03-21-2021 06:49 AM - edited 03-21-2021 06:50 AM
Hi. I have a Cisco ASA with 4 VLANs (DMZ, inside, outside, WiFi - unused). I also have a NextCloud server in my DMZ VLAN which I want to be accessible from outside. I managed that on a Cisco router but I'm fresh with the Cisco ASA. I tried to do it the way the official Cisco documentation says:
Cisco documentation
and I checked a lot of other pages. And it just doesn't work.
NextCloud is 192.168.2.3
First i tried with command :
Czernobyl(config)# object network nextcloud_public
Czernobyl(config-network-object)# host A.B.C.D (my hidden public IP)
Czernobyl(config-network-object)# exit
Czernobyl(config)# object network nextcloud_private
Czernobyl(config-network-object)# host 192.168.2.3
Czernobyl(config-network-object)# nat (DMZ,outside) static nextcloud_public service tcp 443 443
ERROR: Address A.B.C.D overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
So I used the "interface" keyword to work around that - it accepted the command, I applied some ACLs and it still doesn't work. Here are my outputs:
#show version
Device Manager Version 7.9(2)152
Compiled on Wed 13-Mar-13 07:45 by builders
System image file is "disk0:/asa911-4-k8.bin"
Config file at boot was "startup-config"
Czernobyl up 42 mins 53 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
# show nat
Czernobyl# show nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic obj_any interface
translate_hits = 24, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (DMZ) to (outside) source static nextcloud interface service tcp https https
translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 811, untranslate_hits = 3
#show running-config
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd option 43 ip 10.20.0.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 95.216.71.38 source outside prefer
ssl encryption 3des-sha1 aes128-sha1
webvpn
anyconnect-essentials
@@@@@@@@@@@@@@@@@@@@@@@@@@
!
class-map inspection_default
match default-inspection-traffic
Does anybody have any ideas?
03-21-2021 10:30 AM - edited 03-21-2021 10:33 AM
Hello
lol apologies, I posted the wrong NAT statement, it was meant to state
no nat (DMZ,outside) source dynamic obj_any interface
object network nextcloud
nat (DMZ,outside) static interface service tcp https https (already applied)
03-21-2021 08:14 AM
Hello
try making the following changes:
no nat (inside,outside) dynamic interface
object network nextcloud
nat (inside,outside) dynamic interface
03-21-2021 08:23 AM
I don't get it. DMZ isn't mentioned anywhere. I mean "inside" is my local VLAN where I keep private devices. Nextcloud is in the DMZ VLAN.
03-21-2021 11:20 AM
Ok. It works. But...
I don't know why I always have problems with NAT... On the c2800 I also had a problem with that: either only static PAT was working or only overload. It took me about 3 days to manage it and in the end I have no idea what was wrong, because it fixed itself after some hours of doing nothing (please don't ask, I really don't know how it happened :D)
If I now apply the dynamic NAT statement there, will it somehow combine and work with both overload and static PAT?
03-21-2021 12:44 PM - edited 03-21-2021 12:45 PM
Hello
You can be more specific:
object network web-public
host <public ip address>
object network nextcloud
nat (DMZ,outside) static web-public service tcp https https
object network dmz-lan
range 192.168.2.4 192.168.2.254 (note: static DMZ host not included)
nat (DMZ,outside) dynamic interface
03-22-2021 01:18 AM
Dear Raresz,
Allow me to explain a little about NAT rule priorities on the ASA.
There are three NAT types:
1- Manual NAT.
It is prioritized first and preferred over the other NAT rules. It is displayed under Section 1 in "show nat".
2- Auto NAT
It is prioritized second, after Manual NAT. These NAT rules are created within objects and are displayed under Section 2 in "show nat".
3- Manual NAT with the "after-auto" keyword
It is prioritized last. It is displayed under Section 3 in "show nat".
Also, within the Auto NAT rules the prioritization is as follows:
- Static is prioritized and preferred over dynamic.
- More specific real IP first.
In your configuration, you can apply two auto NAT rules:
1- Auto NAT for static PAT for the nextcloud server
object network Nextcloud-PAT
host 192.168.2.3
nat (dmz,outside) static interface service tcp https https
2- Auto NAT for dynamic PAT for the DMZ subnet
object network DMZ-Pat
subnet 192.168.2.0 255.255.255.0
nat (dmz,outside) dynamic interface
With the above rules, the static rule will be prioritized first and then the dynamic one will take effect. You can confirm this by issuing "show nat"; you will see the static rule placed before the dynamic one.
Best Regards
Asem ..
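The rule ordering described in the answer above can be checked offline before touching the firewall. The following is an added example, not code from the thread or from Cisco: a small Python model of the ASA NAT table that sorts rules the way "show nat" does (Section 1 manual rules in configured order, then Section 2 object rules ordered static-before-dynamic, fewer real addresses first, lowest real IP first, then object name, then Section 3) and returns the first rule that matches a new connection. The rule names, the NatRule class and the helper functions are my own; the addresses and objects are the ones posted in the thread (the manual "obj_any" DMZ rule from the original "show nat", and the Nextcloud-PAT / DMZ-Pat objects from Asem's answer).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of an ASA NAT rule (my own, not a Cisco API).
@dataclass
class NatRule:
    name: str                        # object name shown in "show nat"
    section: int                     # 1 manual, 2 auto (object), 3 manual after-auto
    real_if: str                     # interface of the real (untranslated) side
    mapped_if: str                   # interface of the mapped side
    kind: str                        # "static" or "dynamic"
    real: list                       # IPv4Network list covering the real addresses
    service: Optional[tuple] = None  # (proto, real_port) for a static PAT with a service
    order: int = 0                   # configuration order, used for sections 1 and 3

    @property
    def real_count(self):
        return sum(n.num_addresses for n in self.real)

    @property
    def lowest_real(self):
        return min(n.network_address for n in self.real)

# Helpers mirroring "host", "subnet" and "range" inside "object network".
def host(ip):
    return [ipaddress.ip_network(ip + "/32")]

def subnet(net):
    return [ipaddress.ip_network(net)]

def ip_range(first, last):
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

ANY = [ipaddress.ip_network("0.0.0.0/0")]   # what obj_any covers

def evaluation_order(rules):
    """Sort rules into the order the ASA evaluates them (Cisco's documented
    Section 2 ordering: static first, fewer real IPs, lowest IP, object name)."""
    def key(r):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1,
                    r.real_count, int(r.lowest_real), r.name.lower())
        return (r.section, r.order, 0, 0, "")
    return sorted(rules, key=key)

def lookup(rules, real_if, mapped_if, src_ip, proto=None, src_port=None):
    """Return the first rule that translates a new connection from src_ip on
    real_if toward mapped_if, or None if nothing matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in evaluation_order(rules):
        if (r.real_if, r.mapped_if) != (real_if, mapped_if):
            continue
        if not any(ip in n for n in r.real):
            continue
        if r.service and r.service != (proto, src_port):
            continue  # a static PAT with a service only matches that real port
        return r
    return None

def show_nat(rules):
    """Render the table roughly the way "show nat" prints it."""
    lines = []
    for sec in (1, 2, 3):
        rows = [r for r in evaluation_order(rules) if r.section == sec]
        if not rows:
            continue
        lines.append(f"Section {sec}")
        for i, r in enumerate(rows, 1):
            svc = f" service {r.service[0]} {r.service[1]}" if r.service else ""
            lines.append(f"{i} ({r.real_if}) to ({r.mapped_if}) source {r.kind} {r.name} interface{svc}")
    return lines

NEXTCLOUD = "192.168.2.3"   # server address from the thread

# Table as originally posted: the manual DMZ PAT sits in Section 1.
BEFORE = [
    NatRule("obj_any", 1, "DMZ", "outside", "dynamic", ANY, order=1),
    NatRule("nextcloud", 2, "DMZ", "outside", "static", host(NEXTCLOUD), service=("tcp", 443)),
    NatRule("obj_any", 2, "inside", "outside", "dynamic", ANY),
]

# Table after removing the manual rule and adding the two auto NAT objects.
AFTER = [
    NatRule("Nextcloud-PAT", 2, "DMZ", "outside", "static", host(NEXTCLOUD), service=("tcp", 443)),
    NatRule("DMZ-Pat", 2, "DMZ", "outside", "dynamic", subnet("192.168.2.0/24")),
    NatRule("obj_any", 2, "inside", "outside", "dynamic", ANY),
]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        print("\n".join(show_nat(table)))
        hit = lookup(table, "DMZ", "outside", NEXTCLOUD, "tcp", 443)
        print(f"{NEXTCLOUD} tcp/443 -> {hit.name} (section {hit.section}, {hit.kind})")
```

With the original table, a lookup for the server on tcp/443 lands on the Section 1 manual dynamic rule before the object's static PAT is ever consulted, which is consistent with the translate_hits = 0 on the static rule in the posted output. With the corrected table the static PAT wins for tcp/443, while any other port from the same host, and every other DMZ address, falls through to DMZ-Pat. The ip_range helper models the alternative from the earlier reply (a range that leaves the static host out) so both styles of the dynamic object can be compared in the same model.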
03-22-2021 12:10 PM
Ok, thanks guys for the proper answers. I'll be fighting with that soon. I only wish the Cisco ASA had the same CLI as IOS on routers... The thing is, I don't really want to learn the ASA logic too much because I'm preparing for the CCNA exam, so that would really harm my mind. I just want to focus on router/switch IOS for now. Anyway, thanks a lot!