04-13-2016 12:04 AM - edited 03-12-2019 12:36 AM
Hello,
My device Cisco ASA 5510, ASA 8.4(2), ASDM 6.4(5)206
What I try to achieve.
1) Host 10.10.11.108 listening port 8080
2) Trying to access it from WAN e.g port 8090
I tried following commands:
object network 10.10.11.108_8080
 host 10.10.11.108
 nat (LAN1,WAN) static interface service tcp 8080 8090
access-list WAN_access_in line 11 extended permit tcp any object 10.10.11.108_8080 eq 8080
access-group WAN_access_in in interface WAN
But I don't get access. Can someone help me to solve this case?
04-20-2016 12:01 AM
Hi,
Please use the following command:
object service tcp-8090
 service
object service tcp-8080
 service tcp destination eq 8080
nat (inside,outside) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090
Regards,
Aditya
04-20-2016 12:20 AM
Okay, these commands were successful. Right now I can not access my service by port 8090. Do I need to configure Access Rule also?
04-20-2016 12:25 AM
Hi,
Use a
packet-tracer input
Regards,
Aditya
04-20-2016 12:31 AM
04-20-2016 12:34 AM
Hi,
Please try opening the ACL on the WAN interface for the traffic.
Regards,
Aditya
04-20-2016 12:43 AM
Not sure which service to add, so added both. Packet tracer results are the same.
04-21-2016 09:48 AM
Actually, Aditya provided wrong object group config for the 8090 group.
object service tcp-8090
 service tcp source eq 8090
This should be service "tcp destination eq 8090".
Try changing this and then test again.
--
Please remember to select a correct answer and rate helpful posts
04-21-2016 11:37 PM
Hello,
Deleted all previous and added new with these commands:
object service tcp-8090
 service tcp destination eq 8090
object service tcp-8080
 service tcp destination eq 8080
nat (LAN1,WAN) 1 source static 10.10.11.108_8080 interface service tcp-8080 tcp-8090
Packet Tracer results are the same:
04-22-2016 12:06 AM
The NAT now looks to be correct. Could you post a full running config, please? Remove any usernames, passwords and public IPs.
04-22-2016 12:57 AM
Here was running conf.
04-22-2016 12:57 AM
Your access list should have a destination port of 8080, not 8090.
access-list WAN_access_in extended permit object tcp-8090 any object 10.10.11.108_8080
04-22-2016 01:18 AM
Here was running conf.
04-22-2016 01:18 AM
Try changing the ACL entry to:
access-list WAN_access_in extended permit tcp any object 10.10.11.108_8080 eq 8080
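Why the reply above points the ACL at port 8080 rather than 8090, as an added example that is not code from any poster or from Cisco: on ASA 8.3 and later the inbound destination is un-translated first and the interface ACL is then matched against the real address and port. The WAN address 203.0.113.10 is a constructed placeholder, the function and class names are hypothetical, and only the object NAT rule from the first post is modelled.

```python
"""Toy model of ASA 8.3+ inbound TCP handling: un-NAT first, then the WAN ACL.
Assumptions: WAN_IP is a constructed address; all names here are hypothetical."""
from typing import NamedTuple, Optional

WAN_IP = "203.0.113.10"   # constructed placeholder for the WAN interface address

class StaticPat(NamedTuple):
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int

class AclEntry(NamedTuple):
    dst_ip: str               # source is "any" in the ACL lines modelled here
    dst_port: Optional[int]   # None = any port

# nat (LAN1,WAN) static interface service tcp 8080 8090
PAT = StaticPat("10.10.11.108", 8080, WAN_IP, 8090)

def untranslate(dst_ip, dst_port, rules):
    """Map a mapped (outside) destination back to the real host and port."""
    for r in rules:
        if (dst_ip, dst_port) == (r.mapped_ip, r.mapped_port):
            return r.real_ip, r.real_port
    return dst_ip, dst_port   # no NAT match: destination is unchanged

def acl_permits(dst_ip, dst_port, acl):
    """Permit-only list; anything not matched hits the implicit deny."""
    return any(e.dst_ip == dst_ip and e.dst_port in (None, dst_port) for e in acl)

def inbound(dst_ip, dst_port, rules, acl):
    """Return (verdict, ip, port) for a TCP SYN arriving on the WAN interface."""
    real_ip, real_port = untranslate(dst_ip, dst_port, rules)
    if not acl_permits(real_ip, real_port, acl):   # ACL sees the real values
        return ("DROP acl", real_ip, real_port)
    return ("ALLOW", real_ip, real_port)

# permit tcp any object 10.10.11.108_8080 eq 8080  (real port)
ACL_REAL_PORT = [AclEntry("10.10.11.108", 8080)]
# same entry written with the mapped port 8090 as destination
ACL_MAPPED_PORT = [AclEntry("10.10.11.108", 8090)]

if __name__ == "__main__":
    for name, acl in (("eq 8080", ACL_REAL_PORT), ("eq 8090", ACL_MAPPED_PORT)):
        print(name, inbound(WAN_IP, 8090, [PAT], acl))
```

In this model a packet to the WAN address on port 8090 is allowed only by the entry that names port 8080; it does not cover the other checks packet-tracer reports, such as routing or inspection.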
04-22-2016 03:44 AM
Hello,
Changed to your recommendations. No change. I have read many forums and threads, but still no help.
04-22-2016 04:45 AM
Could you run the packet-tracer in CLI and paste the full output here please.