Unable to translate Internal IP to External IP

rleave001
Level 1

Hi everyone

I'm new to the Cisco environment and I'm currently trying to get my server onto a public IP.

Our server connects to C4506-E > ASA 5455 > Peplink Balance 580

For the Peplink, all the configuration is correct, as the NAT mapping is straightforward.

I have also tried 1-to-1 NAT on the ASA 5545; however, it still fails to translate to the public IP.

Below is the ASA configuration I've done so far.

=======================================

object network SERVER_1
 host 192.168.xxx.xx (internal ip)
 nat (inside,dome) static 1.x.xxx.xx.x (public ip)

access-list outside_access_in extended permit tcp any object SERVER_1 eq www

object network SERVER_1wan

=======================================

Thanks for help.

13 Replies

Luke Oxley
Level 1
rleave001,

Thanks for your post. I understand what you are trying to achieve and would be pleased to help you. I have four questions before I can begin to help you.
1. Is "dome" the nameif of your public-facing interface?
2. Please give me the private IP of your server; this will help me to write the configuration correctly for you.
3. Do you wish to do a 1:1 NAT between the server and outside interface, or essentially just a "port forward" to the server for www traffic?
4. What version of ASA code are you running? The NAT command syntax has changed between versions.
Once I have an answer to these questions I'll draw up some configuration tailored for you. We can then hopefully get this working.

Thanks,
Luke


Hi Luke

1. Is "dome" the nameif of your public-facing interface?
We have 2 networks connected to our Peplink. One of them is Dome and we are trying to use dome for server purposes only. As of now we have 3 interfaces: inside, wan and dome.

2. Please give me the private IP of your server; this will help me to write the configuration correctly for you.

My private IP is 1.9.214.61

3. Do you wish to do a 1:1 NAT between the server and outside interface, or essentially just a "port forward" to the server for www traffic?

I wish to do 1:1 NAT between the server and outside interface.

4. What version of ASA code are you running? The NAT command syntax has changed between versions.

ASA Version 9.1(2)

Thanks.

Hey rleave001,

I believe that in the particular version of ASA you are running, you complete everything static-NAT-wise from within the object you create. So without exiting from any shell prompt, please amend the below statements to suit your service needs (as you can see, I've drawn this example up under the assumption that it is a web server) and then copy and paste the commands in as they are.

1. Create: a network object with the internal host defined, a static NAT statement, and the access control list permitting the type of traffic the NAT statement is set up for.

object network WebServer1
 host 1.9.214.61
 nat (inside,dome) static interface service tcp 80 80
 access-list WebServer1-Outside-Access-In permit tcp any host 1.9.214.61 eq 80
 exit

2. Tie the newly created access control list to the dome interface ingress.

access-group WebServer1-Outside-Access-In in interface dome

What these commands will achieve is a static NAT between 1.9.214.61 and the IP address of the dome interface for service port 80. You can add as many different NAT statements with different service ports/protocols to that object as you wish; just remember to add them to the access control list too so that they are allowed inbound on the dome interface.

Give that a try and let me know how you get along. I look forward to hearing back.

Thanks,
Luke


Hi Luke

I will try to amend the configuration and will let you know if the configuration is correct.

Thanks for the help btw :)

I have tried to configure it as you guided, lukeoxley, and when I try to do packet tracer it shows as attached.

The server is connected to our core switch 4506-E

Hi,

As I understand the scenario, you want to access the server (dome) from outside (the Internet). Then try what I mentioned in my previous post.

Thanks

rleave001,

No problem, pleased to be of assistance. Strange to be seeing a deny from the access control list. I have a few questions before we can troubleshoot this further for you.
  1. Have you tried connecting to the address of the dome interface on port 80 to see if you hit the server? If so, was this successful?
  2. In Packet Tracer, to get the results you posted, what are you trying to connect to source, destination and service wise?
  3. Does the dome interface have a public IP address?
  4. Is the server at 1.9.214.61 sitting behind the inside interface connected to the 4506?
  5. What role is the Peplink taking?
  6. Is the ASA handling all of the NAT for your organisation? I just want to make sure I'm not missing some of the picture with the Peplink being involved.
If you can answer these we should be able to see what is amiss.
Lastly, just to put ahmedshoaib's mind at ease, can you confirm that dome is a public facing interface and that you want to NAT from inside to dome interface?

Thanks,
Luke


Hi Luke;

I don't want to argue with you; instead of pointing, please understand the issue before giving a suggestion. Maybe the 7-day-old post (rleave001's reply to your post) will help you to understand the issue?

And best of luck to resolve this issue.

Thanks & Best regards;

ahmedshoaib,
I will continue to argue my point as you are misreading and misunderstanding what rleave001 has initially said. You are just confusing things. We are here to help, not confuse.
As I have now said many a time, from my understanding dome is a public facing interface. As rleave001 states "We have 2 network which connected to our Peplink. 1 of them is Dome...". WAN and dome are connected to the Peplink, which then connects to the ISP.
What rleave001 means when they say that dome is only for server purposes is that they only want to NAT servers from internal to the dome interface, not WAN. Leaving all client traffic to be NAT'd to the WAN interface. If we follow your suggestion to NAT from dome to WAN then we are NAT'ing from one public interface to another public interface... which undermines the whole purpose of NAT and will not make this work.
Thank you,
Luke

Hi;

To configure NAT on the ASA firewall so the outside world can access your server in the DMZ (dome) area:

Step 1: Create a network object for the Dome server:

hostname(config)# object network Dome_SRV1

Step 2: Define the server address:

hostname(config-network-object)# host 1.9.214.61

Step 3: Configure static NAT for the object:

hostname(config-network-object)# nat (dome,wan) static X.X.X.X (Public IP address).

Once NAT is configured properly, you need to allow the traffic on your WAN interface:

access-list outside_access_in extended permit tcp any object Dome_SRV1 eq www

access-group outside_access_in in interface wan

Thanks & Best regards.

ahmedshoaib,

I don't believe your configuration is correct - your NAT statement is NAT'ing from "dome" to "wan", from the initial explanation I believe we need to translate to the IP address on the "dome" interface rather than the other way around...

rleave001  - Please continue with trying my configuration example first.

Thanks,
Luke


Hi Luke;

Please review the requirement:

Point #1 - we have 3 interfaces: inside, wan and dome.

Point #2 - one of them is Dome and we are trying to use dome for server purposes only.

Point #3 - to do 1:1 NAT between the server and outside interface.

Now, which configuration reflects the requirement?

Thanks & Best regards;

ahmedshoaib,

No, you are incorrect. As per rleave001's first post, they already tried the NAT statement "nat (inside,dome) static 1.x.xxx.xx.x (public ip)", which would suggest that they want to NAT from inside TO dome.
Dome is a public facing interface as it is connected to the Peplink. They wish to NAT to this interface from the inside. So, as per my last post, your configuration is still incorrect.
rleave001 - Please continue with my configuration example as discussed.
Regards,
Luke
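To make the direction question in this thread concrete, here is a small Python model (an added illustration, not Cisco code and not anything the posters wrote) of how an ASA 8.3+ static object-NAT rule and an interface ACL act on an inbound packet: the (real,mapped) interface pair decides which interface the rule can be hit on, the packet is un-NATed before the ingress ACL runs, and the ACL is checked against the real (untranslated) address, which is why Luke's ACL names 1.9.214.61 rather than the dome interface address. It replays Luke's (inside,dome) example and ahmedshoaib's (dome,wan) variant side by side; the interface addresses, the client address and the value of X.X.X.X are assumed documentation-range values because the thread never gives them.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed interface addresses (RFC 5737 documentation ranges); the thread never gives them.
INTERFACE_IPS = {"dome": "203.0.113.10", "wan": "203.0.113.20"}
SERVER = "1.9.214.61"               # the server address quoted in the thread
CLIENT = "198.51.100.77"            # assumed Internet client
X_PUBLIC = "192.0.2.50"             # stands in for ahmedshoaib's X.X.X.X (assumed)


@dataclass(frozen=True)
class NatRule:
    real_ifc: str                   # interface the real host sits behind
    mapped_ifc: str                 # interface on which the translated address is reachable
    real_ip: str
    mapped_ip: str                  # "interface" = use the mapped interface's own address
    port: Optional[int] = None      # None = whole-host 1:1 static NAT


@dataclass(frozen=True)
class Packet:
    ingress: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    proto: str
    dst: str                        # "any" or a host; on ASA 8.3+ this is the REAL address
    dport: int


def mapped_address(rule: NatRule) -> str:
    return INTERFACE_IPS[rule.mapped_ifc] if rule.mapped_ip == "interface" else rule.mapped_ip


def untranslate(pkt: Packet, rules):
    """Inbound NAT lookup: a rule matches only on its mapped interface, for its mapped address."""
    for r in rules:
        if pkt.ingress != r.mapped_ifc or pkt.dst != mapped_address(r):
            continue
        if r.port is not None and pkt.dport != r.port:
            continue
        return r, replace(pkt, dst=r.real_ip)
    return None, pkt


def acl_permits(pkt: Packet, acl) -> bool:
    """Interface ACL with the ASA's implicit deny at the end."""
    return any(e.proto == pkt.proto and e.dport == pkt.dport and e.dst in ("any", pkt.dst)
               for e in acl)


def trace(pkt: Packet, rules, access_groups) -> dict:
    """Inbound flow in the order packet-tracer reports it: UN-NAT, then the ingress ACL
    evaluated on the un-NATed packet (real destination address)."""
    rule, real_pkt = untranslate(pkt, rules)
    if rule is None:
        return {"phase": "UN-NAT", "action": "no-match"}
    acl = access_groups.get(pkt.ingress, [])
    action = "ALLOW" if acl_permits(real_pkt, acl) else "DROP"
    return {"phase": "ACCESS-LIST", "action": action, "egress": rule.real_ifc,
            "real_dst": real_pkt.dst}


# Luke's example: nat (inside,dome) static interface service tcp 80 80, ACL on dome naming the real host.
LUKE_RULES = [NatRule("inside", "dome", SERVER, "interface", 80)]
LUKE_ACL = {"dome": [AclEntry("tcp", SERVER, 80)]}

# ahmedshoaib's variant: nat (dome,wan) static X.X.X.X, ACL applied inbound on wan.
AHMED_RULES = [NatRule("dome", "wan", SERVER, X_PUBLIC)]
AHMED_ACL = {"wan": [AclEntry("tcp", SERVER, 80)]}


def luke_hit_on_dome() -> dict:
    return trace(Packet("dome", CLIENT, INTERFACE_IPS["dome"], 80), LUKE_RULES, LUKE_ACL)


def luke_acl_written_with_mapped_ip() -> dict:
    # Pre-8.3 habit: ACL names the translated address. On 8.3+ the ACL sees the real IP,
    # so the same packet is dropped at the ACCESS-LIST phase.
    wrong_acl = {"dome": [AclEntry("tcp", INTERFACE_IPS["dome"], 80)]}
    return trace(Packet("dome", CLIENT, INTERFACE_IPS["dome"], 80), LUKE_RULES, wrong_acl)


def ahmed_hit_on_dome() -> dict:
    # With (dome,wan) the rule is only reachable from wan; a client hitting dome gets no NAT match.
    return trace(Packet("dome", CLIENT, INTERFACE_IPS["dome"], 80), AHMED_RULES, AHMED_ACL)


def ahmed_hit_on_wan() -> dict:
    # Same rule, client hits X.X.X.X on wan: un-NATed and forwarded out dome,
    # i.e. this rule only fits a server that physically sits behind the dome interface.
    return trace(Packet("wan", CLIENT, X_PUBLIC, 80), AHMED_RULES, AHMED_ACL)


if __name__ == "__main__":
    for name, fn in [("luke, client on dome", luke_hit_on_dome),
                     ("luke, ACL with mapped IP", luke_acl_written_with_mapped_ip),
                     ("ahmed, client on dome", ahmed_hit_on_dome),
                     ("ahmed, client on wan", ahmed_hit_on_wan)]:
        print(f"{name:26} -> {fn()}")
```

The model deliberately stops at the two phases the thread is arguing about. Running it shows that the two proposals are not interchangeable: Luke's rule is only hit by traffic arriving on dome and forwards to inside, while the (dome,wan) rule is only hit by traffic arriving on wan and forwards to dome, so which one is right depends entirely on which interface the server really sits behind. The third case is the classic post-8.3 pitfall: the NAT is correct but the ACL names the translated address, and packet-tracer reports a drop at the ACL phase.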

