09-09-2022 08:53 PM
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address x.x.x.3 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif dmz
security-level 50
ip address 192.168.101.225 255.255.255.0
!
ftp mode passive
object network WWW-EXT
host x.x.x.7
object network WWW-INT
host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network WWW-INT
nat (dmz,outside) static WWW-EXT service tcp www www
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.8 1
09-10-2022 09:51 AM - edited 09-10-2022 10:01 AM
@davidzw98 The packet-tracer confirms it should work now, so what else do you have in your environment that could be causing an issue?
Regardless if you don't think disabling the local server firewall will be an issue, test it to confirm.
Take a packet capture on the server to confirm whether packets even reach the server from the internet.
09-10-2022 10:09 AM
This is what I got:
ciscoasa#
ciscoasa#
09-10-2022 10:17 AM - edited 09-10-2022 10:21 AM
@davidzw98 That's a packet-tracer output, not the requested packet capture. Regardless, in the first packet-tracer you are using the correct destination IP address and therefore the result is allow, but in the second packet-tracer you are using an incorrect destination IP address. In packet-tracer you don't specify the destination as the real IP address if using NAT.
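To illustrate the point about NAT and packet-tracer destinations, here is an added example (not code from the thread or from Cisco): a small Python helper that reads an object NAT static rule like the one posted above and builds the packet-tracer command with the mapped address as the destination. The function names are hypothetical, and 203.0.113.7 and 198.51.100.10 are constructed documentation addresses standing in for the redacted public IP and an internet client.

```python
import re

# Constructed sample mirroring the thread's config; 203.0.113.7 stands in
# for the redacted public address x.x.x.7 (assumption).
SAMPLE_CONFIG = """\
object network WWW-EXT
 host 203.0.113.7
object network WWW-INT
 host 192.168.101.225
access-list OUTSIDE extended permit tcp any object WWW-INT eq www
object network WWW-INT
 nat (dmz,outside) static WWW-EXT service tcp www www
"""

PORTS = {"www": 80, "http": 80, "https": 443}  # only the keywords needed here
NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")


def parse_static_nat(config):
    """Collect host objects and object-NAT static rules from a config excerpt."""
    hosts, rules, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m[1]
        elif current and (m := re.match(r"host (\S+)$", line)):
            hosts[current] = m[1]
        elif current and (m := NAT_RE.match(line)):
            rules.append((current, *m.groups()))
        else:
            current = None  # any other command ends the object block
    return hosts, rules


def packet_tracer_for(config, real_ip, src_ip, src_port=12345):
    """Build the packet-tracer command for inbound traffic to real_ip,
    using the mapped (post-NAT) address as the destination."""
    hosts, rules = parse_static_nat(config)
    for obj, real_if, mapped_if, mapped, proto, real_port, mapped_port in rules:
        if hosts.get(obj) != real_ip:
            continue
        if proto is None:
            raise ValueError("rule has no service clause; supply the port")
        dst = hosts.get(mapped, mapped)  # object name or literal address
        port = PORTS.get(mapped_port, mapped_port)
        return (f"packet-tracer input {mapped_if} {proto} "
                f"{src_ip} {src_port} {dst} {port}")
    raise LookupError(f"no static NAT rule translates {real_ip}")
```
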
09-10-2022 10:26 AM
OK. Thank you! I will try to see if I can figure it out.
In the meantime, just to let you know,
I bought this ASA5508 from eBay brand new. Is there something internal that does not allow me to use it?
I haven't registered the PAK and PIN, and don't know how to do it.
eBay item number: 193807253089
New message from: cnedirect
Hello
Unfortunately this is not something we could help with,
I will mention we have sold roughly 500 of these and never had any issues
with the buyers having problems with this. Unfortunately we do not have
any Cisco experts on staff and don't specialize in Cisco,
we get Cisco overstock product from time to time.
Thank You