08-02-2011 11:22 PM - edited 03-11-2019 02:06 PM
I tried the solution posted at https://supportforums.cisco.com/message/3390056#3390056, however it did not work on my ASA5505 8.4(2). I thought that it may be because I only have a single public address, so the web server is responding to port forwarding through the one public IP already. Looking in ASDM, it appears to indicate that a configured access list is blocking the server from responding to the internal hosts.
object network Private_IP
host 192.168.1.15
object network Public_IP
host 1.1.1.1
object-group network internal_net
network-object 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic internal_net interface destination static Public_IP Private_IP
object network obj_any
nat (inside,outside) dynamic interface
object network Private_IP
nat (inside,outside) static interface service tcp www www
access-group outside_access_in in interface outside
Can I fix an access list (or something) to make this work or am I wishing for too much with only one public IP? This worked by default on my Netgear firewall.
Thanks,
08-02-2011 11:30 PM
Hi Joe,
You would also need the command:
same-security-traffic permit intra-interface
Could you also provide an output of show run from your firewall.
Thanks,
Varun
08-03-2011 07:27 AM
Rao,
Thanks much. That did fix the problem for the internal host, however it cut off the external too. I can play with the internal range and try to see if that fixes it. I could post the full sh run but it takes some time to change all the sensitive stuff - maybe this evening if I still don't have it working.
Thanks,
Joe
08-03-2011 08:37 AM
Sure Joe, let me know if you get stuck anywhere, or else you can just provide me these outputs:
show run nat
show run access-list
show run access-group
show run same
This would be enough.
Thanks,
Varun
08-03-2011 06:28 PM
Varun,
It worked like a champ this time and this is what I did basically:
object network Private_IP
host 192.168.1.15
object network Public_IP
host 1.1.1.1
object network dhcp_range
range 192.168.1.1 192.168.1.32
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
nat (inside,inside) source dynamic dhcp_range interface destination static Public_IP Private_IP
same-security-traffic permit intra-interface
object network obj_any
nat (inside,outside) dynamic interface
Thanks for all your help. Now I will pursue getting it to do DNS resolution so that the Public_IP can be a fqdn instead of the DHCP address from my ISP, then ssh to manage it and IPv6.
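Added example, not part of the thread and not a listing from either poster: the hairpin (U-turn) NAT configuration the thread converges on, written out in full with the pieces that were only implied, plus the console checks that show it is working. It assumes the interface names inside and outside, keeps 1.1.1.1 as the stand-in for the ISP address, keeps the port forward from Joe's first post (his final listing leaves it out), and uses two constructed addresses, 192.168.1.20 as an internal client and 203.0.113.5 as an external client, only for packet-tracer.

```text
! Added example (not from the thread): hairpin NAT for a single public IP on ASA 8.4.
! Assumed: interfaces are "inside" and "outside", 1.1.1.1 stands in for the ISP address,
! 192.168.1.20 and 203.0.113.5 are constructed client addresses used only for verification.

! Real and mapped addresses for the web server
object network Private_IP
 host 192.168.1.15
object network Public_IP
 host 1.1.1.1
! Internal clients that should reach the server by its public address
object network dhcp_range
 range 192.168.1.1 192.168.1.32

! Required: without this the ASA drops any flow that enters and leaves the same interface
same-security-traffic permit intra-interface

! Section 1 (twice NAT, evaluated before object NAT): an inside client sending to 1.1.1.1
! gets source = inside interface IP and destination = 192.168.1.15, so the server's reply
! comes back through the ASA instead of going directly to the client's real address.
nat (inside,inside) source dynamic dhcp_range interface destination static Public_IP Private_IP

! Section 2 (object NAT): outbound PAT for everyone, plus the inbound port forward
! for external users (assumed kept from the first post; the final listing omits it)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network Private_IP
 nat (inside,outside) static interface service tcp www www

! On 8.3+ ACLs match the real (untranslated) address: permit only port 80 to the server
access-list outside_access_in extended permit tcp any host 192.168.1.15 eq www
access-group outside_access_in in interface outside

! Verification from the console, without needing a real client:
! packet-tracer input inside tcp 192.168.1.20 40000 1.1.1.1 80
!   -> the NAT phase should show the (inside,inside) rule and the result "Action: allow"
! packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 80
!   -> should show the static object NAT for Private_IP and a hit on outside_access_in
! show nat detail
!   -> translate_hits / untranslate_hits on the hairpin rule should increase after the test
! show xlate
!   -> translation entries for 192.168.1.15
```

Two things worth knowing when running this. The twice-NAT line sits in section 1, so it is matched before the object NAT rules; if it is written so broadly that it also catches the server's own outbound replies, external access breaks, which is the symptom Joe hit before narrowing the source to dhcp_range. And same-security-traffic permit intra-interface opens inside-to-inside hairpinning for all traffic, not just this web server; outside_access_in never sees those flows, so any restriction on what internal hosts may hairpin to has to be an access list applied in the inbound direction on the inside interface.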