't it then be correct to instead write static (ipvpn,outside)? Or do these terms refer to something else?

Another thing: if I log in to the FW via SSH, I guess I have to go to regular config mode. Am I then supposed to insert the commands exactly like you wrote them, or do I have to enter config mode for the proper interface?

Regards //JE

You reference the interface name so your version is correct.

You do the configuration from regular config mode, it is nothing to do with the actual interface configuration.

Jon

Hi JE,

You are right, the interfaces I mentioned were meant for understanding. You have to mention (ipvpn,outside), considering your internal host is behind ipvpn.

You have to write them under global configuration mode, (conf t)#. It is not an interface sub-command.

Regards,

Akshay Rastogi

Ok guys, so.. now I've looked into this a little bit more.

I see that I should have been a little bit more precise with my interface-names in the beginning, so now I have adjusted these in the commands I have tried to execute.

To clarify:

My official outside-address: 70.70.70.70

Outside-if name: 9-outside

The if on which the host to be reached resides: 4-IPVPN

The host to be reached: 172.17.5.90 on the 4-IPVPN if

Intention: go to a web-browser, type in http://70.70.70.70:40000 to reach my inside host 172.17.5.90

 

What I then try to execute:

static (4-IPVPN,9-outside) tcp 70.70.70.70 40000 172.17.5.90 80 netmask 255.255.255.255

I get the message: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address.

Neither of the hosts is at the moment defined with 'interface' keywords, so how do I get around this? I see that the 4-IPVPN in the NAT syntax is written before the 9-outside, but the following is the other way around; can this be the reason? I won't experiment too much here, so I ask you guys instead.

Regards Jon

Hi Jon,

"ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address."

Your public IP 70.70.70.70 is the IP address of your outside interface; that is why this error came. Therefore configure this:

static (4-IPVPN,9-outside) tcp interface 40000 172.17.5.90 80 netmask 255.255.255.255

Also do not forget to add an access-list, something like the below (edit it accordingly):

access-list outside_in permit tcp any host 70.70.70.70 eq 40000

access-group outside_in in interface outside

Hope it helps.

Regards,

Akshay Rastogi

Hello again Akshay :)

I did a little checking, and entered

static (4-IPVPN,9-outside) tcp interface 40000 172.17.5.90 80 netmask 255.255.255.255

corresponding to what you said.

After that I entered

'access-list outside_access_in permit tcp any host 70.70.70.70 eq 40000'

(the access-group 'outside_access_in' is already present in our system)

access-group outside_access_in in interface 9-outside

But I still can't reach my inside host on the designated port.

 

Regards Jon

Hi Jon,

Run the below packet-tracer:

packet-tracer input 9-outside tcp 4.2.2.2 12345 70.70.70.70 40000 detail

Regards.

Akshay Rastogi

The CLI input had placed itself AFTER a drop rule, so of course it didn't go through. After adjusting this, I get this result:

----

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (4-IPVPN,9-outside) tcp interface 40000 172.17.5.90 www netmask 255.255.255.255
nat-control
  match tcp 4-IPVPN host 172.17.5.90 eq 80 9-outside any
    static translation to 70.70.70.70/40000
    translate_hits = 0, untranslate_hits = 22
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x718e3ad8, priority=5, domain=host, deny=false
    hits=220, user_data=0x7189f588, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=172.17.5.90, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x71688e98, priority=0, domain=inspect-ip-options, deny=true
    hits=91585040, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=0.0.0.0, mask=0.0.0.0, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1484302226, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: 9-outside
input-status: up
input-line-status: up
output-interface: 4-IPVPN
output-status: up
output-line-status: up
Action: allow

----

Then everything should be fine, but I still don't get to my host. The host, however, responds at port 80 from my inside!!!!???

Regards Jon
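To make the two mechanics of this thread concrete, here is an added Python model (not ASA code, and not from any poster): Akshay's static PAT plus inbound ACL, and the first-match ACL evaluation that made the appended ACE dead when it landed after a deny rule. It assumes, as ASA 8.2 does, that the inbound ACL is matched against the original public destination before untranslation, and it uses the interface names, addresses and ACL lines from the thread.

```python
import ipaddress

# Added, simplified model of the ASA 8.2 inbound path from this thread (not ASA code):
# the interface ACL is matched first-to-last against the packet's ORIGINAL public
# destination, then the static PAT line untranslates it to the real host.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}
def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)
def _addr(toks):
    """Consume one ACL address spec: 'any', 'host A', or 'A MASK'."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    return ipaddress.ip_network(t + "/" + toks.pop(0))  # dotted mask is accepted
def parse_ace(line):
    """'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' -> dict."""
    toks = line.split()[2:]
    if toks[0] == "extended":  # implied when omitted, as the thread notes
        toks.pop(0)
    action, _proto = toks.pop(0), toks.pop(0)
    src, dst = _addr(toks), _addr(toks)
    dport = _port(toks[1]) if toks[:1] == ["eq"] else None  # None = any port
    return {"action": action, "src": src, "dst": dst, "dport": dport}
def parse_static(line, if_ips):
    """'static (REAL_IF,MAPPED_IF) tcp MAPPED|interface MPORT REAL RPORT netmask M'."""
    toks = line.split()
    mapped_if = toks[1].strip("()").split(",")[1]
    mapped = if_ips[mapped_if] if toks[3] == "interface" else toks[3]  # 'interface' keyword
    return {"mapped": (mapped, _port(toks[4])), "real": (toks[5], _port(toks[6]))}
def acl_action(pkt, acl):
    """First-match evaluation: an ACE appended after deny-any is never reached."""
    src, _sport, dst, dport = pkt
    for ace in acl:
        if (ipaddress.ip_address(src) in ace["src"] and ipaddress.ip_address(dst) in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL
def inbound(pkt, acl, static):
    """Return ('permit', real dst) or ('deny', None) for pkt = (src, sport, dst, dport)."""
    if acl_action(pkt, acl) == "deny" or pkt[2:] != static["mapped"]:
        return "deny", None  # blocked by the ACL, or no static to untranslate it
    return "permit", static["real"]

IF_IPS = {"9-outside": "70.70.70.70"}  # outside interface address from the thread
STATIC = parse_static("static (4-IPVPN,9-outside) tcp interface 40000 "
                      "172.17.5.90 80 netmask 255.255.255.255", IF_IPS)
WORKING = [parse_ace("access-list outside_access_in permit tcp any host 70.70.70.70 eq 40000")]
MISORDERED = [parse_ace("access-list outside_access_in deny ip any any")] + WORKING  # OP's first try
```

Running `inbound(("4.2.2.2", 12345, "70.70.70.70", 40000), acl, STATIC)` with WORKING yields the real host 172.17.5.90:80, while MISORDERED denies it before the static is ever consulted, which is what the packet-tracer above was used to reveal.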

Hi,

Please share the complete output.

Also, could you please check if your host is responding correctly?

Please take Wireshark captures on your server and see if it is receiving your traffic.

Also take 'capture drop type asp-drop all' and check with 'show cap drop | in 172.17.5.90'. Check this while real traffic is flowing.

Regards,

Akshay Rastogi


Hello again Akshay.

I don't know if I was "too quick" to test when I changed the config; because now - when I get back to my desk - I try again, and IT WORKS!

I will ask you one more thing:

I have this wireless interface, called 6-Public-Internet. I want this net (too) to be able to reach the same host (172.17.5.90). Is there anything more that should be done except making the access-list on 6-Public-Internet that says that net can reach the host on port 80? Do I need NAT-exempt rules in addition?

I have done this:

'access-list PublicInternet_access_in extended permit tcp 192.168.12.0 255.255.252.0 host 172.17.5.90 eq www'

By the way: What is the difference between extended and "only" permit?

Regards once again Jon

Hi Jon,

From the access-list, it looks like the traffic behind the wireless interface is the private subnet 192.168.12.0 and you wish to access 172.17.5.90 on port 80 directly at this IP (without NAT). In that case, yes, just add the access-list on the interface.

There is no difference between 'extended' and only permit. When you do not mention anything, it automatically takes 'extended'. Usually this is to show a difference between a standard access-list and an extended access-list.

Hope it answers your query,

Regards,

Akshay Rastogi


Ok, thanks :) I entered the config above to access this same host from the wireless LAN from 192.168.12.0, as you pointed out in your post. I was unsure whether or not I needed a NO-NAT rule, hence the question. Because when I enter only this access-rule, I don't manage to get through to the host 172.17.5.90. So obviously something is missing or wrong.

Regards Jon