Beginner

Proper NAT Config with port number for public IP

We have a rule in our firewall to NAT an IP for a system on the inside to the IP address of our outside interface so that users may publicly access the system via a web browser using the outside interface IP with port 8100.  It was working but the NAT rule got deleted and now I cannot get it to work again.  I am using the GUI v 8.2

 

To go through the ASA settings for this rule:

 

It's a static NAT rule.

 

Original

Interface = inside

source = hostname with internal IP

 

Translated

Interface = outside

Use interface IP Address is selected

 

Enable PAT is checked

Protocol = TCP

original port = 8100

translated port = 8100

 

What do I have wrong?

Collaborator

Did you create the ACL to allow that traffic?

 

I am a command line guy

 

object network INSIDE_DEVICE_8100
 host 10.1.1.235
 nat (inside,outside) static interface service tcp 8100 8100


access-list outside-in extended permit tcp any object INSIDE_DEVICE_8100 eq 8100

 

Hope this helps.

 

Mike

Accepted Solution
VIP Advocate

I don't remember how the NAT interface on the 8.2 ASDM looks as it has been a while since I have worked on it.  But the commands for 8.2 would be:

static (inside,outside) tcp interface 8100 10.1.1.235 8100 netmask 255.255.255.255

access-list outside-in extended permit tcp any host <outside interface IP> eq 8100

access-group outside-in in interface outside

--

Please remember to select a correct answer and rate helpful posts

Beginner

I have posted an image below of the NAT rule screen from the ASDM 8.2

It should be fairly straightforward but it's not working.

 

 

Collaborator

Sorry I did not catch the 8.2, my post was for newer code.

 

As Marius said run packet tracer and see where it fails.

 

 

Mike

Beginner

Where do I run PT from?

Collaborator

ASDM under tools, then choose packet tracer

Collaborator

Since you recreated the NAT rule it is probably at the bottom of the NAT rule list. Try moving it to the top of the list and see if that works. Or if you recreated the ACL, it too could be below a deny rule, so I would check that as well.

 

Also when you ran the packet tracer at which step does it fail?

 

Mike
 

Beginner

I moved the NAT rule to the top and the ACL is not below any deny rules.

 

I'm confused as to how to properly run the Packet trace.  Do I run it on the ACL or NAT rule.  Also what would my zone, source ip/port and dest ip/port be?

Beginner

So I ran the packet trace on the NAT rule with the inside address and port 10.1100.30.10:80 as the source, the inside interface chosen and the outside IP/port 71.181.12.194:8100 as the destination.

 

It says packet is dropped 7 flow is denied by configured rule.

 

When I checked the rule it is the any any deny implicit rule on the inside interface.

 

 

Beginner

I got it working.  All I did was delete the NAT rule and re-create it exactly as it had been and it started working.

 

Odd.

Collaborator

Just to check....under translated choose "use IP Address" and put the IP address in there and see if that helps at all. While it should not make a difference, stranger things have happened.

Beginner

I already tried that but when I did a message popped up saying "this is the ip address of the outside interface please select use interface IP."
 

Beginner

Below is a screenshot of the packet trace.  Not sure if I did it correctly:

 

CLI text reads:

 

Config
static (inside,outside) tcp interface 8100 Cablecast_Pro 8100 netmask 255.255.255.255
nat-control
match tcp inside host Cablecast_Pro eq 8100 outside any
static translation to 71.181.12.194/8100
translate_hits = 0, untranslate_hits = 31

 

VIP Advocate

Could you try the packet tracer using a random high source port (12345 for example).

It is not failing on the NAT statement so that should be fine.

--

Please remember to select a correct answer and rate helpful posts

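As an added example (not from any poster in this thread), a Python check that parses the three ASA 8.2 lines given in the accepted answer (static, access-list, access-group), confirms they agree on the published port and interface, and builds the inbound packet-tracer command the last reply describes. The outside IP 203.0.113.10 and the source 198.51.100.7 are constructed placeholders.

```python
import re

# Constructed sample: the ASA 8.2 lines from the accepted answer, with the
# <outside interface IP> placeholder replaced by an assumed 203.0.113.10.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 8100 10.1.1.235 8100 netmask 255.255.255.255
access-list outside-in extended permit tcp any host 203.0.113.10 eq 8100
access-group outside-in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def check_published_port(config, outside_ip, port):
    """Return a list of problems with the static PAT for tcp/<port>; empty means
    the static, the permit ACE and the access-group all line up."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    problems = []
    statics = [m for m in map(STATIC_RE.match, lines) if m]
    stat = next((m for m in statics if m.group(4) == str(port)), None)
    if stat is None:
        problems.append(f"no static PAT for tcp/{port}")
        return problems
    outside_if, glob = stat.group(2), stat.group(3)
    # "interface" means the outside interface's own address, else a literal IP
    global_ip = outside_ip if glob == "interface" else glob
    aces = [m for m in map(ACL_RE.match, lines)
            if m and m.group(2) == global_ip and m.group(3) == str(port)]
    if not aces:
        problems.append(f"no ACE permits tcp any -> {global_ip} eq {port}")
        return problems
    applied = {m.group(1): m.group(2) for m in map(GROUP_RE.match, lines) if m}
    if not any(applied.get(m.group(1)) == outside_if for m in aces):
        problems.append(f"ACL {aces[0].group(1)} is not applied inbound on {outside_if}")
    return problems


def packet_tracer_command(outside_ip, port, src_ip="198.51.100.7", src_port=12345):
    """The inbound test the last reply asks for: enter on the outside interface
    with a random high source port, destination = published IP and port."""
    return f"packet-tracer input outside tcp {src_ip} {src_port} {outside_ip} {port}"


if __name__ == "__main__":
    print(check_published_port(SAMPLE_CONFIG, "203.0.113.10", 8100))  # []
    print(packet_tracer_command("203.0.113.10", 8100))
```

Running the trace from the outside interface (as the command builds it) is what exercises the untranslate path; tracing from inside with the server's own port as the source, as in the OP's attempt, hits the inside interface's implicit deny instead.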