Static translations not working

Jan 21st, 2009

I have configured some static translations for my new ASA 5510 which is on our new internet circuit. For some reason, I see hits on my ACL but get no response from internal hosts. I get hits on my inbound ACL but still no response on the other end. Anyone have any ideas to help me? I called Cisco and according to TAC my configuration is correct. I'm not sure what to do.

Tshi M Wed, 01/21/2009 - 12:50

Do you mind posting the relevant config and also the sh xlate? Have you used ASDM to trace the packets?

chevymannie Wed, 01/21/2009 - 12:55

static (inside,outside) tcp 66.x.x.67 smtp 192.168.0.x smtp netmask 255.255.255.255

static (inside,outside) tcp 66.x.x.67 www 192.168.0.x www netmask 255.255.255.255

static (inside,outside) tcp 66.x.x.67 https 192.168.0.x https netmask 255.255.255.255

static (dmz,outside) tcp 66.x.x.68 www 66.x.x.68 www netmask 255.255.255.255

static (dmz,outside) tcp 66.x.x.68 ftp 66.x.x.68 ftp netmask 255.255.255.255

static (inside,outside) tcp 192.168.0.x 3389 66.x.x.69 3389 netmask 255.255.255.255

global (outside) 1 interface

global (dmz) 1 interface

access-list inbound extended permit tcp any host 66.x.x.67 eq smtp

access-list inbound extended permit tcp any host 66.x.x.67 eq www

access-list inbound extended permit tcp any host 66.x.x.67 eq https

access-list inbound extended permit tcp any host 66.x.x.68 eq www

access-list inbound extended permit tcp any host 66.x.x.68 eq ftp

access-list inbound extended permit tcp any host 66.x.x.69 eq 3389

PAT Global 66.x.x.67(25) Local 192.168.0.x(25)

PAT Global 66.x.x.67(80) Local 192.168.0.x(80)

PAT Global 66.x.x.67(443) Local 192.168.0.x(443)

PAT Global 66.x.x.68(80) Local 66.x.x.68(80)

PAT Global 66.x.x.68(21) Local 66.x.x.68(21)

PAT Global 192.168.0.213(3389) Local 66.x.x.69(3389)

I'm not too concerned about the DMZ right now; I'm just trying to get the rest working first.

Tshi M Wed, 01/21/2009 - 13:07

I am going to assume that you have nat (inside) 1 configured as well?

Can you access the Internet from that ASA?

chevymannie Wed, 01/21/2009 - 13:10

Yes and the last static entry isn't a concern to me right now. The first few are.

Tshi M Wed, 01/21/2009 - 13:30

I surely understand your frustration. From what you posted, your config looks good to me as well. Is your inside switch using PBR? Could you please post your sh access-list?

regards,
