ASA5520: NAT configured but still cannot access inside webserver from outside

Unanswered Question
Feb 11th, 2009

Webserver Real Inside address:

Webserver static translation address: 999.25.160.166.

I can ping 999.25.160.166 from the Internet and reach server 999.25.160.166 by remote desktop on port 3389.

But I cannot reach server 999.25.160.166 over the web, and I am sure the web service on 999.25.160.166 is OK; I can reach the server over the web from inside.

My configuration:

ASA Version 7.2(4)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 999.25.160.165

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address

boot system disk0:/asa724--k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
access-list inside_access_in extended permit ip host any
access-list inside_access_in extended permit ip
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in extended permit tcp any host 999.25.160.164 eq 81
access-list outside_access_in extended permit ip any host 999.25.160.166
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
ip local pool vpnpool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface 3389 3389 netmask
static (inside,outside) tcp 999.25.160.164 81 81 netmask
static (inside,outside) tcp interface telnet telnet netmask
static (inside,outside) 999.25.160.166 netmask
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 999.25.160.161 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

service-policy global_policy global
prompt hostname context

: end

Thanks for any suggestions.

Jithesh K Joy Wed, 02/11/2009 - 19:57


Your NATing & access-list are good.

Please add http inspection to the policy-map global_policy.

policy-map global_policy
 class inspection_default
  inspect http
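The reply above says the access-list is fine. One way to confirm the ACL half of that offline, as an added example (not code from the thread or from Cisco): a first-match evaluator over the four outside_access_in lines from the posted configuration. The names `parse_ace` and `evaluate` and the client address 203.0.113.10 are made up for illustration; `interface outside` is resolved to 999.25.160.165 as shown in the post.

```python
# The four outside_access_in lines, copied from the posted configuration.
ACL = """\
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq telnet
access-list outside_access_in extended permit tcp any host 999.25.160.164 eq 81
access-list outside_access_in extended permit ip any host 999.25.160.166
"""
OUTSIDE_IP = "999.25.160.165"  # 'ip address' of GigabitEthernet0/0 in the post
NAMED_PORTS = {"telnet": 23, "www": 80, "https": 443}

def parse_ace(line):
    """Parse one extended ACE of the shapes used in the post (hypothetical helper)."""
    t = line.split()
    action, proto = t[3], t[4]

    def addr(i):
        if t[i] == "any":
            return None, i + 1          # None means "matches any address"
        if t[i] == "host":
            return t[i + 1], i + 2
        if t[i] == "interface":         # only 'interface outside' occurs here
            return OUTSIDE_IP, i + 2
        raise ValueError(f"unsupported address form: {t[i]}")

    src, i = addr(5)
    dst, i = addr(i)
    port = None
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        port = int(p) if p.isdigit() else NAMED_PORTS[p]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "line": line}

def evaluate(acl_text, proto, src, dst, dport):
    """First match wins; no match falls through to the implicit deny.
    On ASA 7.2 the outside ACL is matched against the translated address."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["src"] not in (None, src) or ace["dst"] not in (None, dst):
            continue
        if ace["port"] not in (None, dport):
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny"

if __name__ == "__main__":
    for flow in [("tcp", "203.0.113.10", "999.25.160.166", 80),
                 ("tcp", "203.0.113.10", "999.25.160.164", 80)]:
        print(flow, "->", evaluate(ACL, *flow))
```

The TCP/80 flow to 999.25.160.166 is permitted by the `permit ip any host 999.25.160.166` line, which also admits every other protocol and port to that translated address.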



