
ASA 5515: How to nat service group objects

Sina Owolabi
Level 1

Hi

I have a load balancer I am trying to nat multiple ports to (at this time, http and https) behind an ASA 5515.

I have created a service group for the nat ports:

object-group service webServices
  service-object tcp destination eq www
  service-object tcp destination eq https

I created an object for the host:

object network lb01
 host 192.168.72.13

and an access-list rule:

access-list outside_in extended permit object-group webServices any object nglb01

But when I try to add a nat rule for the network object like this:

nat (dmz,outside) static interface service tcp webServices webServices

It returns errors.

Please, what is the correct way to do this? I want to be able to NAT ports 80 and 443 to the load balancer.

1 Reply

Sina Owolabi
Level 1

This is what I ended up doing, which works, despite complaints of something overlapping from the ASA. It doesn't conflict with anything else.

I am worried that later rules might cause trouble if they are similar. Any advice?

My config:

object-group service webServices
 service-object tcp destination eq www
 service-object tcp destination eq https

object network lb01
 host 192.168.72.13

object network lb01
 nat (dmz,outside) static outside.27  ** source of ASA overlap complaints

object network outside.27
 host 154.X.X.27

access-list outside_in extended permit object-group webServices any object lb01 
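
An added example, not part of the original thread: in object NAT (ASA 8.3 and later) the `service` keyword takes literal ports rather than a service object-group, and each network object carries only one `nat` statement, so forwarding only 80 and 443 uses two objects for the same host. The object names `lb01-http` and `lb01-https` are assumptions; the addresses and the `outside.27` object are the ones posted above, with the redacted octets left as posted.

```cisco
! Mapped (public) address, as posted in the thread (octets redacted there)
object network outside.27
 host 154.X.X.27

! One network object per forwarded port: object NAT allows a single
! nat statement per object, and "service" takes ports, not an object-group.
object network lb01-http
 host 192.168.72.13
 nat (dmz,outside) static outside.27 service tcp www www

object network lb01-https
 host 192.168.72.13
 nat (dmz,outside) static outside.27 service tcp https https

! On 8.3+ the ACL matches the real (pre-NAT) address, so it references
! the inside objects. Only the two forwarded ports are permitted.
access-list outside_in extended permit tcp any object lb01-http eq www
access-list outside_in extended permit tcp any object lb01-https eq https

! Checks after applying:
!   show running-config nat
!   show nat detail
!   packet-tracer input outside tcp <test-source-ip> 12345 <mapped-ip> 443
! <test-source-ip> and <mapped-ip> are placeholders; use the real
! address behind outside.27 for <mapped-ip>.
```

Compared with `nat (dmz,outside) static outside.27` on the host object, which translates every port and leaves the access-list as the only filter, these rules translate only TCP 80 and 443.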
