ASA 5510 can't make PAT

Dmitriy Popov
Level 1

According to this document I do port translation through the CLI and I have the following config:

ciscoasa# show run access-list
access-list local standard permit any
access-list outside_access_in extended permit tcp any object http-155
ciscoasa# show run access-group
access-group outside_access_in in interface inet
ciscoasa# show run nat
!
object network http-155
 nat (local,inet) static interface service tcp www 5010
!
nat (local,inet) after-auto source dynamic any interface
ciscoasa#

Host 192.168.100.155 has IIS running on it and it serves a plain HTML page.

When I try to run packet-tracer from my ASA 5510 I receive ALLOW on all stages, and on Phase: 2 UN-NAT I receive ALLOW and the action "Untranslate A.B.C.D/5010 to 192.168.100.155/80" (output in attachment).

Then I check the port with a port scanner and it shows "5010 is open".

BUT in a browser I can't receive the HTML page from 192.168.100.155 when I try to reach http://A.B.C.D:5010

Where is my mistake?
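An added diagnostic, not from the thread: it separates what the port scanner checked (the TCP handshake completing) from what the browser needs (an HTTP status line coming back), so you can see which of the two actually fails for A.B.C.D:5010. The local stand-in servers, addresses and ports are constructed for the demo; point probe_http at your own public address and port to test the real PAT.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_http(host, port, timeout=5.0):
    """Return (tcp_connected, http_status). A port scanner stops at the first
    value; the second is None when the handshake completes but no HTTP
    status line arrives before the timeout (the symptom in the thread)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            try:
                while b"\r\n" not in data and len(data) < 512:
                    chunk = s.recv(256)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                return True, None
    except OSError:  # refused, unreachable, or handshake timed out
        return False, None
    parts = data.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return True, int(parts[1])
    return True, None

class _Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the IIS host: answers every GET with a tiny page."""
    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo(timeout=2.0):
    """Constructed local stand-ins: one listener answers HTTP, the other
    accepts the TCP handshake (so it scans as "open") but never replies."""
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)  # kernel completes the handshake; nobody ever accept()s
    answering = probe_http("127.0.0.1", srv.server_address[1], timeout)
    silent_res = probe_http("127.0.0.1", silent.getsockname()[1], timeout)
    srv.shutdown()
    silent.close()
    return {"answering": answering, "silent": silent_res}
```

If the real probe returns (True, None) the ASA is passing the SYN but the reply from the server never makes it back, which is what the capture commands later in the thread are meant to confirm; (False, None) means the translation or access rule itself is not matching.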

4 Replies

Dmitriy Popov
Level 1

All traffic from interface local to interface inet passes without problems. The security level of inet is 0 and of local is 100. Because of that I haven't added an access rule in the direction from local to inet. Is it right?

Hi,

For accessing a publicly NATted service from inside by its NATted IP address you have to do hairpinning; otherwise you can also do DNS doctoring by adding the dns keyword to your static PAT config. Then you access the service by FQDN from inside and the ASA will intercept the DNS reply from the external DNS server and rewrite the public IP obtained to the private address from your static PAT entry.

Here are the links explaining the 2 concepts:

http://blogg.kvistofta.nu/cisco-asa-hairpinning/

http://iptechtalk.wordpress.com/2009/09/04/the-need-for-dns-doctoring-on-asa-methods-and-workarounds/

Don't forget to inspect DNS for the DNS doctoring solution.

Regards.

Alain

Don't forget to rate helpful posts.

I can't access my service from outside either. I've tried to use different anonymizer services, but without success (for example from http://anonymizer.nntime.com/).

My access and NAT rules don't work.

I've tried to access http://A.B.C.D:5010

Hi,

do this:

(config)#access-list cap_inside extended permit tcp any any

(config)#access-list cap_outside extended permit tcp any any

#capture capin interface inside access-list cap_inside

#capture capout interface outside access-list cap_outside

Then try to access again from outside, run these and post the results:

#show capture capin

#show capture capout

Regards.

Alain

Don't forget to rate helpful posts.