07-29-2015 01:46 PM
07-29-2015 03:03 PM
Although if you configured what you have shown, it's not what the ASA is using. Because each object can only hold one nat-statement, only the one with the interface keyword should be active.
The ACE is ok.
07-29-2015 09:14 PM
Thanks, I will delete the nat (inside,outside) static 99.99.99.99 line and try again.
Don't we have to define NAT for our local IP with the external IP?
What is the best way to troubleshoot NAT?
07-29-2015 09:46 PM
What Karsten means to say is that if you configure two nat statements under an object like this, it will have the nat with the interface keyword as the active nat.
You can verify this via "show run nat".
In case you want to use 99.99.99.99 for the webserver, try removing the interface command and adding the static 99.99.99.99 command listed previously.
For troubleshooting NAT:
1. Check the output of "show xlate":
This will show you whether the natting is showing the correct mapping of public to private IP.
2. Debug nat:
To see the detailed logs of natting on the ASA.
In case you are still having trouble accessing the server,
a. Run this command: cap asp type asp-drop all
b. Test the server via the internet.
c. Run: show cap asp | in 192.168.1.9
This will show if there are any packets getting dropped on the firewall.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-30-2015 06:27 AM
07-30-2015 06:33 AM
07-30-2015 06:50 AM
Thanks Karsten,
That means port 80 will be open by default, or do I have to create another new object for that?
Thanks
07-30-2015 07:00 AM
It's not open by default, but you already allowed it.
Remember that all you need is a translation which you have:
object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
And the Access-list allowing access to the desired ports:
access-list outside_access_in permit tcp any object Webserver eq www
access-list outside_access_in permit tcp any object Webserver eq 8080
access-group outside_access_in in interface outside
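
The point made in this thread, that a server is reachable from outside only when it has both a translation and a matching ACL entry, can be checked offline against a saved configuration. The script below is an added example, not part of the thread and not Cisco code; the function name `published_services`, the `Mailserver` object and its address are hypothetical, and only the simple `permit tcp any object NAME eq PORT` form is parsed.

```python
import re

# Constructed sample: the thread's configuration laid out one command per line,
# plus a hypothetical second object (Mailserver) that has NAT but no ACL entry.
SAMPLE_CONFIG = """\
object network Webserver
 host 192.168.1.19
 nat (inside,outside) static 99.99.99.99
object network Mailserver
 host 192.168.1.25
 nat (inside,outside) static interface
access-list outside_access_in permit tcp any object Webserver eq www
access-list outside_access_in permit tcp any object Webserver eq 8080
access-group outside_access_in in interface outside
"""

def published_services(config, iface="outside"):
    """Return {object: {real, mapped, ports}} for static object NAT towards iface.

    ports lists what the ACL bound inbound on iface permits from 'any'. Only
    'permit tcp any object NAME eq PORT' entries are understood (narrow on purpose).
    """
    objects, acl_ports, bound_acl, current = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = objects.setdefault(m[1], {"real": None, "mapped": None})
        elif current and (m := re.match(r"\s+host (\S+)", line)):
            current["real"] = m[1]
        elif current and (m := re.match(r"\s+nat \(\S+,(\S+)\) static (\S+)", line)):
            if m[1] == iface:
                current["mapped"] = m[2]  # one nat per object, as noted in the thread
        elif m := re.match(r"access-list (\S+) (?:extended )?permit tcp any object (\S+) eq (\S+)", line):
            acl_ports.setdefault((m[1], m[2]), []).append(m[3])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            if m[2] == iface:
                bound_acl = m[1]
    return {
        name: {**obj, "ports": acl_ports.get((bound_acl, name), [])}
        for name, obj in objects.items() if obj["mapped"]
    }

if __name__ == "__main__":
    for name, svc in published_services(SAMPLE_CONFIG).items():
        print(name, svc["real"], "->", svc["mapped"], "tcp:", svc["ports"] or "none permitted")
```

An object that appears with an empty port list is translated but not permitted by the inbound ACL, which is the "not open by default" case described above.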