Cannot get Alias or Static NAT inside to work

Answered Question

OK, so I have a web server with an internal IP of 10.x.x.x, and it has a static NAT to the outside with a public 216.x.x.x address on the ASA. My internal hosts cannot access it via the public address, so I tried to NAT it like this:

static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255

It did not work, so I did:

alias (inside) 216.x.x.x 10.x.x.x 255.255.255.255


Now I can ping it from an inside host, but I still cannot access http://216.x.x.x. When I ping 216.x.x.x, it replies with the 10.x.x.x address.


If I put http://10.x.x.x, it works fine.


It is an ASA 5510 Security+ on 8.21.

Correct Answer
acomiskey Wed, 08/05/2009 - 08:18

same-security-traffic permit intra-interface

static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0

OK, the static command works to replace the alias. I had the same security permit intra and inter interface, changed the inside NAT pool from 0 to 1, and it is working: I can ping and HTTP.


Will this affect my outbound identity addresses? For example, if I have a web filter outside the ASA, will it now see all traffic coming from the ASA interface instead of the identity of the client PC?


I wasn't doing any NAT overload on the ASA; there is a router from the ISP doing that from their IP pool. I was just doing identity NAT.

acomiskey Wed, 08/05/2009 - 10:16

"will this affect my outbound identity addresses?"


-No. Only traffic from inside to inside is affected.

acomiskey Wed, 08/05/2009 - 10:48

Post your nat/global config please.


You should be able to leave your existing nat 0 then add...


nat (inside) 1 0 0

global (inside) 1 interface

global (inside) 1 interface

nat (management) 0 0.0.0.0 0.0.0.0

nat (inside) 0 0.0.0.0 0.0.0.0

static (inside,outside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.45 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.43 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.46 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.44 netmask 255.255.255.255

static (inside,outside) 216.x.x.x 10.17.1.33 netmask 255.255.255.255

static (inside,inside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255


If I change to

nat (inside) 1 0 0

I can't get to the internet on any hosts that don't have a static. I don't really want to overload on my outside interface on the ASA, because I have a FatPipe for load balancing outside the ASA and a web filter.
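An added example, not part of the thread and not Cisco tooling: a small Python check that reads pre-8.3 ASA configuration text and reports which of the pieces from the accepted answer are absent for a given interface, plus which published servers have no (inside,inside) static. The function name, the sample configs and the 203.0.113.x addresses are constructed for illustration.

```python
import re

STATIC = re.compile(r"^static \(([^,]+),([^)]+)\) (\S+) (\S+)")
POOL = re.compile(r"^(nat|global) \(([^)]+)\) (\d+) ")

def hairpin_report(config, ifc="inside"):
    """Check pre-8.3 ASA config text for the pieces listed in the accepted answer."""
    lines = [l.strip() for l in config.splitlines()]
    missing = []
    if "same-security-traffic permit intra-interface" not in lines:
        missing.append("same-security-traffic permit intra-interface")
    nat_ids, global_ids = set(), set()
    hairpinned, published = set(), set()
    for line in lines:
        m = POOL.match(line)
        if m and m.group(2) == ifc and m.group(3) != "0":  # nat 0 is identity NAT, not a pool id
            (nat_ids if m.group(1) == "nat" else global_ids).add(m.group(3))
        m = STATIC.match(line)
        if m and m.group(1) == ifc:
            pair = (m.group(3), m.group(4))  # (mapped address, real address)
            (hairpinned if m.group(2) == ifc else published).add(pair)
    if not nat_ids & global_ids:
        missing.append(f"nat ({ifc}) N with a matching global ({ifc}) N")
    if not hairpinned:
        missing.append(f"static ({ifc},{ifc}) <mapped> <real>")
    # Servers published to another interface but lacking a hairpin static
    return {"missing": missing, "not_hairpinned": sorted(published - hairpinned)}

# Constructed sample shaped like the config posted in the thread (identity NAT only)
AS_POSTED = """\
global (inside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.10 10.17.1.42 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.17.1.45 netmask 255.255.255.255
static (inside,inside) 203.0.113.10 10.17.1.42 netmask 255.255.255.255
"""

# Constructed sample with the accepted answer's four lines in place
WITH_ANSWER = """\
same-security-traffic permit intra-interface
global (inside) 1 interface
nat (inside) 1 0 0
static (inside,outside) 203.0.113.10 10.17.1.42 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 10.17.1.45 netmask 255.255.255.255
static (inside,inside) 203.0.113.10 10.17.1.42 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("with answer", WITH_ANSWER)):
        print(name, hairpin_report(cfg))
```

The check only looks for the presence of the lines; it does not model NAT rule ordering or whether outbound traffic still has a usable translation.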
