10-22-2007 04:25 PM - edited 03-11-2019 04:28 AM
very simple configuration, but for some reason it's not working... I'm trying to get the outside to reach inside via port www... the hitcnt on show access list increases but www not showing up on outside pc... any ideas?... oh yeah, this is a brand new asa 5520... this is the first using 7.0 code... more familiar with 5 - 6.3 code...
thanks in advance
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address 192.168.101.1 255.255.255.0
!
interface Ethernet0/1
speed 100
nameif inside
security-level 100
ip address 10.100.245.1 255.255.255.0
access-list outside extended permit tcp host 192.168.101.5 host 10.100.245.5 eq www
access-group outside in interface outside
static (inside,outside) 10.100.245.5 10.100.245.5 netmask 255.255.255.255
10-22-2007 04:35 PM
I don't see anything wrong in your configuration.
Does your www server use the inside interface (10.100.245.1) as its gateway?
Post the output of 'show nat' if you are still having problems.
HTH
Sundar
10-22-2007 04:39 PM
I'll check in the morning... well, I think I used the correct gateway, unless I fat fingered it... I'll post back in the morning...
thanks again for the response...
10-22-2007 08:33 PM
Have you tried other options such as:
Static translation:
access-list acl_out permit tcp any host YourPublic-IP eq www
access-group acl_out in interface outside
static (inside,outside) YourPublic-IP Local-IP netmask 255.255.255.255 0 0
Port address translation:
access-list acl_out permit tcp any host PublicIP eq http
access-group acl_out in interface outside
static (inside,outside) tcp PublicIP http inside-IP http netmask 255.255.255.255 0 0
Or simply use a NONAT and an ACL as you have in your example. This disables NAT but the outside ACL is still needed.
access-list no_nat_inside extended permit ip any any
nat (inside) 0 access-list no_nat_inside
Note: Do not forget after changing the static to reset the translation table. Be aware that this will reset all connections.
Execute:
clear xlate
sincerely
Patrick
10-23-2007 05:35 AM
yep, it was fat fingered... my gateway ip address on my laptop was incorrect... fw is working great!...
thanks to everybody who replied...
10-23-2007 01:17 AM
Hi,
Just a few debug ideas.
Check the log on the ASDM/CLI to see what exact error it is giving, if any at all. If there is no error then probably you have an HTTP server misconfiguration or even a routing problem on your LAN.
Another thing you can do is just "telnet 10.100.245.5 80" and see if it goes through.
Hope it helps.
Paulo
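The thread's root cause was a mistyped default gateway on an end host, which the ASA configuration itself cannot reveal. As an added example (not from any poster in this thread), this Python script checks each end host's address, mask and gateway against the ASA interface addresses from the original post; the /24 host masks and the mistyped gateway value are constructed assumptions.

```python
import ipaddress

# Interface lines taken from the original post's configuration.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.101.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.100.245.1 255.255.255.0
"""

def asa_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    found, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            found[name] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            name = None
    return found

def check_host(label, ip, mask, gateway, peer_ip, interfaces):
    """Return the problems on one end host's routed path towards peer_ip."""
    host = ipaddress.ip_interface(f"{ip}/{mask}")
    gw = ipaddress.ip_address(gateway)
    if ipaddress.ip_address(peer_ip) in host.network:
        return []  # peer is on-link, the gateway is never used
    problems = []
    asa = next((i for i in interfaces.values() if host.ip in i.network), None)
    if asa is None:
        problems.append(f"{label}: {host.ip} is on no ASA interface subnet")
    elif host.network != asa.network:
        problems.append(f"{label}: mask gives {host.network}, ASA has {asa.network}")
    if gw not in host.network:
        problems.append(f"{label}: gateway {gw} is outside {host.network}")
    elif asa is not None and gw != asa.ip:
        problems.append(f"{label}: gateway {gw} is not the ASA address {asa.ip}")
    return problems

if __name__ == "__main__":
    ifs = asa_interfaces(ASA_CONFIG)
    # Constructed host settings: /24 masks and the mistyped gateway are assumptions.
    hosts = [("outside pc", "192.168.101.5", "255.255.255.0", "192.168.101.1", "10.100.245.5"),
             ("www server", "10.100.245.5", "255.255.255.0", "10.100.245.11", "192.168.101.5")]
    for h in hosts:
        for problem in check_host(*h, ifs) or [f"{h[0]}: return path OK"]:
            print(problem)
```

A host whose gateway fails this check can still receive the permitted SYN, so the ACL hit count rises while the reply never gets back through the firewall.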