
help static nat on ASA5510

Aug 26th, 2012

Dear Cisco!

We have this network topology: Inside Network (172.168.1.0/27) --- ASA5510 --- Outside Network (192.168.10.0/24)

The ASA5510 has: inside interface 172.168.1.30/27; outside interface 192.168.10.254

And we configured:

# object network obj_inside
#  subnet 172.168.1.0 255.255.255.224
#  nat (inside,outside) dynamic interface
#
# object network obj_srv
#  host 172.168.1.1
#  nat (inside,outside) static 192.168.10.10 service tcp www www
#
# access-list outside_in extended permit tcp any host 172.168.1.1 eq 80
# access-group outside_in in interface outside

So, from outside we can't access the web server at 192.168.10.10?

Could you please help us configure this situation?

Thanks!

Julio Carvajal Sun, 08/26/2012 - 21:48

Hello Tran,


Do the following:


object network 192.168.10.10
 host 192.168.10.10

object service HTTP
 service tcp source eq 80

nat (inside,outside) 1 source static obj_srv 192.168.10.10 service HTTP HTTP


Regards,


Rate all the helpful posts


Julio

tran trong nghia Mon, 08/27/2012 - 01:24
Dear Jcarvaja!


We tried configuring it the same way you said.

: Saved
: Written by cisco at 23:51:41.749 UTC Sun Aug 26 2012
!
ASA Version 8.4(2)
!
hostname ASA84
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.168.1.30 255.255.255.224
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object network obj_inside
 subnet 172.168.1.0 255.255.255.224
object network obj_websrv
 host 172.168.1.1
object network obj_websrv_map
 host 192.168.10.10
object service HTTP
 service tcp source eq www
object service TELNET
 service tcp source eq telnet
access-list outside_access_in remark web
access-list outside_access_in extended permit object HTTP any object obj_websrv
access-list outside_access_in remark telnet
access-list outside_access_in extended permit object TELNET any object obj_websrv
access-list outside_in extended permit object TELNET any object obj_websrv_map
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj_websrv obj_websrv_map service HTTP HTTP
nat (inside,outside) source static obj_websrv obj_websrv_map service TELNET TELNET
!
object network obj_inside
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:95c89977b58cece71e602943c945c150

And from a PC with address 192.168.10.20 in the outside zone we can't access the web server at the mapped IP 192.168.10.10?

Could you help us check this problem?

Thanks!

Julio Carvajal Mon, 08/27/2012 - 12:57

Hello Tran,


The ACL is wrong.

Change it to this:

access-list outside_access_in line 1 permit tcp any host 172.168.1.1 eq 80


Regards,


Julio


Remember to rate all the helpful posts
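An added check, not part of this thread and not a Cisco tool, that encodes the two ASA 8.3+ conditions the thread turns on: the interface ACL must name the real (pre-NAT) address, and a service object written with `service tcp source eq` filters the client's source port when used in an ACE. The config excerpt is constructed from the posted configuration, with one extra ACE aimed at the mapped address added to exercise that check; `parse` and `check_outside_acl` are names chosen here.

```python
import re

# Constructed excerpt modelled on the ASA 8.4 config in the thread; the ACE
# whose destination is the mapped address is added to exercise that check.
CONFIG = """
object network obj_websrv
 host 172.168.1.1
object network obj_websrv_map
 host 192.168.10.10
object service HTTP
 service tcp source eq www
access-list outside_access_in extended permit object HTTP any object obj_websrv
access-list outside_access_in extended permit tcp any host 172.168.1.1 eq 80
access-list outside_access_in extended permit tcp any host 192.168.10.10 eq 80
nat (inside,outside) source static obj_websrv obj_websrv_map service HTTP HTTP
access-group outside_access_in in interface outside
"""

def parse(cfg):
    hosts, svc_dir, acls, mapped_objs, cur = {}, {}, {}, set(), None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"object (?:network|service) (\S+)", s):
            cur = m.group(1)                      # current object being defined
        elif m := re.match(r"host (\S+)", s):
            hosts[cur] = m.group(1)               # network object -> host IP
        elif m := re.match(r"service tcp (source|destination) eq", s):
            svc_dir[cur] = m.group(1)             # service object -> port side
        elif m := re.match(r"access-list (\S+) extended permit (.+)", s):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"nat \(\S+\) source static \S+ (\S+)", s):
            mapped_objs.add(m.group(1))           # mapped object of a static NAT
    return hosts, svc_dir, acls, mapped_objs

def check_outside_acl(cfg):
    """Findings for the ACL bound inbound on 'outside' under 8.3+ NAT semantics."""
    hosts, svc_dir, acls, mapped_objs = parse(cfg)
    mapped = mapped_objs | {hosts[o] for o in mapped_objs if o in hosts}
    bound = re.search(r"access-group (\S+) in interface outside", cfg)
    if not bound:
        return ["no ACL is bound inbound on outside"]
    findings = []
    for ace in acls.get(bound.group(1), []):
        # 'source eq' in a service object filters the client's ephemeral source port
        if ace[0] == "object" and svc_dir.get(ace[1]) == "source":
            findings.append(f"service object {ace[1]} matches source port")
        # 8.3+ interface ACLs see the real (pre-NAT) address; mapped IPs never match
        findings += [f"{t} is a mapped address, use the real IP" for t in ace if t in mapped]
    return findings
```

Running `check_outside_acl(CONFIG)` reports the `HTTP` service object and the mapped-address ACE; the explicit `permit tcp any host 172.168.1.1 eq 80` line passes clean.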
