cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2739
Views
0
Helpful
10
Replies

Port Forwarding

johnson955
Level 1
Level 1

I have read the documentation and tried many things.

All i want currently is to forward port 80 to an internal webserver.

I use logmein to access my home pc to the test the connection.

The log file just says

TCP access denied by ACL from xx.xx.xx.143 to outside xx.xx.xx.195/80

I can access the internet from the internal computer just fine.

I also have it working with the webvpn.

I am not a Cisco person so i prefer working through the ASDM

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name bongards.com
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
nameif inside
security-level 99
ip address 192.168.1.38 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.28.106.195 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.27
name-server 192.168.1.37
domain-name bongards.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-152.152.152.0
subnet 152.152.152.0 255.255.255.0
object network NETWORK_OBJ_152.152.152.0_24
subnet 152.152.152.0 255.255.255.0
object network A_12.28.106.194
host 12.28.106.194
object network A_12.28.106.196
host 12.28.106.196
object network A_
object network PatronPage
host 192.168.1.25
description Web Server
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PP
host 12.28.106.195
description PP
access-list vpngrp1_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 152.152.152.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 152.152.152.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside any
access-list inside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 any
access-list inside_access_in extended permit ip 152.152.152.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 152.152.152.0 255.255.255.0
access-list inside_access_in extended permit ip any 30.30.30.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any object PP eq www
access-list outside_access_in extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any 152.152.152.0 255.255.255.0
access-list outside_access_in extended permit tcp interface inside any eq www inactive
access-list outside_access_in extended permit tcp any object PatronPage eq www
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any object PP eq www
access-list outside_access_in extended permit ip any object PP
access-list outside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpngrp2_splitTunnelAcl standard permit any
access-list global_access extended permit tcp any interface outside eq www
access-list global_access extended permit icmp interface inside interface inside
access-list global_access extended permit tcp object PatronPage any eq www
access-list test extended permit ip any interface outside
access-list test2 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Vpn 152.152.152.1-152.152.152.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,any) source static any any destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24
nat (any,inside) source static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24 dns
nat (inside,inside) source static any any
!
object network PP
nat (outside,inside) dynamic PatronPage
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 12.28.106.193 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 4
route inside 20.20.20.0 255.255.255.0 192.168.1.1 3
route inside 30.30.30.0 255.255.255.0 30.30.30.1 2
route outside 0.0.0.0 0.0.0.0 192.168.1.38 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 180
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.39-192.168.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
csd image disk0:/csd_3.4.2048.pkg
csd enable
port-forward RDP 3369 appserver2.bongards.com 3369 RDP
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_nat0_outbound
intercept-dhcp 255.255.255.0 enable
ip-phone-bypass enable
leap-bypass enable
nem enable
webvpn
  svc firewall-rule client-interface public value inside_nat0_outbound
  svc firewall-rule client-interface private value inside_nat0_outbound
group-policy vpngrp2 internal
group-policy vpngrp2 attributes
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngrp2_splitTunnelAcl
default-domain value bongards.com
webvpn
  customization value DfltCustomization
group-policy remotevpn internal
group-policy remotevpn attributes
wins-server value 192.168.1.25 192.168.1.37
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec svc
default-domain value bongards.com
group-policy remote internal
group-policy remote attributes
wins-server value 192.168.1.37
dns-server value 192.168.1.37 192.168.1.27
vpn-tunnel-protocol IPSec
default-domain value bongards.com
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
wins-server value 192.168.1.25 192.168.1.37
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec
default-domain value bongards.com
username georgej password 7qWTAlO19tqEYnAV encrypted
username georgej attributes
vpn-group-policy DfltGrpPolicy
webvpn
  url-list value Admin
  customization value DfltCustomization
  sso-server none
username remotevpn password 5C9zA4WCqZXiXFOz encrypted
username Shoplogix password ux7PTSQq6U0mPa19 encrypted
username Shoplogix attributes
service-type remote-access
webvpn
  url-entry disable
  url-list value Shoplogix
  customization value DfltCustomization
username justinr password uXkNnGqn9C7DQcsV encrypted privilege 0
username justinr attributes
vpn-group-policy DfltGrpPolicy
webvpn
  file-browsing enable
  file-entry enable
  hidden-shares none
  url-list value Admin
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group vpngrp2 type remote-access
tunnel-group vpngrp2 general-attributes
address-pool Vpn
default-group-policy vpngrp2
tunnel-group vpngrp2 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
address-pool Vpn
tunnel-group CiscoVPN ipsec-attributes
pre-shared-key *****
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool Vpn
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool Vpn
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e7d1deeafe86c0caffbef7fda584321d
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
10 Replies 10

Allen P Chen
Level 5
Level 5

Hello,

What is the IP address of your internal web server?  Is it 192.168.1.25?  From the outside, what IP address are you accessing in attempt to reach your internal web server?

Please advise.

I believe you need the following added to the config - assuming 192.168.1.25 is the webserver.

object network PatronPage
nat(inside,outside) static interface service tcp 80 80

access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www

-KS

When i tried to add

object network PatronPage
nat(inside,outside) static interface service tcp 80 80

i got an error message

the command

access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www


did go through and the packet tracer now says it is successful.

But when i remote my home pc and try to access the webpage via

http://12.28.106.195/DSIWeb

i get the log veiwer saying TCP access denied by ACL from xx.xx.xxx.143/59282 to outside:12.28.106.195/80

Also just FYI when i am testing the webpage i am changing the gateway of the webserver from 192.168.1.1 to 192.168.1.38 which is the internal ip of the cisco box.

When it is set to 192.168.1.1 the webpage can be access from http://bongardscheese.com/DSIWeb, which is our old firewall we want to replace.

What error did you get? Could you pls. copy and past that error?

Also, what is the reason for this line in the config?

nat (inside,inside) source static any any

can you remove this line and try?

-KS

Result of the command: "object network PatronPage"

The command has been sent to the device


Result of the command: "nat(inside,outside) static interface service tcp 80 80"

nat(inside,outside) static interface service tcp 80 80
   ^
ERROR: % Invalid input detected at '^' marker.

I removed the inside, inside rule.

3    Sep 14 2010    09:44:58    710003    xx.xx.xxx.143    61000    12.28.106.195    80    TCP access denied by ACL from xx.xx.xxx.143/61000 to outside:12.28.106.195/80

My config is now

: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name bongards.com
enable password 1rEyPzDTxdq.gL.M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 99
ip address 192.168.1.38 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.28.106.195 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.27
name-server 192.168.1.37
domain-name bongards.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-152.152.152.0
subnet 152.152.152.0 255.255.255.0
object network NETWORK_OBJ_152.152.152.0_24
subnet 152.152.152.0 255.255.255.0
object network A_12.28.106.194
host 12.28.106.194
object network A_12.28.106.196
host 12.28.106.196
object network A_
object network PatronPage
host 192.168.1.25
description Web Server
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network PP
host 12.28.106.195
description PP
access-list vpngrp1_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 152.152.152.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 152.152.152.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface inside any
access-list inside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 any
access-list inside_access_in extended permit ip 152.152.152.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 152.152.152.0 255.255.255.0
access-list inside_access_in extended permit ip any 30.30.30.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any object PP eq www
access-list outside_access_in extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any 152.152.152.0 255.255.255.0
access-list outside_access_in extended permit tcp interface inside any eq www inactive
access-list outside_access_in extended permit tcp any object PatronPage eq www
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any object PP eq www
access-list outside_access_in extended permit ip any object PP
access-list outside_access_in extended permit tcp any host 192.168.1.25 eq www
access-list outside_nat0_outbound extended permit ip 152.152.152.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpngrp2_splitTunnelAcl standard permit any
access-list global_access extended permit tcp any interface outside eq www
access-list global_access extended permit icmp interface inside interface inside
access-list global_access extended permit tcp object PatronPage any eq www
access-list test extended permit ip any interface outside
access-list test2 standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Vpn 152.152.152.1-152.152.152.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,any) source static any any destination static obj-152.152.152.0 obj-152.152.152.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24
nat (any,inside) source static NETWORK_OBJ_152.152.152.0_24 NETWORK_OBJ_152.152.152.0_24 dns
!
object network PP
nat (outside,inside) dynamic PatronPage
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 12.28.106.193 1
route inside 10.10.10.0 255.255.255.0 192.168.1.1 4
route inside 20.20.20.0 255.255.255.0 192.168.1.1 3
route inside 30.30.30.0 255.255.255.0 30.30.30.1 2
route outside 0.0.0.0 0.0.0.0 192.168.1.38 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 180
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.39-192.168.1.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
csd image disk0:/csd_3.4.2048.pkg
csd enable
port-forward RDP 3369 appserver2.bongards.com 3369 RDP
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_nat0_outbound
intercept-dhcp 255.255.255.0 enable
ip-phone-bypass enable
leap-bypass enable
nem enable
webvpn
  svc firewall-rule client-interface public value inside_nat0_outbound
  svc firewall-rule client-interface private value inside_nat0_outbound
group-policy vpngrp2 internal
group-policy vpngrp2 attributes
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpngrp2_splitTunnelAcl
default-domain value bongards.com
webvpn
  customization value DfltCustomization
group-policy remotevpn internal
group-policy remotevpn attributes
wins-server value 192.168.1.25 192.168.1.37
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec svc
default-domain value bongards.com
group-policy remote internal
group-policy remote attributes
wins-server value 192.168.1.37
dns-server value 192.168.1.37 192.168.1.27
vpn-tunnel-protocol IPSec
default-domain value bongards.com
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
wins-server value 192.168.1.25 192.168.1.37
dns-server value 192.168.1.27 192.168.1.37
vpn-tunnel-protocol IPSec
default-domain value bongards.com
username georgej password 7qWTAlO19tqEYnAV encrypted
username georgej attributes
vpn-group-policy DfltGrpPolicy
webvpn
  url-list value Admin
  customization value DfltCustomization
  sso-server none
username remotevpn password 5C9zA4WCqZXiXFOz encrypted
username Shoplogix password ux7PTSQq6U0mPa19 encrypted
username Shoplogix attributes
service-type remote-access
webvpn
  url-entry disable
  url-list value Shoplogix
  customization value DfltCustomization
username justinr password uXkNnGqn9C7DQcsV encrypted privilege 0
username justinr attributes
vpn-group-policy DfltGrpPolicy
webvpn
  file-browsing enable
  file-entry enable
  hidden-shares none
  url-list value Admin
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group vpngrp2 type remote-access
tunnel-group vpngrp2 general-attributes
address-pool Vpn
default-group-policy vpngrp2
tunnel-group vpngrp2 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoVPN type remote-access
tunnel-group CiscoVPN general-attributes
address-pool Vpn
tunnel-group CiscoVPN ipsec-attributes
pre-shared-key *****
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool Vpn
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
tunnel-group remote type remote-access
tunnel-group remote general-attributes
address-pool Vpn
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7d0ac7a4d66fe2f247fa83f70aeeecd3
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

There needs to be a space between the nat and the "(".  For example:

nat (inside,outside) static interface service tcp 80 80

Please give that a try.

I will give it a try tomorrow the web server is starting to not play nice with anything.

I would like to make sure that if the cisco config is right it will actually work, hate to find out my config was right but never worked because it was the server.

Finally been able to get back to working on this.

The error i get when trying to add that line to the asa is this

Result of the command: "nat (inside,outside) static interface service tcp 80 80"

nat (inside,outside) static interface service tcp 80 80
                              ^
ERROR: % Invalid input detected at '^' marker.

You need to define the static nat within the object:

object network PatronPage
nat (inside,outside) static interface service tcp 80 80

Please give that a try, thanks.

Wow i got it working, i followed the directions at

http://www.gregledet.net/?p=537

What i had missed was the Advanced Nat Settings, i think thats what the command we where trying to do CLI would have done.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: