01-25-2014 06:46 AM - edited 03-11-2019 08:35 PM
Hello everyone
I am having some problems trying to set up a simple one-to-one NAT between a public IP and a DMZ server. I've spent a number of hours staring at this problem and I'm hoping one of you can spot whatever I have missed.
The ASA has 4 interfaces: Inside, Outside, DMZ and Guest. NAT won't work with the Outside interface for some reason. When choosing (DMZ, Inside) it works perfectly fine.
The inside host is running static IP 192.168.50.200 with subnet 255.255.255.0 and gateway 192.168.50.1.
The one I'm having problems with has the object name DMZ_Test.
The Config:
!
interface Vlan1
nameif inside
security-level 100
ip address 10.95.80.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 212.116.83.142 255.255.255.128
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.50.1 255.255.255.0
!
interface Vlan15
nameif Guests
security-level 25
ip address 172.16.0.1 255.255.255.0
same-security-traffic permit intra-interface
object network HexMet-mail
host 10.136.0.20
description IP mappning mellan ext - int addr
object network ftp_hexmet_39
host 192.168.50.39
description Ftp hexmet se
object network web_ftp_34
host 192.168.50.34
object network web_ftp_35
host 192.168.50.35
object network web_ftp_36
host 192.168.50.36
object network web_ftp_37
host 192.168.50.37
object network web_info_38
host 192.168.50.38
description Info webb on Etunawebb
object network VC
host 10.95.80.31
description Videokonferans
object network 172-net
subnet 172.16.0.0 255.240.0.0
object network 192-net
subnet 192.168.0.0 255.255.0.0
object network Guest-net
subnet 172.16.0.0 255.255.255.0
object service udp8000
service udp destination eq 8000
object network dmz-net
subnet 192.168.50.0 255.255.255.0
object network DMZ_Test
host 192.168.50.200
description test
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_3 tcp
port-object eq ftp
port-object eq www
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
object-group network DM_INLINE_NETWORK_1
network-object 10.95.80.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group network all_private-net
network-object object HM-Supernet
network-object object 172-net
network-object object 192-net
object-group service 1718-1720 tcp-udp
description För VC-konferensanläggning
port-object range 1718 1720
object-group service DM_INLINE_SERVICE_2
service-object tcp
service-object tcp destination eq ftp
object-group service 30000_30039 tcp-udp
description För VC-konferensanläggning
port-object range 30000 30039
object-group service DM_INLINE_TCPUDP_1 tcp-udp
group-object 1718-1720
group-object 30000_30039
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VCManagement tcp-udp
port-object eq 3601
port-object eq www
port-object eq 443
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 object VC object-group DM_INLINE_TCPUDP_1
access-list outside_access_in extended permit tcp any4 object web_ftp_34 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any4 object web_ftp_35 object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any4 object web_ftp_36 object-group DM_INLINE_TCP_4
access-list outside_access_in extended permit tcp any4 object web_ftp_37 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any4 object web_info_38 eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 object ftp_hexmet_39
access-list outside_access_in extended permit ip host 213.174.82.53 10.95.80.0 255.255.255.0
access-list outside_access_in extended permit ip any object DMZ_Test
access-list inside_access_in extended permit icmp any4 any4 echo-reply inactive
access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 object-group VPN_SITE_TO_SITE
access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 any4
access-list inside_access_in extended permit ip object VPN_STAFF object HM_Gothenburg
access-list inside_access_in remark For Hitcount
access-list inside_access_in extended deny ip any4 any4
access-list dmz_access_in extended permit ip 192.168.50.0 255.255.255.0 any4
access-list Guests_access_in extended deny ip 172.16.0.0 255.255.255.0 object-group all_private-net
access-list Guests_access_in extended permit ip any4 any4
!
object network HexMet-mail
nat (any,any) static 212.116.83.153
object network ftp_hexmet_39
nat (dmz,outside) static 212.116.83.176
object network web_ftp_34
nat (dmz,outside) static 212.116.83.173
object network web_ftp_35
nat (dmz,outside) static 212.116.83.174
object network web_ftp_36
nat (any,any) static 212.116.83.155
object network web_ftp_37
nat (any,any) static 212.116.83.154
object network web_info_38
nat (dmz,outside) static 212.116.83.162
object network VC
nat (any,any) static 212.116.83.178
object network DMZ_Test
nat (dmz,outside) static 212.116.83.180
!
nat (inside,outside) after-auto source dynamic any interface
nat (Guests,outside) after-auto source dynamic Guest-net interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group Guests_access_in in interface Guests
!
All suggestions are most welcome.
Best Regards
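As an added check, not part of the thread and not anything Cisco ships: a small Python script of my own that parses a constructed excerpt of the config above and flags the usual reasons an object static NAT such as nat (dmz,outside) fails to answer from the outside: a real host that is not on the subnet of the interface named first in the pair, two static NATs mapping to the same public address, and an outside_access_in ACL that never permits the real object (on ASA 8.3 and later, which this object-NAT syntax implies, the inbound ACL must match the real address, not the mapped one). The helper names parse and audit are my own.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above: the dmz interface, the DMZ_Test object, its ACL and its NAT.
CONFIG = """
interface Vlan5
 nameif dmz
 ip address 192.168.50.1 255.255.255.0
object network DMZ_Test
 host 192.168.50.200
access-list outside_access_in extended permit ip any object DMZ_Test
object network DMZ_Test
 nat (dmz,outside) static 212.116.83.180
"""

def parse(cfg):
    ifaces, objects, acl_objs, cur = {}, {}, set(), {}
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith(("interface ", "object network ")):  # start of a block
            cur = {} if line.startswith("interface") else objects.setdefault(line.split()[2], {})
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"host (\S+)", line):
            cur["real"] = ipaddress.ip_address(m[1])
        elif m := re.match(r"nat \((\w+),(\w+)\) static (\S+)", line):
            cur["nat"] = (m[1], m[2], ipaddress.ip_address(m[3]))
        elif line.startswith("access-list outside_access_in "):
            acl_objs.update(re.findall(r"\bobject (\S+)", line))
    return ifaces, objects, acl_objs

def audit(cfg):
    ifaces, objects, acl_objs = parse(cfg)
    findings, seen = [], {}
    for name, o in objects.items():
        if "nat" not in o or "real" not in o:
            continue
        real_if, _map_if, mapped = o["nat"]
        # The real host must sit on the subnet of the interface named first in the NAT pair.
        if real_if in ifaces and o["real"] not in ifaces[real_if]["net"]:
            findings.append(f"{name}: real {o['real']} is not on the {real_if} subnet")
        # Two static NATs that claim the same mapped address collide.
        if mapped in seen:
            findings.append(f"{name}: mapped {mapped} already used by {seen[mapped]}")
        seen[mapped] = name
        # ASA 8.3 and later: the inbound ACL must permit the real (untranslated) object.
        if name not in acl_objs:
            findings.append(f"{name}: outside_access_in never permits object {name}")
    return findings
```

Run audit() over the full running config to list every object static NAT that breaks one of these rules; an empty list means the static NAT itself is consistent and the problem lies elsewhere (xlates, routing, the upstream network).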
01-27-2014 04:48 AM
Hi Peter,
Did you solve this problem? I tried your config with GNS and it seems OK to me.
Did you try packet-tracer feature on your ASA?
Best Regards
Please rate all helpful posts and close solved questions
01-27-2014 05:22 AM
Hello
I've looked into the issue some more during the weekend. The config seems to be correct; the real problem is when I try to make changes in an existing NAT, or use public IPs that have previously been natted.
I redid the NAT using another public IP that has never been natted before and that worked with the same host and internal IP, but now I can't use the 212.116.83.180 on a new NAT.
It's almost like the external IPs get locked up somehow and are unusable even after the original NAT is removed.
Another funny thing is that packet-tracer doesn't produce any errors, even though the NAT isn't working properly.
So I'm not sure what the real problem is, if this is a bug in the OS or if there's a need to somehow clear the config even though the NATs are removed.
Best Regards
01-27-2014 12:04 PM
Hi Peter,
I would suggest moving this thread to the firewall section. There are guys who work with these types of problems on a daily basis and surely someone will help you.
My knowledge of ASA is not deep enough to give any better advice.
Best Regards
Please rate all helpful posts and close solved questions