10-12-2011 06:14 AM - edited 03-11-2019 02:36 PM
Hi!
I'm trying to make a traditional port forward (http to http) on our new ASA5510. Previous releases of the 5505 and software prior to 8.3 were no problem. Could someone tell me how to do it in the new 8.4 version? I am a rookie on the new ASA series!
My setup is as follows (config not shown in full):
interface Ethernet0/0
nameif outside
security-level 0
ip address 87.96.xxx.75 255.255.255.128
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside-entry extended permit tcp any host 87.96.xxx.75 eq www
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit tcp any any eq www
nat (inside,sll) source dynamic obj_any interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network SRV02
nat (outside,inside) static interface service tcp www www
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
access-group sll_access_in in interface sll
route outside 0.0.0.0 0.0.0.0 87.96.xxx.1 1
If nothing makes sense in this configuration, please give an example of how to do it correctly. The object on the inside is SRV02, which is running a webserver on port 80. So I want to open up for http on the outside interface and forward that traffic to SRV02 (inside webserver).
I also tried to use the Public Server Wizard but I fail even there. See attached image.
10-14-2011 01:29 AM
Thanks for pointing it out. The inside interface does have IP 192.168.200.2 and the old firewall is serving 192.168.200.1. Clients/servers on the inside are configured towards the "old" default gateway....
So your latest nat suggestion really makes the inside interface listen to inside traffic on a specific port and could pick that up. Is it the dynamic statement that does this magic?
Thanks again!
10-14-2011 01:34 AM
Hi Fredrik,
Yes, in the nat statement, the users coming from the internet are dynamically PATed to the inside interface, while the destination server is statically port forwarded to the outside interface. So the server would see the request coming from your inside interface.
Hope that helps.
Thanks,
Varun
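The twice NAT described in the reply above, written out for ASA 8.3+/8.4 as an added example that is not taken from the thread. The SRV02 host address and the service object name HTTP-SVC are assumptions; the interface names and ACL name are the ones in the posted config.

```cisco
! Added example, not the configuration posted in the thread.
! ASSUMPTION: 192.168.200.10 is a constructed placeholder for SRV02's
! real inside address; replace it with the actual server IP.
object network SRV02
 host 192.168.200.10
!
! Service object matching destination tcp/80 (name HTTP-SVC is hypothetical).
object service HTTP-SVC
 service tcp destination eq www
!
! Twice NAT, entering on outside and leaving on inside:
!  source      - any Internet client is dynamically PATed to the inside
!                interface address (192.168.200.2 in the posted config)
!  destination - the outside interface address on tcp/80 is statically
!                translated to SRV02 on tcp/80
nat (outside,inside) source dynamic any interface destination static interface SRV02 service HTTP-SVC HTTP-SVC
!
! From 8.3 onward, interface ACLs are matched against the real (untranslated)
! server address, so the permit can name the server object. This is a
! narrower alternative to "permit tcp any any eq www" in the posted ACL.
access-list outside_access_in_1 extended permit tcp any object SRV02 eq www
access-group outside_access_in_1 in interface outside
```

Because every inbound client is source-translated to the inside interface, SRV02's access logs will show 192.168.200.2 as the client for all requests; the original client addresses are then only visible in the ASA's own connection logging.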