Need help with my asa 5512 config

Hi all,

I have set up my ASA 5512 so I can access a web server from outside to inside, but it is not working.

I have attached my config. Can someone take a look at it?

Thanks

SD

1 ACCEPTED SOLUTION (the third reply below)

3 REPLIES
Jouni Forss
Mentor

Hi,

The configuration seems a bit off to me.

I'll suggest a different type of configuration. This would require you to remove all the existing NAT configuration listed in your configuration file in the post.

Please confirm that the following things are true

  • You want to do Dynamic PAT for "inside" and "dmz" hosts behind the ASA to enable Internet connectivity
  • You want to configure 1:1 Static NAT for a single server on the "inside" interface
  • You want to open the service TCP/8080 to that host

If the above is true try the following configuration (If not please specify what needs to be changed)

Remove existing NAT/ACL configurations

  • Remove the existing NAT configurations
  • I would also suggest removing the "global" ACL and stick to using interface specific ACL

no nat (Inside,Outside) source dynamic any interface
no nat (Inside,Outside) source static cdtpreprod cdtpreprod.cleard.com service clients clients
no access-group global_access global
no access-list global_access extended permit ip any any
no access-group outside_access_in in interface Outside
no access-list outside_access_in extended permit ip any any

Dynamic NAT

  • Configure an object-group that includes all the networks you want to do PAT translation for when they access the Internet
  • Use the created "object-group" in the NAT configuration as shown below

object-group network DEFAULT-PAT-SOURCE
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0

nat (any,Outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Static NAT

  • Configure the Static NAT for the server as a Network Object NAT, as shown below
  • Both the local host address and the actual NAT configuration are inserted under the "object network" configuration
  • Then use the ACL to permit traffic on destination port TCP/8080 to the server
    • Notice that you can either use the object in the ACL statement or the Real IP address of 192.168.3.52

object network STATIC
 host 192.168.3.52
 nat (Inside,Outside) static 173.246.64.150 dns

access-list OUTSIDE-IN permit tcp any object STATIC eq 8080
access-group OUTSIDE-IN in interface Outside

Additionally, I would suggest removing the "permit ip any any" from the "Outside" interface ACL, since it permits all traffic and you don't want that, at least in a production environment.

- Jouni

Jouni,

I have 9 servers inside (not in the DMZ) that all have the same service ports, like 443, 442 and 5989.

I have 9 external IPs. I want to use one external IP for each internal server.

Should I use static NAT or dynamic NAT?

SD

Hi,

You will need to use Static NAT for each server, as using Dynamic NAT/PAT doesn't really enable remote hosts to connect to the local hosts on your network. This is because the NAT is Dynamic, and naturally to host some service it needs to be Static.

So if you actually have a Public IP address for each server then you can apply the following (and which was also in my original reply) to configure Static NAT for each server

object network STATIC
 host x.x.x.x
 nat (Inside,Outside) static y.y.y.y dns

Where

  • STATIC = Name of the object containing the local server IP address and the NAT configuration
    • Use a name for the "object network" that in your opinion makes it clearer for you
  • x.x.x.x = Local IP address of the server
  • y.y.y.y = Public IP address to be used for the Local server IP address

Repeat the above configuration with the correct "object network" names and the correct IP addresses and it should be fine.

Then just open the services to the servers on the OUTSIDE-IN ACL as mentioned in the first reply also.

access-list OUTSIDE-IN permit tcp any object STATIC eq <port>

- Jouni

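Jouni's first reply lays out the pattern (one "object network" per server carrying both the host address and the static NAT, plus per-port permits on the outside-in ACL), and the accepted reply says to repeat it nine times. Typing nine objects and 27 ACL lines by hand is where duplicate public IPs and typos creep in, so the following is an added example, not from the thread or from Cisco, that generates the ASA 8.3+ lines for all nine servers and rejects a mapping that reuses a public address. The interface names "Inside"/"Outside", the ACL name OUTSIDE-IN, the object-name prefix SRV and the server list are assumptions; the addresses are constructed RFC 5737 documentation values standing in for the poster's real ones.

```python
"""Generate per-server static (1:1) network object NAT and the matching
outside-in ACL for a Cisco ASA using the 8.3+ NAT syntax seen in this thread.

Added example, not configuration from the thread or from Cisco. Interface
names, ACL name, object-name prefix and the server list are assumptions.
"""
import ipaddress

# Constructed sample: nine inside servers, each with its own public IP,
# matching the scenario described in the thread (edit to your addressing).
SERVERS = {
    "192.168.3.51": "203.0.113.11",
    "192.168.3.52": "203.0.113.12",
    "192.168.3.53": "203.0.113.13",
    "192.168.3.54": "203.0.113.14",
    "192.168.3.55": "203.0.113.15",
    "192.168.3.56": "203.0.113.16",
    "192.168.3.57": "203.0.113.17",
    "192.168.3.58": "203.0.113.18",
    "192.168.3.59": "203.0.113.19",
}
# The service ports the poster said all nine servers expose.
PORTS = (443, 442, 5989)


def _object_name(local_ip, prefix):
    # e.g. SRV-192-168-3-52; hyphens keep the name readable in "show run".
    return f"{prefix}-{local_ip.replace('.', '-')}"


def validate(mapping):
    """Return a list of problems (empty when the mapping is usable).

    Two things silently break 1:1 static NAT: a malformed address, and two
    servers mapped to the same public IP (the second object's NAT would
    overlap the first instead of giving that server its own address).
    """
    problems = []
    seen = {}
    for local, public in mapping.items():
        for addr in (local, public):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"malformed address {addr!r}")
        if public in seen:
            problems.append(f"public {public} mapped to both {seen[public]} and {local}")
        seen[public] = local
    return problems


def render_static_nat(mapping, inside="Inside", outside="Outside", prefix="SRV"):
    """One 'object network' per server with the host and the static NAT
    inside it (network object NAT), exactly the shape Jouni's reply uses."""
    problems = validate(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for local, public in sorted(mapping.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        name = _object_name(local, prefix)
        lines += [
            f"object network {name}",
            f" host {local}",
            f" nat ({inside},{outside}) static {public} dns",
        ]
    return lines


def render_acl(mapping, ports, acl="OUTSIDE-IN", outside="Outside", prefix="SRV"):
    """Per-server, per-port TCP permits. On 8.3+ the interface ACL matches the
    real (inside) address, so the object itself can be referenced. Nothing
    like 'permit ip any any' is emitted."""
    lines = []
    for local in sorted(mapping, key=ipaddress.ip_address):
        name = _object_name(local, prefix)
        for port in ports:
            lines.append(f"access-list {acl} extended permit tcp any object {name} eq {port}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


def render_config(mapping=SERVERS, ports=PORTS):
    """Full snippet ready to paste into configure mode."""
    return "\n".join(render_static_nat(mapping) + render_acl(mapping, ports))


if __name__ == "__main__":
    print(render_config())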