I test it live. I still have

ziaeecABC · ‎11-08-2014

I got new asa 5512 with ver 9.1 on it and I am trying to do a static nat, but it did not work. here is my config:

object network hst-192.168.0.60
host 192.168.0.60
nat (inside,outside) static 173.x.x.x

object-group service svcgrp-192.168.0.60-tcp tcp
port-object eq 80
port-object eq 443

access-list outside_access_in extended permit tcp any object hst-192.168.0.60 object-group svcgrp-192.168.0.60-tcp
access-group outside_access_in in interface outside

------------

I have applied this: nat (inside,outside) after-auto source dynamic any interface
but did not help

--------------

(I also have an old one with ver 7 with working config that I can post if that helps)

Any ideas. Thank you

Karsten Iwen · ‎11-09-2014

The config looks fine.

How did you test it?
What is the output of "ping tcp 192.168.0.60 80" and "ping tcp 192.168.0.60 443" from the ASA?
Can you reach the ASA from your Test-PC?
What is the output of "packet-tracer input outside tcp 1.2.3.4 1234 173.x.x.x 80"?

ziaeecABC · ‎11-09-2014

I test it live. I still have the old firewall and can still switch between them. Note that server is live and can ping it: 192.168.0.60. with both ports from this new ASA.

Also the packet-tracer doesn't show error when running it from the asa. but when testing it from outside it doesn't work. that ip is a static public ip available from the outside router and is working fine with the old firewall (ver 7) any other ideas?

Note: if I do - nat (inside,outside) static 173.x.x.x service www www - it works, but I need this ip to be just for that internal server

Static nat ver 9.1 droped