12732 Views | 0 Helpful | 17 Replies

static nat config on ASA 9.1 for port forwarding

mahesh18 (Level 6)

Hi Everyone,

I have only a single public IP on the ASA outside interface.

The server is connected to the inside network of the ASA. I want the server to be reachable from the internet on port 443.

I tried the static NAT config on the ASA:

nat (inside,outside) ?

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters

There is no static command?

How can I configure the config below

nat (inside,outside) static interface service tcp http http  in ASA 9.1 version?

Regards

Mahesh

2 Accepted Solutions

Accepted solution 1 (Rishabh Seth): the reply below giving the object NAT and manual NAT syntax for the interface option.

Accepted solution 2 (Rishabh Seth):

For testing you can try to put all your manual nat after object NAT (using after auto command). So that you can confirm that there is no other NAT getting hit for the server traffic.

And also make sure that your ACL for this traffic has UN NATed (private IP address) of the server.


17 Replies

Rishabh Seth (Level 7)

Hi Mahesh,

You can create an object nat for this requirement.

>> create object for server private ip.

object network SERVER

host x.x.x.x

nat (inside,outside) static interface service tcp 443 443

NOTE: If you are translating traffic coming for the ASA IP on port 443 to SERVER, then you will not be able to run ASDM on port 443. In order to manage the ASA on the public IP, make sure that you have changed the port for ASDM.

Thanks,

Rishabh

 

Hi Rishabh,

 

Under 9.1 I tried this:

ASA1(config)# nat (inside,outside) source static ?

configure mode commands/options:
  WORD  Specify object or object-group name for real source
  any   Abbreviation for source address and mask of 0.0.0.0


There is no option for interface?

 

Regards

Mahesh

Hi Mahesh,

 

The interface option for:

>> object NAT:

>> create object for server private IP.

(config)#object network SERVER

(config-network-object)# host x.x.x.x

(config-network-object)# nat (inside,outside) static interface service tcp 443 443

>> For manual NAT:

(config)#nat (outside,inside) source static <real-ip> <mapped-ip> destination static interface <real-ip> service <real-service> <mapped-service>

Hope it helps.

Thanks,

Rishabh

 

Hi Rishabh,

When I do as you said:

ASA1(config-network-object)# nat (inside,outside) static interface ser$
ERROR: NAT unable to reserve ports.

I tried SSH, same error.

Any idea how I can allow SSH to the server or a 443 connection from outside?

Also an ACL is there to allow traffic from outside - any IP to the ASA public IP.

Regards

Mahesh

I think this can happen if the ASA is listening for connections on port 22 and 443 on the outside interface. Probably you have enabled the SSH and HTTP server on the outside interface.

You can check it by running the command sh asp table socket.

You can change the port for the HTTP server with the command http server enable <port>.

Try changing the port and then configure NAT.

Thanks,

Rishabh

For SSH I haven't seen any command that would make the ASA listen on any port other than 22.

So to SSH to your server you can use the mapped service port as some random port (say 22222) and then the real port as 22 in your NAT.

And then SSH to the public IP on port 22222.

When you are testing telnet traffic, check NAT counter for the object NAT you have created.

Make sure the traffic is not hitting any Manual NAT which you have.

If it is hitting some manual NAT then place that NAT after object NAT using the command "after-auto" in that manual NAT statement.

Also check what packet tracer shows.
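The "NAT unable to reserve ports" error and the port-change advice above come down to one check: does a static interface PAT want a TCP port that the ASA already uses for its own SSH or ASDM listener on that interface? The following Python script is an added example (not from the thread or from Cisco) that runs that check over a config excerpt. It models only SSH and HTTP/ASDM, assumes the ASA default of 443 for "http server enable" without a port, and uses constructed config text with placeholder host addresses; it reads object NAT ports in the order the ASA writes them, "service tcp <real-port> <mapped-port>".

```python
import re

# Well-known TCP port names accepted by the ASA CLI (a subset, assumed for this example).
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}

def port_number(token):
    """Turn a port token as written in the config ('443' or 'https') into an int."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port token: {token}")

def asa_listening_ports(config, interface="outside"):
    """Return {port: service} for the management services the ASA itself accepts
    on `interface`. Only SSH and HTTP/ASDM are modelled, the two services the
    thread is about; 'http server enable' without a port means 443."""
    http_port = 443
    http_on_iface = ssh_on_iface = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^http server enable(?: (\d+))?$", line)
        if m:
            if m.group(1):
                http_port = int(m.group(1))
            continue
        m = re.match(r"^(http|ssh) \S+ \S+ (\S+)$", line)
        if m and m.group(2) == interface:
            if m.group(1) == "http":
                http_on_iface = True
            else:
                ssh_on_iface = True
    listening = {}
    if http_on_iface:
        listening[http_port] = "http/ASDM"
    if ssh_on_iface:
        listening[22] = "ssh"
    return listening

# Object NAT that borrows the interface address; the ASA writes the ports as
# 'service tcp <real-port> <mapped-port>'.
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static interface service (tcp|udp) (\S+) (\S+)$")

def interface_pat_mappings(config):
    """Yield (mapped_interface, proto, real_port, mapped_port) for each such rule."""
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            yield m.group(2), m.group(3), port_number(m.group(4)), port_number(m.group(5))

def port_conflicts(config, interface="outside"):
    """List (mapped_port, service) pairs where a static interface PAT wants a
    port the ASA already uses for its own management service on that interface;
    this is the collision behind 'ERROR: NAT unable to reserve ports'."""
    listening = asa_listening_ports(config, interface)
    return [(mapped, listening[mapped])
            for ifc, proto, _real, mapped in interface_pat_mappings(config)
            if ifc == interface and proto == "tcp" and mapped in listening]

# Constructed sample, modelled on the thread: ASDM on its default port and SSH
# both enabled on outside, and object NAT rules that want the same ports.
# The host address is a placeholder.
CONFLICTING = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
object network SERVER
 host 10.0.0.4
 nat (inside,outside) static interface service tcp https https
object network SERVER-SSH
 host 10.0.0.4
 nat (inside,outside) static interface service tcp ssh ssh
"""

# Same box after the advice in the thread: ASDM moved to 8443, and SSH to the
# server published on a high mapped port (22222) while the real port stays 22.
FIXED = """\
http server enable 8443
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
object network SERVER
 host 10.0.0.4
 nat (inside,outside) static interface service tcp 443 443
object network SERVER-SSH
 host 10.0.0.4
 nat (inside,outside) static interface service tcp 22 22222
"""

if __name__ == "__main__":
    print("conflicting:", port_conflicts(CONFLICTING))
    print("fixed:      ", port_conflicts(FIXED))
```

Run it on a pasted "show run" excerpt; an empty list means no management listener sits on a port the PAT needs, which is the state the thread reaches by moving ASDM to a different port and publishing SSH on 22222.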

 

I do not see any hit counters on object NAT.

Also I have 2 manual NAT statements, as below:

2 (inside) to (outside) source static inside inside   destination static vpn_pool_ip vpn_pool_ip
    translate_hits = 0, untranslate_hits = 0

 

6 (inside) to (outside) source dynamic inside interface   description Allow R1 to ping to Internet Sites
    translate_hits = 7204, untranslate_hits = 2578


Can you please tell me the CLI command which I can use to put the below commands after the object NAT?

Regards

Mahesh

I think all your traffic is hitting this NAT statement:

(inside) to (outside) source dynamic inside interface   description Allow R1 to ping to Internet Sites

Remove this NAT statement and place it after the object NAT by using the after-auto command.

e.g.:

nat (inside,outside) after-auto source dynamic inside interface

 

 

I moved the NAT config below as you said; here is the packet tracer output:

 

pri/act/ASA1# packet-tracer input outside tcp 70.75.x.x. 23 10.0.0.4  23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server eq telnet
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network server
 nat (inside,outside) static interface service tcp telnet telnet

Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Seems it is denied by the object NAT rule?

 

Regards

Mahesh

As per your requirement you will be sending traffic to the public IP.

 

Check IP addresses in packet tracer.

packet-tracer input outside tcp <source-ip> <any port> <asa outside ip> <23>

 

Here is the output:

 

ASA1# packet-tracer input outside tcp 70.75.x.x 1023  96.51.x.x  23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   96.51.x.x   255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Refer to this article:

https://rowell.dionicio.net/configuring-nat-for-a-public-server-using-same-outside-interface/

 

I tried as per the above website; it seems there is some NAT issue which I need to fix.

Logs show:

 %ASA-3-710003: TCP access denied by ACL from 70.75.x.x/52948 to outside:96.51.x.x/443

 

NAT config

 

ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
!
object network server
 nat (inside,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source static inside inside destination static inside inside
nat (inside,outside) after-auto source dynamic inside interface description Allow R1 to ping to Internet Sites

 

Regards

Mahesh
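Two pieces of advice run through the thread: the server's object NAT only wins if no manual NAT in section 1 catches the traffic first (hence "after-auto"), and the ACL must reference the server's real, un-NATed address. The Python script below is an added example (not from the thread or from Cisco) that parses "sh run nat" output into the three ASA NAT sections, reports which rule an outbound flow from the server hits first, and checks an ACE against the real IP. The object table is an assumption, since the thread's output does not show the object definitions; the two config excerpts are constructed from the thread's rules, before and after the dynamic PAT was moved with "after-auto", and 203.0.113.10 / 198.51.100.1 are documentation-range placeholders. The ordering within section 2 is simplified to config order, which is enough for a single object rule.

```python
import ipaddress
import re

# Constructed object table for this example: the thread's 'sh run nat' output does
# not show the object definitions, so these networks are assumptions.
OBJECTS = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "server": ipaddress.ip_network("10.0.0.4/32"),
    "vpn_pool_ip": ipaddress.ip_network("192.168.100.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

MANUAL_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (after-auto )?source (?:static|dynamic) (\S+) \S+"
    r"(?: destination static (\S+) \S+)?"
)
OBJECT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static ")

def parse_nat(show_run_nat):
    """Split 'show run nat' output into the three ASA NAT sections, in the order
    the ASA evaluates them: 1 = manual NAT, 2 = object (auto) NAT, 3 = manual
    NAT entered with 'after-auto'. Each entry is
    (line, src_ifc, dst_ifc, real_source_object, real_destination_object)."""
    sections = {1: [], 2: [], 3: []}
    current_object = None
    for line in show_run_nat.splitlines():
        if line.startswith("object network "):
            current_object = line.split()[-1]
            continue
        m = MANUAL_RE.match(line)
        if m:
            sections[3 if m.group(3) else 1].append(
                (line.strip(), m.group(1), m.group(2), m.group(4), m.group(5)))
            continue
        m = OBJECT_RE.match(line)
        if m and current_object:
            sections[2].append((line.strip(), m.group(1), m.group(2), current_object, None))
    return sections

def contains(obj_name, ip):
    """True if the named object covers the address."""
    return obj_name in OBJECTS and ipaddress.ip_address(ip) in OBJECTS[obj_name]

def first_match(sections, src_ifc, dst_ifc, src_ip, dst_ip):
    """Return (section, rule) for the first rule an outbound flow from src_ip on
    src_ifc to dst_ip on dst_ifc would hit, or None. Simplification: within
    section 2 the ASA additionally orders static before dynamic and by prefix
    length; the sample has a single object rule, so config order is enough."""
    for sec in (1, 2, 3):
        for line, r_src, r_dst, src_obj, dst_obj in sections[sec]:
            if r_src not in (src_ifc, "any") or r_dst not in (dst_ifc, "any"):
                continue
            if not contains(src_obj, src_ip):
                continue
            if dst_obj is not None and not contains(dst_obj, dst_ip):
                continue
            return sec, line
    return None

ACE_RE = re.compile(
    r"^access-list \S+ extended permit \S+ (?:any|object \S+|host \S+) "
    r"(?:object (\S+)|host (\S+)|(any))"
)

def ace_permits_real_ip(ace, real_ip):
    """Post-8.3 ASA ACLs are written against real (untranslated) addresses, so
    the ACE for a published server must name its private IP, not the public one."""
    m = ACE_RE.match(ace)
    if not m:
        return False
    obj, host, _any = m.groups()
    if obj:
        return contains(obj, real_ip)
    if host:
        return host == real_ip
    return True

# Constructed 'sh run nat' excerpts: the dynamic PAT for 'inside' sitting in
# section 1 (as in the thread before the fix), then moved to after-auto.
BEFORE = """\
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
!
object network server
 nat (inside,outside) static interface service tcp https https
"""
AFTER = """\
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
!
object network server
 nat (inside,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source dynamic inside interface description Allow R1 to ping to Internet Sites
"""

if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address standing in for an internet host.
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, first_match(parse_nat(cfg), "inside", "outside", "10.0.0.4", "203.0.113.10"))
    print(ace_permits_real_ip(
        "access-list outside_access_in extended permit tcp any object server eq https", "10.0.0.4"))
```

In the "before" layout the server's traffic matches the section 1 dynamic PAT, so the object NAT never gets a hit, which is what the zero counters in the thread showed; after "after-auto" the object NAT is the first match. The ACE check accepts "object server" (it resolves to the real IP) and rejects an ACE written against the public address.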
