01-13-2020 07:53 PM - edited 02-21-2020 09:49 AM
Dears,
I met a problem with static NAT; my ASA version is 9.6. The topology:
And configuration of devices:
[R1]v15.2
int g1/0
ip address 10.0.0.1 255.0.0.0
no shutdown
===========================
[asa]
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.0.2 255.0.0.0
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.0.0.1 255.0.0.0
no shutdown
!
object network WEB
host 20.0.0.2
nat (inside,outside) static interface service tcp 80 80
nat (inside,outside) source dynamic any interface
!
access-list ICMP-WEB extended permit icmp any4 any4
access-list ICMP-WEB extended permit tcp any4 any4 eq www
access-list ICMP-WEB extended permit tcp any4 any4 eq https
access-list ICMP-WEB extended permit tcp any4 eq www any4
access-list ICMP-WEB extended permit tcp any4 eq https any4
access-group ICMP-WEB global
!
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
===========================
[R2]v15.2
int g1/0
ip address 20.0.0.2 255.0.0.0
no shutdown
!
no ip routing
ip default-gateway 20.0.0.1
===========================
I have completed PAT on the ASA. R2 can ping R1 (10.0.0.1) and gets an ICMP reply, and R2 can telnet to 20.0.0.2 80 (R2 itself).
R1#telnet 10.0.0.2 80
Trying 10.0.0.2, 80 ...
%Connection timed out; remote host not responding
R1#
R2#telnet 20.0.0.2 80
Trying 20.0.0.2, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Tue, 14 Jan 2020 10:51:37 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 20.0.0.2 closed by foreign host]
R2#
===============================
But I don't know why R1 cannot telnet to the ASA (10.0.0.2) on port 80.
Regards.
01-13-2020 10:03 PM
ASA is not running any web service on port 80, that's why you cannot. Can you please elaborate on what you are trying to achieve so we can help you more?
01-13-2020 11:12 PM
01-13-2020 10:05 PM
Hello!
I think you should remove second nat definition in object-nat configuration, that is:
!
object network WEB
host 20.0.0.2
nat (inside,outside) static interface service tcp 80 80
!
01-13-2020 11:13 PM - edited 01-13-2020 11:27 PM
Hi danilov.do,
"I think you should remove second nat definition in object-nat configuration"
But the ASA has only PAT if I remove it, without static NAT.
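
Whether each of the two `nat` lines in the posted configuration is object (auto) NAT or manual (twice) NAT can be read from the syntax alone. The Python sketch below is an added example, not part of any post in this thread; its function and field names are assumptions. It sorts the posted rules into the ASA NAT table sections (1 manual, 2 object, 3 manual `after-auto`), which the ASA evaluates in that order.

```python
import re

# The NAT-related lines as posted in the question (indentation was lost on the page).
POSTED_CONFIG = """\
object network WEB
host 20.0.0.2
nat (inside,outside) static interface service tcp 80 80
nat (inside,outside) source dynamic any interface
"""

NAT_RE = re.compile(r"^nat \(([^,]+),([^)]+)\)\s+(.+)$")


def classify_nat(config):
    """Return one record per nat line, ordered by NAT-table section (1, 2, 3)."""
    rules, current_object = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, rest = m.groups()
        words = rest.split()
        if "source" in words:
            # Manual (twice) NAT: a global command, even if typed right after an object.
            section = 3 if "after-auto" in words else 1
            rule_type = words[words.index("source") + 1]
            rules.append({"kind": "manual", "section": section, "object": None,
                          "type": rule_type, "line": line})
        else:
            # Object (auto) NAT: belongs to the enclosing "object network".
            rules.append({"kind": "object", "section": 2, "object": current_object,
                          "type": words[0], "line": line})
    return sorted(rules, key=lambda r: r["section"])


if __name__ == "__main__":
    for r in classify_nat(POSTED_CONFIG):
        print(f"section {r['section']}  {r['kind']:6}  {r['type']:7}  {r['line']}")
```

On the ASA itself, `show nat detail` lists the rules per section with hit counts, and `packet-tracer` reports which NAT rule and access-list entry a given flow matches.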