08-13-2015 09:09 PM - edited 03-11-2019 11:25 PM
Dear all,
My English isn't good. I have trouble with static NAT on an ASA running version 9.1.
This is my configuration file:
interface GigabitEthernet1/1
 nameif outside
 description # Connect to router of ISP #
 security-level 0
 ip address 222.255.23.166 255.255.255.252
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 199.1.10.33 255.255.255.224
!
route outside 0.0.0.0 0.0.0.0 222.255.23.165 1
!
object network NASU_DMZ
 subnet 199.1.10.32 255.255.255.224
object network NASU_ISA
 host 199.1.10.62
object network NASU_ISA_PUB
 host 222.255.20.186
!
nat (dmz,outside) after-auto source dynamic NASU_DMZ interface
nat (dmz,outside) source static NASU_ISA NASU_ISA_PUB
(the second line is the static NAT)
Case 1: if I use the ACL
access-list Outside_policy_in extended permit ip any any
access-group Outside_policy_in in interface outside
Result: static NAT on the ASA works correctly.
Case 2: if I use the ACL
access-list Outside_policy_in extended permit tcp any host 222.255.20.186 eq 443
access-list Outside_policy_in extended permit tcp any host 222.255.20.186 eq 80
access-group Outside_policy_in in interface outside
Result: static NAT on the ASA does not work. I can't reach any service, including 443 and 80.
Can you help me solve this problem?
Thank you very much!
08-14-2015 01:22 AM
In the ACL you have to use the real server IP address:
access-list Outside_policy_in extended permit tcp any object NASU_ISA eq 443
access-list Outside_policy_in extended permit tcp any object NASU_ISA eq 80
08-14-2015 11:18 AM
Thanks for your support!
So, can you explain this to me? All the documents show me that I have to use the mapped IP with static NAT on the ASA.
08-14-2015 12:11 PM
The translated address was used in the ACL in ASA versions up to 8.2. With the new NAT model this changed: the real IP has to be used.
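To make the order of operations behind that answer concrete, here is an added example (not part of the thread, and not Cisco code) that models the inbound path on the outside interface: on the newer NAT model the static NAT untranslate happens first, so the interface ACL is matched against the real DMZ address, while the old behaviour matched the mapped address. The addresses and object names are taken from the configuration posted above; the packet-flow model is a deliberate simplification of the ASA and is an assumption of this example, not a description of its internals.

```python
"""Model of which destination address an ASA interface ACL sees for static-NAT traffic.

Constructed example using the addresses from the thread: public 222.255.20.186
(NASU_ISA_PUB) is statically translated to DMZ host 199.1.10.62 (NASU_ISA).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# "nat (dmz,outside) source static NASU_ISA NASU_ISA_PUB": mapped -> real
STATIC_NAT = {"222.255.20.186": "199.1.10.62"}


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, destination, optional destination port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" (any protocol) or "tcp"
    dst: str               # "any" or a host/network in CIDR notation
    port: Optional[int]    # None means any destination port


def ace_matches(ace: Ace, proto: str, dst_ip: str, dst_port: int) -> bool:
    """True when the packet fields fall inside the entry's protocol, destination and port."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dst != "any":
        net = ipaddress.ip_network(ace.dst, strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    if ace.port is not None and ace.port != dst_port:
        return False
    return True


def acl_permits(acl, proto: str, dst_ip: str, dst_port: int) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, dst_ip, dst_port):
            return ace.action == "permit"
    return False


def inbound_outside(acl, proto: str, dst_ip: str, dst_port: int,
                    acl_sees_real_ip: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (permitted, delivered_to_real_ip) for a packet arriving on 'outside'.

    acl_sees_real_ip=True models the current NAT model: the mapped destination is
    untranslated before the interface ACL is evaluated, so the ACL must name the
    real address.  False models the pre-8.3 behaviour described in the thread,
    where the ACL matched the mapped (public) address.
    """
    real_ip = STATIC_NAT.get(dst_ip, dst_ip)          # static NAT untranslate
    acl_target = real_ip if acl_sees_real_ip else dst_ip
    permitted = acl_permits(acl, proto, acl_target, dst_port)
    return permitted, (real_ip if permitted else None)


# Case 1 from the post: permit ip any any
ACL_ANY = [Ace("permit", "ip", "any", None)]
# Case 2 from the post: ACL written against the mapped address 222.255.20.186
ACL_MAPPED = [Ace("permit", "tcp", "222.255.20.186/32", 443),
              Ace("permit", "tcp", "222.255.20.186/32", 80)]
# The answer: ACL written against the real address (object NASU_ISA)
ACL_REAL = [Ace("permit", "tcp", "199.1.10.62/32", 443),
            Ace("permit", "tcp", "199.1.10.62/32", 80)]

if __name__ == "__main__":
    for label, acl in (("case 1, ip any any", ACL_ANY),
                       ("case 2, mapped address", ACL_MAPPED),
                       ("fixed, real address", ACL_REAL)):
        print(f"{label:24s} -> {inbound_outside(acl, 'tcp', '222.255.20.186', 443)}")
```

Running it shows case 2 failing for exactly the reason given in the answer: after untranslation the ACL is compared against 199.1.10.62, which no entry naming 222.255.20.186 matches, so the implicit deny drops the connection even though the NAT rule itself is fine.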