ASA 5505 (8.3+): Problems getting internal server NAT'd properly
I have an internal VOIP voicemail/presence server I want accessible from outside my internal network. Connecting internally works great, but when a user tries connecting from outside, there's no availability. When I try to use NAT, the voicemail-to-email service can't reach our cloud email service.
We have a /28 public IP address range. The ASA is our external device, the WAN side is .220, with our ISP's gateway set at .222. I've tried NATting the server to a .217 address, but that's when things go wrong.
With the current config, our VM-to-email works. Here's some snippets of my config:
It seems to me that it's a NAT issue, but I could be wrong. If I try adding a static route for the public address for the server, the VM-to-email stops working. And, the presence server still doesn't work externally.
If I have not misunderstood anything then it would seem to me that you simply want to configure a Static NAT for your internal server? I would also presume that every "nat" command EXCEPT for the "dynamic" one is a new one which you have tried to use to get the server NAT working?
The configuration format of those "nat" commands is not valid for your situation. What you are actually telling the device to do in those configurations is that the VMSERVER IP address should NOT be NATed when the destination IP address is OUTSIDE. As the same "object" is listed twice it means no NAT is performed. You only configure the "destination" parameters in a "nat" command when you want to configure a Policy NAT that only applies with certain source/destination subnet/host combinations. The "destination" parameters are also used to NAT the destination IP address in addition to the source address.
If you simply want to configure Static NAT then you could use this simple configuration
The above configuration is what we call Auto NAT or Network Object NAT. The information related to the NAT is located under the "object" configuration, much like your current Dynamic PAT configuration for LAN users.
After you have configured the above Static NAT with the correct IP addresses you can then configure the ACL rules to allow connections on the ports required and from the required source addresses.
For example you could allow TCP/80 with the following rule in your current ACL
access-list INBOUND permit tcp any object SERVER eq 80
Let me know if I understood your requirements wrong.
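As an added example that is not part of Jouni's answer or the original poster's configuration, the following shows the identity-NAT pattern the answer describes (source object repeated, destination parameters present) beside the Auto NAT form it recommends, followed by the commands used to verify the result. The addresses (192.168.1.10 for the inside server, 203.0.113.0/28 standing in for the public block so .217 is the mapped address, 198.51.100.5 as an outside test client) and the object names VMSERVER and OUTSIDE-ANY are assumptions; substitute the real values.

```cisco
! --- The pattern the answer warns about: a manual (twice) NAT rule that lists
! --- the same object for real and mapped source. This is identity NAT: the
! --- server keeps 192.168.1.10 toward any outside host and no public address
! --- is ever mapped to it. Names and addresses are illustrative only.
object network VMSERVER
 host 192.168.1.10
object network OUTSIDE-ANY
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE-ANY OUTSIDE-ANY

! --- Corrected: Auto NAT (network object NAT), a static one-to-one mapping.
! --- Remove the manual rule first: manual NAT in section 1 is evaluated before
! --- Auto NAT in section 2, so a leftover identity rule would still win.
no nat (inside,outside) source static VMSERVER VMSERVER destination static OUTSIDE-ANY OUTSIDE-ANY
object network VMSERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.217

! --- 8.3+ ACLs reference the REAL (pre-NAT) address, i.e. the object, not
! --- .217. Prefer a named source object over "any" when the peers are known.
access-list INBOUND extended permit tcp any object VMSERVER eq 8080
access-group INBOUND in interface outside

! --- Verification: rule order and hit counters, the active translation,
! --- a simulated inbound connection, and a live capture on the outside leg.
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.217 8080 detailed
capture CAP interface outside match tcp any host 203.0.113.217 eq 8080
show capture CAP
```

Two caveats worth checking once this is in place. A static Auto NAT is bidirectional, so the server's own outbound connections (the voicemail-to-email traffic) will now leave sourced from 203.0.113.217 rather than the interface PAT address; if the mail provider filters by source IP, that is the address it must allow. The ASA answers ARP for a mapped address that sits inside the outside interface's subnet, so no static route for .217 is needed and one should not be added. A packet-tracer result of ALLOW only proves the ASA policy; if a real client still cannot connect, `show xlate` and the capture during a live attempt show whether the SYN reaches the outside interface and is un-translated to 192.168.1.10, which separates an ASA problem from a problem on the server or the upstream path.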
Thanks for your reply, Jouni. I recently read your post on ASA NAT 8.3+. It was very interesting, but I have some difficulty grasping distinctions between types.
I tried the configuration you recommended, though it did not resolve my problem. I will upload the entire configuration - there may be something else preventing access to the server. I have confirmed that the ports I need open are open on the internal network. They just don't seem to be available from outside.
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 856605, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Actually using a browser and port 8080, no access...