macboy276
Beginner

web server NAT problem


I have configured a new Cisco ASA 5512. I can't access our website from outside. We host our website internally.
Here is how I configured it. The web server's internal IP is 192.168.1.19.
In the following config I changed my web server's public IP to 99.99.99.99.
Can anybody help me with this?

object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
 nat (inside,outside) static interface service tcp www www
access-list outside_access_in permit tcp any object Webserver eq www
access-group outside_access_in in interface outside
Karsten Iwen
VIP Mentor

Although if you configured what you have shown, it's not what the ASA is using. Because each object can only hold one nat-statement, only the one with the interface keyword should be active.

The ACE is ok.

Thanks, I will delete the nat (inside,outside) static 99.99.99.99 line and try again.

Don't we have to define NAT for our local IP with the external IP?

What is the best way to troubleshoot NAT?

 

What Karsten means to say is that if you configure two nat statements under the object like this, it will have the nat with the interface keyword as the active nat.

You can verify this via "show run nat".

In case you want to use 99.99.99.99 for the webserver, try removing the interface command and adding the static 99.99.99.99 command listed previously.

For troubleshooting NAT:
1. Check the output of "show xlate":
   This will show you whether the NAT is showing the correct mapping of public to private IP.

2. Debug nat:
   To see the detailed logs of NATting on the ASA.

3. In case you are still having trouble accessing the server:
   a. run this command: cap asp type asp-drop all
   b. test the server via the internet
   c. run: show cap asp | in 192.168.1.9
   This will show if there are any packets getting dropped on the firewall.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

So my final NAT should be:

object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
access-list outside_access_in permit tcp any object Webserver eq www
access-group outside_access_in in interface outside

I also want to open port 8080 for this server.
Thanks in advance

> i also want to open port 8080 for this server.
 
just add an additional line to your ACL:
access-list outside_access_in permit tcp any object Webserver eq 8080
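The two pitfalls this thread turns on (Karsten's point that an object holds only one nat statement, so a second one replaces the first, and the later point that each published port needs its own ACE in an ACL that is actually applied inbound on the outside interface) can be checked mechanically before a config is pushed. The following is an added example, not code from any post here and not a Cisco tool: a small Python audit over ASA config text. The two sample configurations are constructed from the thread (99.99.99.99 is the page's placeholder public IP), and the names parse, audit, NAMED_PORTS and the required-port list are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's first configuration, with two nat
# statements under one object and only port 80 permitted in the ACL.
FIRST_CONFIG = """\
object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
 nat (inside,outside) static interface service tcp www www
access-list outside_access_in permit tcp any object Webserver eq www
access-group outside_access_in in interface outside
"""

# Constructed sample: the configuration the thread converges on, one
# translation plus an ACE for each published port (80 and 8080).
FINAL_CONFIG = """\
object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
access-list outside_access_in permit tcp any object Webserver eq www
access-list outside_access_in permit tcp any object Webserver eq 8080
access-group outside_access_in in interface outside
"""

# ASA port keywords that may appear in an ACE; only the ones this checker needs.
NAMED_PORTS = {"www": 80, "http": 80, "https": 443}


@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    nats: List[str] = field(default_factory=list)


def parse(config: str) -> Tuple[Dict[str, NetObject], List[tuple], Dict[str, tuple]]:
    """Pull out network objects, 'permit tcp any object X eq PORT' ACEs and access-groups."""
    objects: Dict[str, NetObject] = {}
    aces: List[tuple] = []          # (acl, proto, object, port)
    groups: Dict[str, tuple] = {}   # acl -> (direction, interface)
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = NetObject(m.group(1))
            objects[current.name] = current
            continue
        m = re.match(r"access-list (\S+) permit (\S+) any object (\S+) eq (\S+)$", line)
        if m:
            acl, proto, obj, port = m.groups()
            aces.append((acl, proto, obj, NAMED_PORTS.get(port) or int(port)))
            continue
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            groups[m.group(1)] = (m.group(2), m.group(3))
            continue
        # Anything else is treated as a sub-command of the current object.
        if current is not None:
            if line.startswith("host "):
                current.host = line.split()[1]
            elif line.startswith("nat "):
                current.nats.append(line)
    return objects, aces, groups


def audit(config: str, obj_name: str, required_ports: List[int], outside_if: str = "outside") -> List[str]:
    """Return findings for publishing obj_name on required_ports; an empty list means consistent."""
    objects, aces, groups = parse(config)
    findings: List[str] = []
    obj = objects.get(obj_name)
    if obj is None:
        return [f"object network {obj_name} is not defined"]
    if not obj.nats:
        findings.append(f"{obj_name}: no nat statement, so there is no translation")
    elif len(obj.nats) > 1:
        # An object holds one nat statement; entering a second replaces the first,
        # so only the last one is active (the interface one in the poster's config).
        findings.append(f"{obj_name}: {len(obj.nats)} nat statements; only the last one is active: '{obj.nats[-1]}'")
    allowed = {(acl, port) for acl, proto, obj_ref, port in aces if obj_ref == obj_name and proto == "tcp"}
    bound = {acl for acl, (direction, intf) in groups.items() if direction == "in" and intf == outside_if}
    for port in required_ports:
        acls_for_port = {acl for acl, p in allowed if p == port}
        if not acls_for_port:
            findings.append(f"{obj_name}: no ACE permits tcp/{port} to the object")
        elif not (acls_for_port & bound):
            findings.append(f"{obj_name}: ACE for tcp/{port} is in {sorted(acls_for_port)}, not applied inbound on {outside_if}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("final", FINAL_CONFIG)):
        print(label, audit(cfg, "Webserver", [80, 8080]) or ["ok"])
```

Run against the first configuration the audit reports the duplicate nat statement and the missing 8080 ACE; against the final configuration it reports nothing. The parser only understands the three command shapes used in this thread, which is deliberate: a config linter that silently accepts unknown syntax is easy to fool, so anything it does not recognise is simply not credited as a translation or a permit.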

Thanks Karsten,

That means port 80 will be open by default, or do I have to create another new object for that?

Thanks

It's not open by default, but you already allowed it.

Remember that all you need is a translation which you have:

object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99

And the Access-list allowing access to the desired ports:

access-list outside_access_in permit tcp any object Webserver eq www
access-list outside_access_in permit tcp any object Webserver eq 8080
access-group outside_access_in in interface outside