08-18-2011 03:18 AM - edited 03-11-2019 02:13 PM
I've tried to get my head around this, but being used to Juniper and Watchguard devices I just can't get my home webserver published to the outside interface.
I have an ASA5505 with ASA version 8.4 and ASDM version 6.4 and the basic license.
Outside interface is X.X.X.32/255.255.255.248 so I have 5 static IPs on my external interface, .34 is in use for the outside interface.
Inside 10.10.10.0/25
DMZ 10.0.0.0/24
I have a webserver in DMZ located at 10.0.0.253 and would like to publish it to the external IP X.X.X.35.
I've tried to make the static NAT but every time I do either nothing goes in or out of the DMZ zone or you can't access the webserver from the outside interface.
Could anyone point me to a clear guide on this that doesn't assume you are used to Cisco devices and would apply to the right ASA versions? Or try to talk me through it here.
Right now I deleted all trials since none of them work, so only the basic config is applied. Everything gets NATed to the external interface .34 IP.
08-18-2011 03:58 AM
Hi,
So you want to statically NAT your webserver in the DMZ to outside; then you must:
1) First do the static PAT config, which for 8.4 OS should be like this:
object network webserver
host 10.0.0.253
nat (dmz,outside) static X.X.X.35 service tcp 80 80
2) Create an ACL permitting access to the webserver from outside and apply it on interface outside inbound like this:
access-list WEBSERVER_OUT extended permit tcp any host 10.0.0.253 eq 80
access-list WEBSERVER_OUT extended permit icmp any host 10.0.0.253 echo-reply
access-group WEBSERVER_OUT in interface outside
Regards.
Alain.
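An offline check for the two steps in the answer above, added here as an example and not part of the original post: it parses an ASA 8.3+ style config and reports when a static object NAT names an interface the host is not behind, or when the inbound ACL on the mapped interface does not permit the host's real address. The function name `audit`, the `NETS` table (subnets taken from the question) and the address 192.0.2.35 standing in for the masked X.X.X.35 are assumptions.

```python
import ipaddress
import re

# Constructed sample in ASA 8.3+ syntax; 192.0.2.35 stands in for the masked X.X.X.35.
GOOD = """\
object network webserver
 host 10.0.0.253
 nat (dmz,outside) static 192.0.2.35 service tcp 80 80
access-list WEBSERVER_OUT extended permit tcp any host 10.0.0.253 eq 80
access-group WEBSERVER_OUT in interface outside
"""
# Interface subnets as given in the question (keys are assumed nameif values).
NETS = {"inside": "10.10.10.0/25", "dmz": "10.0.0.0/24"}

def audit(config, nets=NETS):
    """Return a list of findings for static object NAT rules in `config`."""
    findings, objects, name = [], {}, None
    acl_hosts, bound = {}, {}  # ACL name -> permitted hosts; interface -> inbound ACL
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object", "network"]:
            name = tok[2]
            objects[name] = {}
        elif tok[:1] == ["host"] and name:
            objects[name]["host"] = tok[1]
        elif tok[:1] == ["nat"] and name and tok[2:3] == ["static"]:
            real_if, mapped_if = re.match(r"\((\w+),(\w+)\)", tok[1]).groups()
            objects[name].update(real_if=real_if, mapped_if=mapped_if, mapped=tok[3])
        elif tok[:1] == ["access-list"] and "permit" in tok and "host" in tok:
            acl_hosts.setdefault(tok[1], set()).add(tok[tok.index("host") + 1])
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2] == "in":
            bound[tok[4]] = tok[1]
    for obj, o in objects.items():
        if "mapped" not in o or "host" not in o:
            continue  # not a static object NAT for a single host
        net = nets.get(o["real_if"])
        if net is None or ipaddress.ip_address(o["host"]) not in ipaddress.ip_network(net):
            findings.append(f"{obj}: {o['host']} is not behind '{o['real_if']}'")
        permitted = acl_hosts.get(bound.get(o["mapped_if"]), set())
        if o["mapped"] in permitted and o["host"] not in permitted:
            findings.append(f"{obj}: ACL permits mapped IP; 8.3+ matches the real IP")
        elif o["host"] not in permitted:
            findings.append(f"{obj}: no inbound ACL on '{o['mapped_if']}' permits {o['host']}")
    return findings
```

The check only covers single-host static object NAT and `host` entries in ACLs; it does not compare the ACL port with the `service` port of the NAT rule.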
08-18-2011 03:42 AM
Hi Mat,
You would need the following nat statement:
object network external_ip
host xx.xx.xx.35
object network internal_ip
host 10.0.0.253
nat (outside,inside) source static any any destination static external_ip internal_ip
Hope this helps you out
Thanks,
Varun
Please rate helpful posts.
08-18-2011 03:59 AM
You can also try:
object network dmz_server
host 10.0.0.253
nat (inside,outside) static xx.xx.xx.35
Both the nats would do the same thing.
Thanks,
Varun
08-18-2011 04:13 AM
Thank you so much, looking at the commands they are clear and self-explanatory. Thanks again!