
Proper NAT Config with port number for public IP

dbuckley77
Level 1

We have a rule in our firewall to NAT an IP for a system on the inside to the IP address of our outside interface so that users may publicly access the system via a web browser using the outside interface IP with port 8100. It was working but the NAT rule got deleted and now I cannot get it to work again. I am using the GUI v 8.2

 

To go through the ASA settings for this rule:

 

It's a static NAT rule.

 

Original

Interface = inside

source = hostname with internal IP

 

Translated

Interface = outside

Use interface IP Address is selected

 

Enable PAT is checked

Protocol = TCP

original port = 8100

translated port = 8100

 

What do I have wrong?

1 Accepted Solution

Accepted Solutions

I don't remember how the NAT interface on the 8.2 ASDM looks as it has been a while since I have worked on it. But the commands for 8.2 would be:

static (inside,outside) tcp interface 8100 10.1.1.235 8100 netmask 255.255.255.255

access-list outside-in extended permit tcp any host <outside interface IP> eq 8100

access-group outside-in in interface outside

--

Please remember to select a correct answer and rate helpful posts

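As an added example (not part of the thread and not a Cisco tool): a small Python checker for the 8.2 static PAT, access-list and access-group trio from the accepted answer. It assumes 203.0.113.10 as a stand-in for the outside interface IP and flags the mismatches this thread circles around (ACL on the wrong port, ACL not applied inbound on outside, an over-wide permit) before you reach for packet tracer.

```python
import re

# Patterns for the three ASA 8.2 lines in the accepted answer: static PAT,
# extended ACL and access-group (the 8.3+ object-NAT syntax is out of scope).
STATIC_RE = re.compile(r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
                       r"(?P<mapped_ip>\S+) (?P<mapped_port>\d+) (?P<real_ip>\S+) (?P<real_port>\d+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
                    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\d+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<direction>in|out) interface (?P<intf>\w+)$")


def check_static_pat(config_lines):
    """Return a list of findings; an empty list means the three lines agree."""
    static, acls, groups = None, [], []
    for line in config_lines:
        line = line.strip()
        if m := STATIC_RE.match(line):
            static = m.groupdict()
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups.append(m.groupdict())
    if static is None:
        return ["no static PAT line found"]
    findings = []
    # The ACL only takes effect once it is applied inbound on the mapped interface.
    bound = {g["name"] for g in groups
             if g["direction"] == "in" and g["intf"] == static["mapped_if"]}
    if not bound:
        findings.append(f"no ACL applied inbound on {static['mapped_if']}")
    permits = [a for a in acls if a["action"] == "permit" and a["name"] in bound]
    # In 8.2 the ACL matches the mapped side, so its port must equal the mapped port.
    if not any(a["proto"] == static["proto"] and a["port"] == static["mapped_port"]
               for a in permits):
        findings.append(f"no permit for {static['proto']}/{static['mapped_port']} in the inbound ACL")
    for a in permits:  # a permit with no port to any host is far wider than the PAT needs
        if a["port"] is None and a["dst"] == "any":
            findings.append(f"ACL {a['name']} permits {a['proto']} to any host and port")
    return findings


# Constructed sample modelled on the accepted answer; 203.0.113.10 stands in for
# the outside interface IP (a documentation address, not one from the thread).
SAMPLE_OK = [
    "static (inside,outside) tcp interface 8100 10.1.1.235 8100 netmask 255.255.255.255",
    "access-list outside-in extended permit tcp any host 203.0.113.10 eq 8100",
    "access-group outside-in in interface outside",
]
```

Feed it the lines from `show running-config` for the rule in question; an empty result means the PAT and ACL agree and the remaining suspects are rule order and the implicit deny, as discussed further down the thread.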

16 Replies

burleyman
Level 8

Did you create the ACL to allow that traffic?

 

I am a command line guy

 

object network INSIDE_DEVICE_8100
 host 10.1.1.235
 nat (inside,outside) static interface service tcp 8100 8100


access-list outside-in extended permit tcp any object INSIDE_DEVICE_8100 eq 8100

 

Hope this helps.

 

Mike


I have posted an image below of the NAT rule screen from the asdm 8.2

It should be fairly straightforward but it's not working.

 

 

Sorry I did not catch the 8.2, my post was for newer code.

 

As Marius said run packet tracer and see where it fails.

 

 

Mike

Where do I run PT from?

ASDM under Tools, then choose Packet Tracer

Since you recreated the NAT rule it is probably at the bottom of the NAT rule list. Try moving it to the top of the list and see if that works. Or if you recreated the ACL it too could be below a deny rule, so I would check that as well.

 

Also when you ran the packet tracer at which step does it fail?

 

Mike
 

I moved the NAT rule to the top and the ACL is not below any deny rules.

 

I'm confused as to how to properly run the packet trace. Do I run it on the ACL or the NAT rule? Also, what would my zone, source IP/port and dest IP/port be?

So I ran the packet trace on the NAT rule with the inside address and port 10.1100.30.10:80 as the source, the inside interface chosen and the outside IP/port 71.181.12.194:8100 as the destination.

 

It says packet is dropped 7 flow is denied by configured rule.

 

When I checked the rule it is the any any deny implicit rule on the inside interface.

 

 

I got it working.  All I did was delete the NAT rule and re-create it exactly as it had been and it started working.

 

Odd.

Just to check....under Translated choose "Use IP Address" and put the IP address in there and see if that helps at all. While it should not make a difference, stranger things have happened.

I already tried that but when I did a message popped up saying "this is the ip address of the outside interface please select use interface IP."
 

Below is a screenshot of the packet trace.  Not sure if I did it correctly:

 

CLI text reads:

 

Config
static (inside,outside) tcp interface 8100 Cablecast_Pro 8100 netmask 255.255.255.255
nat-control
match tcp inside host Cablecast_Pro eq 8100 outside any
static translation to 71.181.12.194/8100
translate_hits = 0, untranslate_hits = 31

 

Could you try the packet tracer using a random high source port (12345 for example)?

It is not failing on the NAT statement so that should be fine.

--

Please remember to select a correct answer and rate helpful posts
