network770
Beginner

static nat not working

I have a very simple request on 8.6 code: I need to translate a public IP address to a private one on a given port. I have the following:

object network obj-TEST
 host 192.168.10.10
!
object network obj-TEST
 nat (inside,outside) static 88.88.88.88
!
access-list incoming_outside extended permit tcp any host 88.88.88.88 eq 3389
access-group incoming_outside in interface outside

Yet I am not able to RDP to 88.88.88.88 from the outside.

I checked that 192.168.10.10 is reachable from the firewall and that the port is open from the inside.

Any idea what's wrong with this config?

object network obj-TEST
nat (inside,outside) static 206.172.40.93
Collin Clark
Advisor

Try changing the ACL from 88.88.88.88 to 192.168.10.10.

Sent from Cisco Technical Support Android App

Andrew Phirsov
Rising star

You should always use real, not mapped, addresses in ACLs when working with post-8.3 code, so do what Collin said.

It's working now. It looks strange to allow a private IP address incoming on the outside interface; I can't seem to wrap my head around this.

Hi Ronni,

The reason for this is that NAT and ACL operations have changed in the new software.

When a connection arrives on the ASA to a NATed destination address, the ASA first UNTRANSLATES that public NAT IP address to the local IP address.

So after that phase of processing, the packet's destination address is already the local IP address.

When the ASA reaches the ACL phase, it will therefore need to allow the traffic to the REAL IP address rather than the NAT IP address.

Hope this helps

- Jouni
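To make the order of operations Jouni describes concrete, here is an added Python model (not code from this thread and not Cisco's) that parses the small subset of ASA syntax used in the question, un-translates the destination address first, and only then evaluates the inbound ACL against the real address. The two config strings, the outside source address 203.0.113.5, and every function name here are constructed for the illustration and are not from the original post.

```python
"""Model of ASA 8.3+ inbound processing: un-NAT the destination, then evaluate
the inbound ACL against the real (post-untranslation) address.

Assumptions: this handles only the syntax used in the thread (object network
with a single host, static object NAT, extended ACEs with any/host and eq).
"""

# Constructed copy of the original poster's configuration: ACL on the mapped address.
BROKEN_CONFIG = """\
object network obj-TEST
 host 192.168.10.10
!
object network obj-TEST
 nat (inside,outside) static 88.88.88.88
!
access-list incoming_outside extended permit tcp any host 88.88.88.88 eq 3389
access-group incoming_outside in interface outside
"""

# Same config with the ACE written against the real address, as the replies advise.
FIXED_CONFIG = BROKEN_CONFIG.replace("host 88.88.88.88 eq", "host 192.168.10.10 eq")


def _addr(tokens):
    """Consume one ACE address spec: 'any' or 'host <ip>' (the only forms modelled)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    raise ValueError("unsupported address spec: " + tok)


def parse_config(text):
    """Parse the ASA subset above into objects, NAT rules, ACLs and interface bindings."""
    objects, nat_rules, acls, bindings = {}, [], {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        t = line.split()
        if t[:2] == ["object", "network"]:
            current = t[2]
            objects.setdefault(current, None)
        elif t[0] == "host" and current:
            objects[current] = t[1]
        elif t[0] == "nat" and current:
            real_if, mapped_if = t[1].strip("()").split(",")
            nat_rules.append({"real": objects[current], "mapped": t[3],
                              "real_if": real_if, "mapped_if": mapped_if})
        elif t[0] == "access-list":
            name, action, proto, rest = t[1], t[3], t[4], t[5:]
            src, dst = _addr(rest), _addr(rest)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif t[0] == "access-group":
            bindings[(t[4], t[2])] = t[1]  # (interface, direction) -> ACL name
    return {"objects": objects, "nat": nat_rules, "acls": acls, "bindings": bindings}


def untranslate(model, iface, dst_ip):
    """Step 1: a packet arriving on the mapped interface has its destination
    un-NATed to the real address before any ACL is consulted."""
    for rule in model["nat"]:
        if rule["mapped_if"] == iface and rule["mapped"] == dst_ip:
            return rule["real"]
    return dst_ip  # no static rule for this address: destination is unchanged


def acl_permits(aces, proto, src_ip, dst_ip, port):
    """Step 2: first-match ACE evaluation with the implicit deny at the end."""
    for action, ace_proto, src, dst, ace_port in aces:
        if ace_proto not in (proto, "ip"):
            continue
        if src not in ("any", src_ip) or dst not in ("any", dst_ip):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action == "permit"
    return False


def inbound_allowed(config_text, iface, proto, src_ip, dst_ip, port):
    """Return (destination the ACL actually sees, permitted?) for one inbound packet."""
    model = parse_config(config_text)
    real_dst = untranslate(model, iface, dst_ip)
    acl = model["acls"].get(model["bindings"].get((iface, "in"), ""), [])
    return real_dst, acl_permits(acl, proto, src_ip, real_dst, port)


if __name__ == "__main__":
    # Constructed outside host (documentation range) opening RDP to the public address.
    for label, cfg in (("ACE on mapped address", BROKEN_CONFIG),
                       ("ACE on real address", FIXED_CONFIG)):
        seen, ok = inbound_allowed(cfg, "outside", "tcp", "203.0.113.5", "88.88.88.88", 3389)
        print(f"{label}: ACL sees dst {seen}, RDP {'permitted' if ok else 'dropped'}")
```

Running it shows the same ACE matching or missing purely because of what the destination field contains by the time the ACL runs: the un-NAT step has already rewritten 88.88.88.88 to 192.168.10.10, so an ACE written against 88.88.88.88 can never match and the implicit deny drops the connection. That is why an inbound ACL on the outside interface legitimately references a private address on post-8.3 code.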

I need a DMZ-to-inside configuration.

DMZ interface IP 10.1.1.1/24

DMZ server IP 10.1.1.254

Inside interface 192.168.11.249

Thanks and regards

Hi,

Please start a new discussion for your own questions that aren't related to the original topic.

Depending on the software level of your firewall, you might not need any NAT configuration.

- Jouni
