Static translations not working

chevymannie
Level 1

I have configured some static translations for my new ASA 5510, which is on our new internet circuit. For some reason, I see hits on my ACL but get no response from internal hosts. I get hits on my inbound ACL but still no response on the other end. Anyone have any ideas to help me? I called Cisco and according to TAC my configuration is correct. I'm not sure what to do.

6 Replies

Tshi M
Level 5

Do you mind posting the relevant config and also the sh xlate? Have you used ASDM to trace the packets?

static (inside,outside) tcp 66.x.x.67 smtp 192.168.0.x smtp netmask 255.255.255.255

static (inside,outside) tcp 66.x.x.67 www 192.168.0.x www netmask 255.255.255.255

static (inside,outside) tcp 66.x.x.67 https 192.168.0.x https netmask 255.255.255.255

static (dmz,outside) tcp 66.x.x.68 www 66.x.x.68 www netmask 255.255.255.255

static (dmz,outside) tcp 66.x.x.68 ftp 66.x.x.68 ftp netmask 255.255.255.255

static (inside,outside) tcp 192.168.0.x 3389 66.x.x.69 3389 netmask 255.255.255.255

global (outside) 1 interface

global (dmz) 1 interface

access-list inbound extended permit tcp any host 66.x.x.67 eq smtp

access-list inbound extended permit tcp any host 66.x.x.67 eq www

access-list inbound extended permit tcp any host 66.x.x.67 eq https

access-list inbound extended permit tcp any host 66.x.x.68 eq www

access-list inbound extended permit tcp any host 66.x.x.68 eq ftp

access-list inbound extended permit tcp any host 66.x.x.69 eq 3389

PAT Global 66.x.x.67(25) Local 192.168.0.x(25)

PAT Global 66.x.x.67(80) Local 192.168.0.x(80)

PAT Global 66.x.x.67(443) Local 192.168.0.x(443)

PAT Global 66.x.x.68(80) Local 66.x.x.68(80)

PAT Global 66.x.x.68(21) Local 66.x.x.68(21)

PAT Global 192.168.0.213(3389) Local 66.x.x.69(3389)

I'm not too concerned about the DMZ right now; I'm just trying to get the rest working first.

I will start by fixing your last static entry.

I am going to assume that you have nat (inside) 1 configured as well?

Can you access the Internet from that ASA?

Yes and the last static entry isn't a concern to me right now. The first few are.

I surely understand your frustration. From what you posted, your config looks good to me as well. Is your inside switch using PBR? Could you please post your sh access-list?

regards,
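
A consistency check for the configuration posted in this thread, as an added example that is not part of the original posts: it reports ACL permits with no static translation behind them, and static translations that no permit reaches. It assumes the pre-8.3 ASA `static` syntax, where the mapped (global) address and port come before the real (local) ones, and that the `inbound` ACL is applied to the outside interface, which the thread does not show.

```python
import re

# Constructed input: the static and access-list lines quoted in the thread,
# with the poster's redacted "x" octets kept as literal text.
CONFIG = """\
static (inside,outside) tcp 66.x.x.67 smtp 192.168.0.x smtp netmask 255.255.255.255
static (inside,outside) tcp 66.x.x.67 www 192.168.0.x www netmask 255.255.255.255
static (inside,outside) tcp 66.x.x.67 https 192.168.0.x https netmask 255.255.255.255
static (dmz,outside) tcp 66.x.x.68 www 66.x.x.68 www netmask 255.255.255.255
static (dmz,outside) tcp 66.x.x.68 ftp 66.x.x.68 ftp netmask 255.255.255.255
static (inside,outside) tcp 192.168.0.x 3389 66.x.x.69 3389 netmask 255.255.255.255
access-list inbound extended permit tcp any host 66.x.x.67 eq smtp
access-list inbound extended permit tcp any host 66.x.x.67 eq www
access-list inbound extended permit tcp any host 66.x.x.67 eq https
access-list inbound extended permit tcp any host 66.x.x.68 eq www
access-list inbound extended permit tcp any host 66.x.x.68 eq ftp
access-list inbound extended permit tcp any host 66.x.x.69 eq 3389
"""

# Port keywords that appear in the thread, with the numbers its xlate output shows.
PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21}
# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port ...
STATIC = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
PERMIT = re.compile(r"access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")

def port(token):
    return PORTS[token] if token in PORTS else int(token)

def parse(config):
    """Return (mapped, permits): sets of (proto, address, port) tuples."""
    mapped, permits = set(), set()
    for line in config.splitlines():
        if m := STATIC.match(line.strip()):
            mapped.add((m[3], m[4], port(m[5])))
        elif m := PERMIT.match(line.strip()):
            permits.add((m[1], m[2], port(m[3])))
    return mapped, permits

def audit(config):
    """Flag ACL permits with no static behind them, and statics no permit reaches."""
    mapped, permits = parse(config)
    findings = [("permit_without_static", *p) for p in sorted(permits - mapped)]
    findings += [("static_without_permit", *s) for s in sorted(mapped - permits)]
    return findings

if __name__ == "__main__":
    for kind, proto, addr, prt in audit(CONFIG):
        print(f"{kind}: {proto} {addr}:{prt}")
```

On the posted lines, both findings concern the 3389 entry: the ACL permits 66.x.x.69, while the static's mapped side is 192.168.0.x, which agrees with the `sh xlate` line listing 192.168.0.213 as the Global address.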
