ASA 5505 Port Forwarding, NAT error

support
Level 1

Hi.

I am trying to configure port forwarding on an ASA 5505.

Inside is an SBS 2008 that needs to be reached from the outside on ports 25, 80, 443 and 987.

I am using ASDM to configure, but running Packet Tracer gives a NAT error that drives me crazy. See attachments for error and configuration.

Running Config is:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
names
name 192.168.1.101 SBS2008 description SBS 2008 server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 82.xxx.xxx.xxx 255.255.255.248
!
interface Vlan12
 no forward interface Vlan1
 nameif dmz
 security-level 10
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 217.144.239.98
 name-server 82.xxx.xxx.xxx
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.128
access-list outside_access_in remark Open http for SBS 2008
access-list outside_access_in extended permit tcp any host SBS2008 eq www
access-list outside_access_in remark Open for Companyweb on SBS2008
access-list outside_access_in extended permit tcp any host SBS2008 eq 987
access-list outside_access_in remark Open SMTP to SBS2008
access-list outside_access_in extended permit tcp any host SBS2008 eq smtp
access-list outside_access_in remark Open https to SBS 2008
access-list outside_access_in extended permit tcp any host SBS2008 eq https
pager lines 24
....
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp SBS2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SBS2008 www netmask 255.255.255.255
static (inside,outside) tcp interface https SBS2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 987 SBS2008 987 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 82.xxx.xxx.xxx 1
timeout xlate 3:00:00

Can someone help?

Best regards NAN

4 Replies

celiocarreto
Level 1

Hi,

remove

nat (inside) 0 access-list inside_nat0_outbound

maybe it helps. This No_Nat-rule makes no sense, because the network mentioned in the acl is part of the inside network.

The rest of your config seems to be correct.

Regards, Celio

Thanks for a quick answer, Celio!

In ASDM, which rule to remove?

I am not good at the commands.

Regards NAN

Hi.

I have removed the rule nat (inside) 0 access-list inside_nat0_outbound, but still the same error.

Desperately need help.

NAN

SOLVED

In the ACL, changed from SBS2008 to the external address.

This solved the problem.
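
The fix above follows from how ASA software before 8.3 works: an interface ACL is matched against the mapped (post-NAT) destination, so a permit that names the inside host never matches forwarded traffic. As an added example (not from the thread), this Python check flags such entries in a pre-8.3 configuration; the sample config is constructed, 203.0.113.2 is a documentation address standing in for the masked outside IP, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the ASA 7.2 config in this thread; 203.0.113.2
# is a documentation address standing in for the masked outside IP.
SAMPLE = """\
name 192.168.1.101 SBS2008 description SBS 2008 server
access-list outside_access_in extended permit tcp any host SBS2008 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any host SBS2008 eq 987
static (inside,outside) tcp interface smtp SBS2008 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SBS2008 www netmask 255.255.255.255
static (inside,outside) tcp interface https SBS2008 https netmask 255.255.255.255
static (inside,outside) tcp interface 987 SBS2008 987 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

NAME = re.compile(r"name (\S+) (\S+)")
STATIC = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACE = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")
PORTS = {"smtp": "25", "www": "80", "https": "443"}  # ASA keywords used here


def audit(config):
    """Return (acl, host, port) for each permit entry whose destination is the
    real (pre-NAT) address of a static PAT rather than its mapped address."""
    lines = [line.strip() for line in config.splitlines()]
    found = lambda rx: [m.groups() for m in map(rx.match, lines) if m]
    names = {name: ip for ip, name in found(NAME)}
    ip = lambda token: names.get(token, token)
    port = lambda token: PORTS.get(token, token)
    bound = dict(found(GROUP))  # ACL name -> interface it filters inbound
    # (mapped interface, real IP, real port) for statics that change the address
    hidden = {(mapped_if, ip(real), port(rport))
              for _, mapped_if, mapped, _, real, rport in found(STATIC)
              if ip(mapped) != ip(real)}
    return [(acl, dst, dport) for acl, dst, dport in found(ACE)
            if (bound.get(acl), ip(dst), port(dport)) in hidden]


if __name__ == "__main__":
    for acl, dst, dport in audit(SAMPLE):
        print(f"{acl}: 'host {dst} eq {dport}' names the real address; "
              "on pre-8.3 ASA the ACL must match the mapped address")
```

Entries written against the outside address, or with `interface outside` as the destination, pass the check.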
