CISCO ASA 8.3 : Public Servers

Unanswered Question
Sep 27th, 2010


I have a problem with the configuration of ASA 8.3 to publish internal servers on the outside interface with the Public Servers feature.

In fact I have a pool of public IP addresses from my ISP. The first one is used by the outside interface on the ASA. I want to use the other IPs to reach internal servers on my LAN.

For example: --> ASA outside interface (WAN) --> inside interface (LAN) --> ASA --> (Web server HTTP/HTTPS) --> ASA --> (FTP server) --> ASA --> (Remote Desktop 3389)

I've configured the Public Servers feature like this (example for one server):

Private interface: inside

Private address:

Private service: RDP (TCP 3389)

Public interface: outside

Public address:

This feature automatically adds some rules (a static NAT rule and an access rule), so I think the configuration is correct.

BUT it doesn't work. I have no answer from it; the RDP connection doesn't work and it's the same for ping.

Thanks for your help resolving this issue!!!

Jitendriya Athavale Mon, 09/27/2010 - 06:33

Could you please paste the NAT config? Paste the output of the command

sh run nat

Also check the access-list on the outside: in 8.3 and above, when you add an access-list you need to permit the real IPs and not the translated IPs.

Since you have a real IP on the outside as well, I think you must have done it right, but in any case, if you have used the same IP in order to hide the public IP, then please check the access-list as well.

anthonymedaglia Mon, 09/27/2010 - 06:52

Thanks for your reply.

The access rule is:

access-list outside_access extended permit ip any host --> It's the correct LAN address

(This rule accepts all IP traffic for now, for testing.)

The NAT configuration is:

object network PublicServer_NAT2

nat (inside,outside) static A_195.10.10.4 --> The correct public address

I tested the config with the Packet Tracer included in ASDM and the result is good: the packet is allowed.

So I don't understand the issue.

Thanks a lot.

Jitendriya Athavale Mon, 09/27/2010 - 07:23

Can you collect some captures? Also, if you have other statics, are they working fine?

Check if you have this command by issuing the command show run all sysopt:

no sysopt noproxyarp outside

From the server, see if you can ping outside (basically check if you can get out when you initiate from inside from this server).

Also collect captures on the outside interface and see if you see packets going out from and coming to the firewall for this particular IP,

for example:

capture capout interface outside match ip host host

anthonymedaglia Mon, 09/27/2010 - 07:51


I don't understand the aim of the show run all sysopt command, but the result is:

Result of the command: "show run all sysopt"

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside

In log monitoring I have no trace of any connection on

I tried your suggestion about pinging from and you are right, the server doesn't ping. In fact it's due to the Public Servers configuration, because in log monitoring I see: Built outbound ICMP connection for faddr gaddr laddr (it's a ping to Google; faddr is Google's address).

The server tries to connect to the internet with the public address; does it use the static NAT from the Public Servers configuration?

Thanks a lot.

Jitendriya Athavale Mon, 09/27/2010 - 09:04

Hi Anthony,

I am not sure if I understood you right, please correct me if I am wrong.

You have pinged from outside to , which is on the inside.

What I would like you to do is try to ping from to the outside and capture the traffic flow; this will confirm whether the static NAT is working fine.

Also, on the upstream device, check the ARP entry for this IP and see if it is the firewall's MAC address; if not, try hard-coding it (this step only if you see packets leaving and not coming back in your captures).

anthonymedaglia Mon, 09/27/2010 - 09:19

Thanks for your reply, but I resolved the problem myself.

In fact I manually added a static ARP entry to link my public IP address to the MAC address of my WAN interface.

Now it's working!!!!
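The ASA 8.3 side of the setup discussed in this thread, assembled into one fragment as an added example (it is not the poster's configuration). It assumes the inside server is 10.1.1.10, the public address is 195.10.10.4 (the address embedded in the thread's object name), and the outside interface MAC is 0011.2233.4455.

```cisco
! Added example, not the poster's config. Assumed: inside server 10.1.1.10,
! public address 195.10.10.4, ASA outside MAC 0011.2233.4455.
!
! Object NAT (8.3 syntax): the mapped address is attached to the object.
object network PublicServer_NAT2
 host 10.1.1.10
 nat (inside,outside) static 195.10.10.4
!
! In 8.3+ the interface ACL is checked against the real (untranslated)
! address, so it names 10.1.1.10, not 195.10.10.4. Narrowed to RDP instead
! of the "permit ip any" used during testing in the thread.
access-list outside_access extended permit tcp any host 10.1.1.10 eq 3389
access-group outside_access in interface outside
!
! Proxy ARP for mapped addresses must stay enabled on outside; this is the
! default and matches the "show run all sysopt" output posted above.
no sysopt noproxyarp outside
!
! Verification from the ASA: simulate an inbound RDP packet from an
! assumed external client, then capture traffic for the mapped address.
packet-tracer input outside tcp 203.0.113.9 40000 195.10.10.4 3389
capture capout interface outside match ip host 195.10.10.4 any
show capture capout
!
! If the capture shows packets leaving but nothing coming back, the
! upstream router is not resolving 195.10.10.4 to the ASA's outside MAC.
! On a Cisco IOS upstream router (assumed device) a static entry would be:
!   arp 195.10.10.4 0011.2233.4455 arpa
```

If packet-tracer reports the packet as allowed but the capture never shows an inbound packet for 195.10.10.4, the problem lies outside the ASA's NAT and ACL configuration, which is what the upstream ARP check in this thread confirmed.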