08-26-2015 11:07 AM - edited 03-11-2019 11:30 PM
We have a rule in our firewall to NAT an IP for a system on the inside to the IP address of our outside interface so that users may publicly access the system via a web browser using the outside interface IP with port 8100. It was working but the NAT rule got deleted and now I cannot get it to work again. I am using the GUI v 8.2
To go through the ASA settings for this rule:
It's a static NAT rule.
Original
Interface = inside
source = hostname with internal IP
Translated
Interface = outside
Use interface IP Address is selected
Enable PAT is checked
Protocol = TCP
original port = 8100
translated port = 8100
What do I have wrong?
08-26-2015 12:41 PM
I don't remember how the NAT interface on the 8.2 ASDM looks as it has been a while since I have worked on it. But the commands for 8.2 would be:
static (inside,outside) tcp interface 8100 10.1.1.235 8100 netmask 255.255.255.255
access-list outside-in extended permit tcp any host <outside interface IP> eq 8100
access-group outside-in in interface outside
--
Please remember to select a correct answer and rate helpful posts
08-26-2015 12:05 PM
Did you create the ACL to allow that traffic?
I am a command line guy
object network INSIDE_DEVICE_8100
host 10.1.1.235
nat (inside,outside) static interface service tcp 8100 8100
access-list outside-in extended permit tcp any object INSIDE_DEVICE_8100 eq 8100
Hope this helps.
Mike
08-26-2015 12:55 PM
I have posted an image below of the NAT rule screen from the asdm 8.2
It should be fairly straightforward but it's not working.
08-26-2015 01:19 PM
Sorry I did not catch the 8.2, my post was for newer code.
As Marius said run packet tracer and see where it fails.
Mike
08-26-2015 01:23 PM
Where do I run PT from?
08-26-2015 01:26 PM
ASDM under tools then choose packet tracer
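As an added example (not any poster's commands), a small Python helper that emits the pre-8.3 syntax and the 8.3+ object NAT syntax from the replies above side by side, and the CLI equivalent of the ASDM packet tracer for an inbound check. The `outside_ip`, `probe_ip` and the object name are placeholders; note that before 8.3 the interface ACL must match the mapped (outside) address, while from 8.3 on it matches the real (inside) address.

```python
import ipaddress
import re


def static_pat_commands(inside_host, port, outside_ip, asa_version,
                        acl_name="outside-in", src="any", obj_name="INSIDE_DEVICE"):
    """Return the ASA CLI lines that publish tcp/`port` of `inside_host` on the
    outside interface address, in the syntax matching `asa_version`."""
    ipaddress.ip_address(inside_host)      # reject garbage before it reaches a firewall
    ipaddress.ip_address(outside_ip)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    m = re.match(r"(\d+)\.(\d+)", asa_version)   # handles "8.2" and "9.1(7)"
    if not m:
        raise ValueError(f"unrecognised ASA version {asa_version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) < (8, 3):
        # Pre-8.3: NAT is a "static" line and the ACL sees the mapped (outside) IP.
        return [
            f"static (inside,outside) tcp interface {port} {inside_host} {port} "
            f"netmask 255.255.255.255",
            f"access-list {acl_name} extended permit tcp {src} host {outside_ip} eq {port}",
            f"access-group {acl_name} in interface outside",
        ]
    # 8.3+: object NAT, and the ACL references the real (inside) host via the object.
    name = f"{obj_name}_{port}"              # placeholder object name
    return [
        f"object network {name}",
        f" host {inside_host}",
        f" nat (inside,outside) static interface service tcp {port} {port}",
        f"access-list {acl_name} extended permit tcp {src} object {name} eq {port}",
        f"access-group {acl_name} in interface outside",
    ]


def packet_tracer_check(outside_ip, port, probe_ip="203.0.113.10", probe_port=40000):
    """CLI form of the ASDM packet tracer for an inbound test: the simulated packet
    enters on the outside interface from a (placeholder) Internet client and is
    addressed to the mapped IP and published port, so NAT and the outside ACL are
    the steps that get exercised."""
    ipaddress.ip_address(outside_ip)
    return (f"packet-tracer input outside tcp {probe_ip} {probe_port} "
            f"{outside_ip} {port} detailed")


if __name__ == "__main__":
    for line in static_pat_commands("10.1.1.235", 8100, "198.51.100.1", "8.2"):
        print(line)
    print(packet_tracer_check("198.51.100.1", 8100))
```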
08-27-2015 05:30 AM
Since you recreated the NAT rule it is probably at the bottom of the NAT rule list. Try moving it to the top of the list and see if that works. Or if you recreated the ACL it too could be below a deny rule so I would check that as well.
Also when you ran the packet tracer at which step does it fail?
Mike
08-27-2015 08:01 AM
I moved the NAT rule to the top and the ACL is not below any deny rules.
I'm confused as to how to properly run the Packet trace. Do I run it on the ACL or NAT rule. Also what would my zone, source ip/port and dest ip/port be?
08-27-2015 08:20 AM
So I ran the packet trace on the NAT rule with the inside address and port 10.1100.30.10:80 as the source, the inside interface chosen and the outside IP/port 71.181.12.194:8100 as the destination.
It says packet is dropped 7 flow is denied by configured rule.
When I checked the rule it is the any any deny implicit rule on the inside interface.
08-27-2015 10:47 AM
I got it working. All I did was delete the NAT rule and re-create it exactly as it had been and it started working.
Odd.
08-26-2015 01:24 PM
Just to check....under translated choose "use IP Address" and put the IP address in there and see if that helps at all. While it should not make a difference, stranger things have happened.
08-26-2015 01:30 PM
I already tried that but when I did a message popped up saying "this is the ip address of the outside interface please select use interface IP."
08-26-2015 01:29 PM
Below is a screenshot of the packet trace. Not sure if I did it correctly: