09-05-2019 01:10 PM
Hi all,
I'm trying to get remote access through my 5505 (Security Plus Licence) to my inside Server, and so I have tried to apply the following
nat (inside,outside) source static obj-WebServer interface service any REMOTE-HTTPS
but as per the subject, I keep getting the message "ERROR: NAT unable to reserve ports."
I have successfully applied the same rule for two other ports - for REMOTE-RDP and REMOTE-8090. ASDM is configured to run on port 50443 - so I cannot understand why I cannot apply the required config.
SPIRIT-FW1# sh xlate
9 in use, 18 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:10.10.5.100 0 to outside:192.168.1.17 3389-3389
flags srT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_2:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_3:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside_4:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:10.10.5.100 0 to inside:192.168.1.17 8090-8090
flags srT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 1:00:46 timeout 0:00:00
UDP PAT from outside:147.156.7.18 123-123 to inside:0.0.0.0/0 123-123
flags srT idle 0:36:14 timeout 0:00:00
I would be very grateful for any help or assistance
09-05-2019 01:20 PM
what is the definition of - REMOTE-HTTPS? 443 ?
09-05-2019 01:53 PM
object service REMOTE-HTTPS
service tcp source eq https
09-05-2019 01:24 PM
09-05-2019 02:24 PM
Many thanks for that - that was it exactly. After removing the webvpn command, it just needed a reboot. The "sh asp table socket" command confirmed everything.
One more thing - is there a tutorial anywhere I can follow, or can you give me an example for how to configure an inbound connection with port translation. Suppose I wanted to setup Remote Access to HOST_B using an original destination port 8080 translating to the inside HOST_B on port 80.
And what about configuring Remote SSH Access to the FW itself, using an original destination port of say 50022 translating to port 22 on the FW
09-05-2019 02:36 PM
Hi,
Here is a NAT example. In this example traffic destined to the IP address of the outside interface on port 8080 is then natted to the real (private) IP address of HOST_B on port 80. The ACL references the real port 80 and not the natted IP address. Just change the host IP address and the ACL name.
object network HOST_B
host 192.168.10.5
nat (INSIDE,OUTSIDE) static interface service tcp 80 8080
access-list OUTSIDE_IN extended permit tcp any object HOST_B eq 80
I don't think you can NAT traffic destined to the ASA itself, nor do I think it's possible to actually change the port from 22 to something else.
HTH
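The "NAT unable to reserve ports" error in the original post, and the static PAT rule in the answer above, both come down to the same question: is the mapped port on the outside interface address already held by an existing xlate or by a service the ASA itself listens on (webvpn on 443, ASDM on 50443)? The following is an added example, not part of the thread and not Cisco code: a small Python checker that parses the "show xlate" output as printed in the original post and tests a planned static PAT (mapped port on the interface address) against existing PAT reservations and a constructed table of the firewall's own listeners. The listener table, the assumption that 192.168.1.17 is the outside interface address, and the sample output (copied from the post) are all assumptions for the example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Sample "show xlate" output copied from the original post (constructed test input here).
SAMPLE_XLATE = """\
9 in use, 18 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside:10.10.5.100 0 to outside:192.168.1.17 3389-3389
flags srT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:0.0.0.0/0 0 to inside:0.0.0.0/0 0
flags srIT idle 1:00:46 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 1:00:46 timeout 0:00:00
TCP PAT from outside:10.10.5.100 0 to inside:192.168.1.17 8090-8090
flags srT idle 1:00:46 timeout 0:00:00
UDP PAT from outside:147.156.7.18 123-123 to inside:0.0.0.0/0 123-123
flags srT idle 0:36:14 timeout 0:00:00
"""

# Constructed (assumed) table of ports the ASA itself listens on at the outside address.
# In the thread, "webvpn" holding tcp/443 was what blocked the REMOTE-HTTPS rule.
ASA_LISTENERS: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "webvpn (enable outside)",
    ("tcp", 50443): "http server enable 50443 (ASDM)",
    ("tcp", 22): "ssh",
}


class PatEntry(NamedTuple):
    """One 'TCP/UDP PAT from ... to ...' line of 'show xlate' plus its flags line."""
    proto: str                   # "tcp" or "udp"
    from_if: str
    from_ip: str
    from_ports: Tuple[int, int]  # (lo, hi); (0, 0) when the line shows no fixed port
    to_if: str
    to_ip: str
    to_ports: Tuple[int, int]
    flags: str                   # e.g. "srT": static, portmap, twice


_PAT_RE = re.compile(r"^(TCP|UDP) PAT from (\S+):(\S+) (\S+) to (\S+):(\S+) (\S+)$")
_FLAGS_RE = re.compile(r"^flags (\S+)")


def _ports(spec: str) -> Tuple[int, int]:
    """'3389-3389' -> (3389, 3389); '0' -> (0, 0)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    return int(spec), int(spec)


def parse_xlate(text: str) -> List[PatEntry]:
    """Extract PAT entries from 'show xlate' output; plain 'NAT from' lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries: List[PatEntry] = []
    for i, line in enumerate(lines):
        m = _PAT_RE.match(line)
        if not m:
            continue
        flags = ""
        if i + 1 < len(lines):              # the flags line follows the PAT line
            fm = _FLAGS_RE.match(lines[i + 1])
            if fm:
                flags = fm.group(1)
        entries.append(PatEntry(
            m.group(1).lower(), m.group(2), m.group(3), _ports(m.group(4)),
            m.group(5), m.group(6), _ports(m.group(7)), flags))
    return entries


def reserved_ports(entries: List[PatEntry], ip: str) -> Set[Tuple[str, int]]:
    """All (proto, port) pairs that existing xlates already pin to the given address."""
    reserved: Set[Tuple[str, int]] = set()
    for e in entries:
        for addr, (lo, hi) in ((e.from_ip, e.from_ports), (e.to_ip, e.to_ports)):
            if addr == ip and lo > 0:
                reserved.update((e.proto, p) for p in range(lo, hi + 1))
    return reserved


def check_static_pat(entries: List[PatEntry], listeners: Dict[Tuple[str, int], str],
                     interface_ip: str, proto: str, mapped_port: int) -> List[str]:
    """Return the reasons a 'static interface service <proto> <real> <mapped>' rule
    would collide on the interface address; an empty list means the port is free."""
    problems: List[str] = []
    if (proto, mapped_port) in reserved_ports(entries, interface_ip):
        problems.append(f"{proto}/{mapped_port} is already held by an existing xlate on {interface_ip}")
    svc = listeners.get((proto, mapped_port))
    if svc:
        problems.append(f"{proto}/{mapped_port} is used by the ASA itself ({svc})")
    return problems


if __name__ == "__main__":
    xlates = parse_xlate(SAMPLE_XLATE)
    for port in (443, 8080, 3389, 52722):
        issues = check_static_pat(xlates, ASA_LISTENERS, "192.168.1.17", "tcp", port)
        print(f"tcp/{port}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the sample, tcp/443 is reported as taken by webvpn (matching the fix the poster applied), tcp/3389 by the existing RDP xlate, and tcp/8080 and tcp/52722 come back free. The listener table has to be maintained from the running config ("show run http", "show run webvpn", "show run ssh"), since "show xlate" only shows translations, not the box's own sockets; that is what "show asp table socket" adds on the ASA.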
09-19-2019 09:11 AM
I'm trying to get a Port Translation to work - port 52722 on the outside to port 22 on the inside server.
However, I'm getting a Subtype rpf-check DROP