Problem with nat?

IT Asitis
Level 1

Hi,

I have the following NAT rule:

                       

object network HTTP_Test_80
 nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www

This allows HTTP traffic to a test server from the outside. An ACL is also in place and I can get to the web service from the outside. However, I cannot get to this web service from the inside network.

Any ideas?

The test server is located in one of our DMZ networks.

/H

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

The Static NAT to the public IP address is only done towards the WAN1 interface, not INSIDE.

For Static NAT to be applied to the INSIDE interface, the command would require it as a destination interface.

If you set the Static NAT destination interface as "any", it will translate the public IP towards every other interface on the ASA.

Do take notice that these changes might affect your network IF you use the server from INSIDE with the local address also. In that case some sort of Policy NAT might be the solution.

- Jouni

So all that is needed is to change the destination to any and it should work, given that the last paragraph does not apply?

/H

Hi,

Let me test the setup on one of my test firewalls.

I don't usually do these kinds of NATs as I want to keep the setup simple (between interfaces behind Firewall). Best situation is naturally when we have a public network directly at the DMZ with our customers; then NAT won't be a problem. Naturally this isn't an option for all.

But to my understanding this should work.

By the way, are you using the mentioned public IP address as shared public from some servers? Just thinking as you are using a Port Forward configuration and not a usual/normal Static NAT?

- Jouni

Yes this is a shared public IP and it is not the primary of the interface either.

I have 6 other services open to this IP from the outside.

/H

Hi,

I did a very quick test to see what the ASA says about the Static NAT (I used normal Static NAT, not Port Forward).

Here's the configuration in my test:

object network STATIC-TEST
 host 10.10.10.123
 nat (inside,any) static 1.2.3.4

Packet-tracer from local DMZ

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-TEST
 nat (inside,any) static 1.2.3.4
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.10.123/80

Packet-tracer from local OUTSIDE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-TEST
 nat (inside,any) static 1.2.3.4
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.10.123/80

So the NAT phase seems right to me at least.

- Jouni

Changed the configuration for TCP/80 Port Forward.

Here's the configuration and test:

object network STATIC-TEST
 host 10.10.10.123
 nat (inside,any) static 1.2.3.4 service tcp www www

Packet-tracer from local DMZ

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-TEST
 nat (inside,any) static 1.2.3.4 service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.10.123/80

Packet-tracer from local OUTSIDE

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-TEST
 nat (inside,any) static 1.2.3.4 service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.2.3.4/80 to 10.10.10.123/80

- Jouni

object network HTTP_Test_80
 nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www

Should 88.130.50.22 then be changed to any? If so, how will I reach it from the outside?

Or am I supposed to add new rules to be able to access those servers from the inside?

Note that I'm doing this in ASDM and there the destination is 88.130.50.22.

/H

Ah sorry,

I was talking about the source/destination interface which is inside "()" in the NAT command.

Here is how my test configuration seems through ASDM (I don't use ASDM myself otherwise):

The actual NAT object

Under Advanced Settings

Hope this helps

Do notice that the ASDM will remove the NAT command before inserting the new one. It will therefore tear down all connections from OUTSIDE to that server on port TCP/80 at least.

If you haven't already used it, you could consider previewing the commands ASDM will send to the ASA.

This can be enabled in the following place on ASDM

Tools -> Preferences -> Select "Preview Commands before sending them to the device"

This way you will see what CLI version commands are actually sent to the ASA by the ASDM BEFORE it sends them.

- Jouni
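
Applied to the rule from the original question, the interface change described in the reply above would look like this. This is an added example, not part of any post in the thread: the `inside` interface name and the source addresses 192.0.2.10 and 198.51.100.10 are assumed placeholders, and the object's `host` line is left out because the thread does not show it.

```cisco
! Before (from the question): the mapped address 88.130.50.22 is only
! translated for traffic arriving on WAN1.
!   object network HTTP_Test_80
!    nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www

! After: only the second interface inside the parentheses changes.
! The public IP and the TCP/80 port forward stay exactly as they were.
object network HTTP_Test_80
 no nat (TestEnvironment,WAN1) static 88.130.50.22 service tcp www www
 nat (TestEnvironment,any) static 88.130.50.22 service tcp www www

! Verify from both directions (interface name "inside" and both source
! addresses are assumptions). Phase UN-NAT should report
! "Untranslate 88.130.50.22/80 to" the test server's real address.
packet-tracer input inside tcp 192.0.2.10 12345 88.130.50.22 80
packet-tracer input WAN1 tcp 198.51.100.10 12345 88.130.50.22 80
```

With `any`, 88.130.50.22 is translated towards every interface on the ASA, so whether a given network can actually reach the server is then decided by that interface's access rules.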

Hi,

OK, this works for some of our NAT rules but not all of them, and for those it works for I'm not able to access the web services from inside the test environment. Any ideas?

/H

Hi,

Without seeing the whole configuration it's hard to tell why it's not working. Might be some problem with existing NAT configuration. Also a screen capture of the ASDM log when you are attempting the connection might help (might need logging level "Informational" at least).

Regarding the access problem from the test environment: are you saying that you are connecting from a host at the same network where the test server is, using the public IP address? If this is the case I think it isn't supposed to work like that (the configuration I mentioned). I would have to lab this.

Also you say something is working but you can't access web services? Can you clarify what is working? Wasn't the web service the only service you were trying to access? (At least in the original question/post.)

- Jouni
