
static nat config on ASA 9.1 for port forwarding

mahesh18
Level 6

Hi Everyone,

 

I have only a single public IP on the ASA outside interface.

The server is connected to the inside network of the ASA. I want the server to be reachable from the internet on port 443.

I tried the static NAT config on the ASA:

nat (inside,outside) ?

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters

 

There is no static command?

How can I configure the config below

nat (inside,outside) static interface service tcp http http in ASA 9.1 version?

 

Regards

MAhesh


For testing, you can try putting all your manual NAT after object NAT (using the after-auto command), so that you can confirm that there is no other NAT getting hit for the server traffic.

Also make sure that your ACL for this traffic has the un-NATed (private) IP address of the server.

 

 

I put this object NAT statement at the top of all the NATs.

Now I can telnet to the server.

Many thanks for helping all the way.

Best Regards

MAhesh

 


 

 

For testing purposes I am only allowing a telnet connection to the server, as SSH and HTTPS are used by the ASA itself.

When I try telnet from the outside world to the server IP, I see these logs on the ASA:

 

%ASA-3-710003: TCP access denied by ACL from 70.75.x.x/49966 to outside:96.51.x.x/23

 

I have an ACL that shows no hit counters:

 

access-list outside_access_in extended permit tcp any object server eq telnet

pri/act/ASA1# sh run access-group
access-group outside_access_in in interface outside
 

Current NAT config

sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source static inside inside destination static inside inside
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (inside,outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
!
object network server
 nat (inside,outside) static interface service tcp telnet telnet

Regards

Mahesh
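
The test suggested in the reply above (move manual NAT behind object NAT with after-auto) can be prepared offline from saved "sh run nat" output. This Python sketch is an added example, not part of the original thread or any Cisco tool; the function names are hypothetical and the sample input is abridged from the config posted above.

```python
import re

# Constructed input: abridged from the "sh run nat" output posted in this thread.
SAMPLE = """\
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (outside,outside) source dynamic vpn_pool_ip interface
nat (inside,outside) source dynamic inside interface
nat (sales,outside) source dynamic Sales interface
!
object network server
 nat (inside,outside) static interface service tcp telnet telnet
"""

NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\)\s+(.*)$")

def parse_nat(config):
    """Parse NAT rules, ordered by section (1 manual, 2 object, 3 after-auto).
    Config order is kept inside each section."""
    rules, obj = [], None
    for raw in config.splitlines():
        if raw.startswith("object network "):
            obj = raw.split()[2]
            continue
        indented = raw.startswith(" ")
        if not indented:
            obj = None  # any top-level line ends the object block
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        real, mapped, rest = m.groups()
        section = 2 if (indented and obj) else 3 if rest.startswith("after-auto") else 1
        rules.append({"section": section, "real": real, "mapped": mapped,
                      "object": obj if section == 2 else None, "text": raw.strip()})
    return sorted(rules, key=lambda r: r["section"])  # stable sort

def manual_rules_ahead_of(rules, obj_name):
    """Section 1 rules sharing an interface with the object's NAT rule."""
    target = next(r for r in rules if r["object"] == obj_name)
    ifcs = {target["real"], target["mapped"], "any"}
    return [r for r in rules
            if r["section"] == 1 and ifcs & {r["real"], r["mapped"]}]

def as_after_auto(rule):
    """Same rule re-expressed for section 3, as the reply suggests for testing."""
    return re.sub(r"^(nat \(\S+\)) ", r"\1 after-auto ", rule["text"], count=1)

if __name__ == "__main__":
    for r in manual_rules_ahead_of(parse_nat(SAMPLE), "server"):
        print("no " + r["text"])   # remove the section 1 copy
        print(as_after_auto(r))    # re-add it behind object NAT
```

Run against the posted config, it lists every manual rule that is evaluated before the server's object NAT and prints the after-auto form of each.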
