Need help accessing a server from the internet

ArieteCisco
Level 1

I have recently changed my PIX 500E for an ASA 5505 version 9.0(1), but in spite of all the reading about the new NAT commands and similar problems solved, I haven't been able to give access to my http and ftp server from the internet. I think my configuration is OK, but I must be missing something because it doesn't work.

Could you please take a look at my configuration and point out what is wrong?

Thank you

Gerardo

***************************************************************************************************

: Saved
:
ASA Version 9.0(1)
!
hostname ciscoasa1
enable password HK8DwXVw0PRo5n0D encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network my-inside-net
 subnet 192.168.240.0 255.255.255.128
object network MyPublicIP
 host xxx.xxx.xxx.xxx
object network FTP_PAT
 host 192.168.240.19
object network WEB_PAT
 host 192.168.240.19
object network NAT-DYN
 subnet 192.168.240.0 255.255.255.128
access-list inside_access_in extended permit ip object my-inside-net any
access-list inside_access_in extended permit tcp object my-inside-net any
access-list inside_access_in extended permit udp object my-inside-net any
access-list inside_access_in extended permit icmp object my-inside-net any
access-list outside_access_in extended permit tcp any object WEB_PAT eq www
access-list outside_access_in extended permit tcp any object FTP_PAT eq ftp
access-list outside_access_in extended permit icmp any4 any4
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network my-inside-net
 nat (inside,outside) dynamic interface
object network FTP_PAT
 nat (inside,outside) static interface service tcp ftp ftp
object network WEB_PAT
 nat (inside,outside) static interface service tcp www www
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.240.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username MyName password IPks.pvF1fRLc2sc encrypted
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:643794ad28d775a6a849045ced67d284
: end
no asdm history enable

***************************************************************************************************

16 Replies

Hello Oscar,

No, my ISP is Telefonica and its router has NAT deactivated.

Regards

ArieteCisco
Level 1

Thanks to all of you, the problem is now resolved.

It was the zyxel router provided by my ISP. It was configured in routing mode, NAT deactivated, no filtering rules and giving the external IP to my ASA through DHCP, but it kept 3 ports for itself for commissioning: 21, 23 and 80. Once I changed these ports to 2121, 2323 and 8080 they were liberated for the ASA.
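As an added example, not code from the thread or from Cisco, here is a small Python checker that parses the object NAT, outside ACL and HTTP-management lines of an ASA 9.x config like the one posted above and reports any outside ACL entry whose port has no matching static PAT on the same object, plus management access opened to every outside address. It assumes only the `static interface service tcp <real> <mapped>` NAT form used in this config, and SAMPLE_CONFIG is a constructed excerpt of the posted config. A clean NAT/ACL result on the ASA side, as here, is what points the search upstream to the ISP router, where this thread's ports 21, 23 and 80 turned out to be held.

```python
import re
# Constructed excerpt of the ASA 9.0(1) config posted above (NAT, outside ACL, mgmt line).
SAMPLE_CONFIG = """\
object network FTP_PAT
 host 192.168.240.19
object network WEB_PAT
 host 192.168.240.19
access-list outside_access_in extended permit tcp any object WEB_PAT eq www
access-list outside_access_in extended permit tcp any object FTP_PAT eq ftp
object network FTP_PAT
 nat (inside,outside) static interface service tcp ftp ftp
object network WEB_PAT
 nat (inside,outside) static interface service tcp www www
http 0.0.0.0 0.0.0.0 outside
"""

# Only the "static interface service tcp <real> <mapped>" form used above is handled.
NAT_RE = re.compile(r"nat \(inside,outside\) static interface service tcp (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit tcp any object (\S+) eq (\S+)")

def parse_config(text):
    """Return ({object: (real_port, mapped_port)}, [(acl, object, port)], [mgmt lines])."""
    pats, acl, mgmt = {}, [], []
    current = None  # name of the "object network" block we are inside, if any
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif (m := NAT_RE.match(line)) and current:
            pats[current] = (m.group(1), m.group(2))
        elif m := ACL_RE.match(line):
            acl.append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith("http 0.0.0.0 0.0.0.0 "):
            mgmt.append(line)
    return pats, acl, mgmt

def check(text):
    """Findings as strings; an empty list means the ASA-side publish rules are consistent."""
    pats, acl, mgmt = parse_config(text)
    findings = []
    for name, obj, port in acl:
        pat = pats.get(obj)
        if pat is None:
            findings.append(f"{name}: permits {port} to {obj} but {obj} has no static PAT")
        elif pat[0] != port:
            # Since ASA 8.3 the interface ACL is evaluated after un-NAT, so it must name the real port.
            findings.append(f"{name}: permits {port} but {obj} listens on real port {pat[0]}")
    findings += [f"management: '{l}' exposes ASDM/HTTPS to every outside address" for l in mgmt]
    return findings
```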
