12-13-2014 08:25 AM - edited 03-11-2019 10:13 PM
Hi Everyone,
I have only a single public IP on the ASA outside interface.
The server is connected to the inside network of the ASA. I want the server to be reachable from the internet on port 443.
I tried the static NAT config on the ASA
nat (inside,outside) ?
configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
There is no static command?
How can I configure the config below
nat (inside,outside) static interface service tcp http http in ASA version 9.1?
Regards
Mahesh
12-14-2014 04:06 PM
For testing you can try to put all your manual NAT after the object NAT (using the after-auto keyword), so that you can confirm that no other NAT is getting hit for the server traffic.
And also make sure that your ACL for this traffic uses the un-NATed (private) IP address of the server.
12-13-2014 09:35 AM
Hi Mahesh,
You can create an object nat for this requirement.
>> create object for server private ip.
object network SERVER
host x.x.x.x
nat (inside,outside) static interface service tcp 443 443
NOTE: If you are translating traffic coming to the ASA IP on port 443 to SERVER, then you will not be able to run ASDM on port 443. In order to manage the ASA on the public IP, make sure that you have changed the port for ASDM.
Thanks,
Rishabh
12-13-2014 09:45 AM
Hi Rishabh,
Under 9.1 I tried this
ASA1(config)# nat (inside,outside) source static ?
configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0
There is no option for interface?
Regards
Mahesh
12-13-2014 10:07 AM
Hi Mahesh,
The interface option for:
>> object NAT:-
>> create object for server private ip.
(config)#object network SERVER
(config-network-object)# host x.x.x.x
(config-network-object)# nat (inside,outside) static interface service tcp 443 443
>> For manual NAT
(config)#nat (outside,inside) source static <real-ip> <mapped-ip> destination static interface <real-ip> service <real-service> <mapped-service>
Hope it helps.
Thanks,
Rishabh
12-13-2014 10:51 AM
Hi Rishabh,
When I do as you said
ASA1(config-network-object)# nat (inside,outside) static interface ser$
ERROR: NAT unable to reserve ports.
I tried SSH, same error.
Any idea how I can allow SSH to the server or a 443 connection from outside?
Also an ACL is there to allow traffic from outside - any IP to the ASA public IP.
Regards
Mahesh
12-13-2014 11:31 AM
I think this can happen if the ASA is listening for connections on ports 22 and 443 on the outside interface. Probably you have enabled the SSH and HTTP server on the outside interface.
You can check it by running command sh asp table socket.
You can change port for http server by command http server enable <port>.
Try changing port and then configure NAT.
Thanks,
Rishabh
12-13-2014 11:42 AM
For SSH I haven't seen any command that would make the ASA listen on any port other than 22.
So to SSH to your server you can use a random port (say 22222) as the mapped service port and then 22 as the real port in your NAT.
And then SSH to the public IP on port 22222.
12-14-2014 01:16 AM
When you are testing telnet traffic, check the NAT counter for the object NAT you have created.
Make sure the traffic is not hitting any manual NAT which you have.
If it is hitting some manual NAT, then place that NAT after the object NAT using the "after-auto" keyword in that manual NAT statement.
Also check what packet tracer shows.
12-14-2014 06:58 AM
I do not see any hit counters on the object NAT.
Also I have 2 manual NAT statements as below
2 (inside) to (outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
translate_hits = 7204, untranslate_hits = 2578
Can you please tell me the CLI command which I can use to put the commands below after the object NAT?
Regards
Mahesh
12-14-2014 08:04 AM
I think all your traffic is hitting this NAT statement :
(inside) to (outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
Remove this NAT statement and place it after the object NAT by using the after-auto keyword.
e.g.:
nat (inside,outside) after-auto source dynamic inside interface
12-14-2014 08:47 AM
I moved the NAT config below as you said; here is the packet tracer output
pri/act/ASA1# packet-tracer input outside tcp 70.75.x.x. 23 10.0.0.4 23
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server eq telnet
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network server
nat (inside,outside) static interface service tcp telnet telnet
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Seems it is denied by the object NAT rule?
Regards
Mahesh
12-14-2014 08:58 AM
As per your requirement you will be sending traffic on public IP.
Check IP addresses in packet tracer.
packet-tracer input outside tcp <source-ip> <any port> <asa outside ip> <23>
12-14-2014 09:05 AM
Here is the output
ASA1# packet-tracer input outside tcp 70.75.x.x 1023 96.51.x.x 23
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 96.51.x.x 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-14-2014 09:55 AM
Refer to this article:
https://rowell.dionicio.net/configuring-nat-for-a-public-server-using-same-outside-interface/
12-14-2014 11:15 AM
I tried as per the above website; it seems there is some NAT issue which I need to fix.
Logs show
%ASA-3-710003: TCP access denied by ACL from 70.75.x.x/52948 to outside:96.51.x.x/443
NAT config
ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
!
object network server
nat (inside,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source static inside inside destination static inside inside
nat (inside,outside) after-auto source dynamic inside interface description Allow R1 to ping to Internet Sites
Regards
Mahesh
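Pulling the thread's guidance into one place (Rishabh's points on the ASA's own HTTPS/SSH listeners, one network object per published service, the ACL using the real address, and demoting the broad dynamic PAT with after-auto), here is an added example of the resulting ASA configuration. It is not from any post in this thread; the server address 10.0.0.4, the ASDM port 8443 and the management network 192.0.2.0/24 are placeholders.

```text
! Added example, not from the thread. Placeholders: server 10.0.0.4, ASDM on tcp/8443,
! management network 192.0.2.0/24.
!
! --- Why the object NAT failed with "ERROR: NAT unable to reserve ports" ---
! The ASA's own HTTPS/ASDM listener on outside already owns tcp/443 (and SSH owns
! tcp/22), so a static NAT to "interface" cannot claim the same port:
!   http server enable                    ! default port 443
!   http 0.0.0.0 0.0.0.0 outside
!   object network SERVER
!    nat (inside,outside) static interface service tcp https https   -> reserve error
!
! --- Fix 1: move the ASA's own listener off tcp/443 and limit who may reach it ---
http server enable 8443
no http 0.0.0.0 0.0.0.0 outside
http 192.0.2.0 255.255.255.0 outside
!
! --- Fix 2: one network object per published service (an object holds one nat line) ---
object network SERVER-HTTPS
 host 10.0.0.4
 nat (inside,outside) static interface service tcp https https
object network SERVER-SSH
 host 10.0.0.4
 ! SSH on the ASA keeps tcp/22, so a different outside port maps to the real port 22
 nat (inside,outside) static interface service tcp ssh 22222
!
! --- Fix 3: the ACL matches the real (un-NATed) address and real port ---
access-list outside_access_in extended permit tcp any object SERVER-HTTPS eq https
access-list outside_access_in extended permit tcp any object SERVER-SSH eq ssh
access-group outside_access_in in interface outside
!
! --- Fix 4: demote the broad dynamic PAT so it cannot shadow the object NAT ---
! Section 1 (manual NAT) is evaluated before section 2 (object NAT); after-auto
! places this rule in section 3, after the object NAT.
nat (inside,outside) after-auto source dynamic inside interface
!
! --- Verify ---
! show asp table socket     -> tcp/443 on outside should no longer be an ASA listener
! show nat detail           -> untranslate_hits on SERVER-HTTPS should increment
! packet-tracer input outside tcp 198.51.100.10 40000 <asa-outside-ip> 443
```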