01-13-2020 07:53 PM - edited 02-21-2020 09:49 AM
Dears,
I ran into a problem with static NAT; my ASA version is 9.6. The topology:
And the configuration of the devices:
[R1]v15.2
int g1/0
ip address 10.0.0.1 255.0.0.0
no shutdown
===========================
[asa]
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.0.2 255.0.0.0
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.0.0.1 255.0.0.0
no shutdown
!
object network WEB
host 20.0.0.2
nat (inside,outside) static interface service tcp 80 80
nat (inside,outside) source dynamic any interface
!
access-list ICMP-WEB extended permit icmp any4 any4
access-list ICMP-WEB extended permit tcp any4 any4 eq www
access-list ICMP-WEB extended permit tcp any4 any4 eq https
access-list ICMP-WEB extended permit tcp any4 eq www any4
access-list ICMP-WEB extended permit tcp any4 eq https any4
access-group ICMP-WEB global
!
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
===========================
[R2]v15.2
int g1/0
ip address 20.0.0.2 255.0.0.0
no shutdown
!
no ip routing
ip default-gateway 20.0.0.1
===========================
I have completed PAT on the ASA. R2 can ping R1 (10.0.0.1) and gets an ICMP reply, and R2 can telnet to 20.0.0.2 80 (R2 itself).
R1#telnet 10.0.0.2 80
Trying 10.0.0.2, 80 ...
%Connection timed out; remote host not responding
R1#
R2#telnet 20.0.0.2 80
Trying 20.0.0.2, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Tue, 14 Jan 2020 10:51:37 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 20.0.0.2 closed by foreign host]
R2#
===============================
But I don't know why R1 cannot telnet to the ASA (10.0.0.2) on port 80.
Regards.
01-13-2020 10:03 PM
The ASA is not running any web service on port 80; that's why you cannot. Can you please elaborate on what you are trying to achieve so we can help you more?
01-13-2020 11:12 PM
01-13-2020 10:05 PM
Hello!
I think you should remove the second NAT definition in the object-nat configuration, that is:
!
object network WEB
host 20.0.0.2
nat (inside,outside) static interface service tcp 80 80
!
01-13-2020 11:13 PM - edited 01-13-2020 11:27 PM
Hi danilov.do,
"I think you should remove the second NAT definition in the object-nat configuration"
But the ASA has only PAT if I remove it, without static NAT.