Community Member

5505 w/8.3 Can't pass inbound traffic on PAT

At my wits' end with the new 8.3.  I've spent way too much time trying to get this simple simple thing to work.  I have one IP on the outside interface, and when I try to access the web server in the config it doesn't allow it and the ASA shows it's denying the traffic due to the ACL.  What am I missing here!?!?!?

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 100.100.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.97.79.XXX 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 100.100.100.0 255.255.255.0
object network Exchange
host 100.100.100.14
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any object Exchange object-group DM_INLINE_TCP_1 log alerts
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network inside-net
nat (inside,outside) dynamic interface
object network Exchange
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.97.79.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 100.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 100.100.100.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6779fa704be8c8ce3392624c9a008b9e
: end
asdm image disk0:/asdm-634-53.bin
no asdm history enable

5 REPLIES

Re: 5505 w/8.3 Can't pass inbound traffic on PAT

Hi,

To allow inbound traffic you require a static NAT, it seems you only have dynamic NAT defined.

object network obj-x.x.x.x
 host x.x.x.x
 nat (inside,outside) static 209.165.201.15

Where x.x.x.x is the real IP of the server.

Also, the ACL applied to the outside interface should permit the inbound web traffic to the real IP of the server.

Federico.

Cisco Employee

Re: 5505 w/8.3 Can't pass inbound traffic on PAT

Hello,

Very important to add: if you are using the interface, there is a known bug, so you may want to put the regular PAT with the after-auto keyword.

Cheers.

Mike

Community Member

Re: 5505 w/8.3 Can't pass inbound traffic on PAT

I figured it out.  I had to watch a video for quite some time to get an example.  Hard to reason why this isn't an example anywhere.  I think with the big NAT changes in 8.3 I thought they'd have posted a whack of updated examples?  Oh well,

nat (inside,outside) static interface service tcp www www

is the way to use the interface's IP for port forwarding.
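The three replies above together describe the 8.3 fix: static object NAT on the interface address with a service keyword, the dynamic PAT moved after-auto, and an ACL that matches the real address. Here is that combination written out for the Exchange host from the posted config, as an added example that is not part of the thread; the object names Exchange-www/Exchange-https and the test source 203.0.113.5 are constructed, and <outside-ip> stands for the masked 208.97.79.XXX address.

```cisco
! Added example (not from the thread). Object names Exchange-www and
! Exchange-https and the source address 203.0.113.5 are constructed;
! <outside-ip> is a placeholder for the masked outside interface address.
!
! An object carries only one nat statement, so port-forwards that share
! the outside interface IP need one object per forwarded port.
object network Exchange-www
 host 100.100.100.14
 nat (inside,outside) static interface service tcp www www
object network Exchange-https
 host 100.100.100.14
 nat (inside,outside) static interface service tcp https https
!
! Outbound PAT for the LAN in NAT section 3 (after-auto), as Mike
! suggests, so it is evaluated after the object NAT rules above and
! cannot shadow the port-forwards. With this line the three
! "nat (inside,outside) dynamic interface" object rules in the original
! config are no longer needed.
nat (inside,outside) after-auto source dynamic inside-net interface
!
! In 8.3+ the interface ACL matches the real (untranslated) address, so
! the original outside_access_in entry, which permits tcp 80/443 to
! object Exchange (100.100.100.14), is already correct; keep it limited
! to those two ports rather than opening "any".
access-list outside_access_in extended permit tcp any object Exchange object-group DM_INLINE_TCP_1 log alerts
access-group outside_access_in in interface outside
!
! Verification: trace a constructed inbound HTTPS connection and confirm
! the NAT and ACCESS-LIST phases both report ALLOW with the expected
! translation to 100.100.100.14, then inspect the installed rules.
packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 443
show nat detail
show xlate
```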

Cisco Employee

Re: 5505 w/8.3 Can't pass inbound traffic on PAT

Hello Adrian,

Here is the Document that you were looking for, you can use it for future reference.

https://supportforums.cisco.com/docs/DOC-9129

I am glad that everything is working, would you please mark this question as resolved so other people can use it as reference?

Cheers.

Mike

Community Member

Re: 5505 w/8.3 Can't pass inbound traffic on PAT

I don't have the ability to mark my own answer as correct, so I guess it stays unresolved.
