ASA 9.1 NAT rule issues

Inside I have one server running two applications: one is on port 80 and the other is on port 83.

When an outside customer accesses the application on port 80, the web address displays the NATted public IP, like http://230.0.115.15:80....

When accessing the application on port 83, it displays the actual IP (private IP), like http://10.30.49.52:83...

Both applications are running well, but we want to hide our private IP when accessing my second application.

-------------------------------------------------------------------------------------------------------------------

Configured:

Port redirection (forwarding) with static, command as below:

nat (inside,outside) static 203.0.115.15 net-to-net service tcp www www

I would be thankful for your early response and help.

Regards,

Laxman.

5 Replies

Rahul Govindan
VIP Alumni

What you have is a rule for www (port 80) alone. Do you have a rule for port 83 also? Where does the application display the actual IP address?

If you do not have a rule already, create a similar rule for 83 and you should be good. Follow the steps given in this doc to create a port forwarding rule:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10

Hi Rahul,

Thanks for your early response.

The customer is accessing from external (outside) to inside.

I have done the same thing for port 83 also, but in the logs I am getting an asymmetric NAT rule error.

I am not entirely sure I understand exactly what your issue is, but I will answer it as I see it and then we can take it from there.

Your NAT rule looks to be wrong.  You are indicating that the ingress interface is inside and that the source address entering the inside interface is 203.0.115.15. I am assuming that this is the public IP and that you have a private address range assigned to the host?

nat (inside,outside) static 203.0.115.15 net-to-net service tcp www www

If my assumption is correct then your NAT rule should look like this:

nat (inside,outside) static net-to-net 203.0.115.15 service tcp www www

If I have misunderstood, then please explain in more detail what the issue is and post a full running configuration (sanitized).

--

Please remember to select a correct answer and rate helpful posts

pius.oshinuga
Level 1

Dear All,

I am in the process of upgrading from a pix505e firewall to an asa5505 (ASA Version 9.1(7)7). I am able to access the web server from the internet on the pix, but not after running the following commands:

interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 100
!
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
object network web_server
 host 192.168.1.10
 nat (inside,outside) static interface service tcp www www
!
access-list outside_in extended permit tcp any host 192.168.1.10 eq www
access-group outside_in in interface outside

You might ask why I am not using a dmz; well, I am in the process of migrating the servers to the dmz. However, in the meantime the server is on the inside nameif and I need access to the internal web server.

My issue is that the web server cannot be accessed from the outside. I have to revert to using the pix for users to be able to access the web server for now, until this issue is resolved...

Thank you for your quick response


Dear All,

I have finally figured out what the issue was. I forgot to change the default gateway of the web server to the new ASA firewall.

Thank you
