yes before I tried that one but it also didn't work somehow and I don't know why

i think there is something missing on my nat command or maybe the access-list but don't kow
now my access-list is

access-list web_server extended permit tcp any host x.x.x.93 eq www log

access-list web_server deny ip any any log

access-group web_server in interface outside

static (inside,outside) x.x.x.93 10.0.246.5
I used one of my free public ip to nat on the public web server
via show access-list it shows that and monitoring the logs
it seems that it built a tcp connection but still I can't access the web server on my browser
via show nat it shows that it is not translated

Hi Earlge,

As it is - your last post - both access-list applied on outside and static nat are ok.

Does your web server has as a gateway the ASA ? Is it a Windows  , a Linux , or what OS does it have ?

Later edit : can you post show xlate

Dan

so my last post you mean is ok enough?
it means its already ok??
my webserver os is redhat linux
hmm gateway to asa wait when i issued route
ow i see when i vi /etc/sysconfig/network
it shows that the gateway=10.0.246.13 and it must be 10.0.246.12 right?
let me try once more
show xlate

show xlate details

Nat from inside: 10.0.246.5 to outside: X.X.X.93 flags s

by the way instead i use x.x.x.92 the interface ip of outside i used one of the free ip x.x.x.93

Post

route -n

Yes it must be 10.0.246.12

Dan

now i fixed the servers gateway but still it not work
i don't know why seeing the logs it alow the tcp connection of the outside going to inside port 80
how ever still when i issued show nat
it doesn't show translate hits always untraslated wait let me post my command here running config for the moment

ASA Version 8.2(5)

!

hostname XXXXXXX

domain-name XXXXXXXXXX

enable password XXXXXXXX. encrypted

passwd XXXXXXXX. encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.0.246.12 255.255.255.240

ospf cost 10

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

description LAN/STATE Failover Interface

!

interface GigabitEthernet0/3

nameif outside

security-level 0

ip address X.X.X.92 255.255.255.248

ospf cost 10

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

!

ftp mode passive

clock timezone PHST 8

dns server-group DefaultDNS

domain-name XXXXXXXX

access-list web_http extended permit tcp any host X.X.X.93 eq www log

access-list web_http extended deny ip any any log

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging host inside 10.0.246.6

logging host inside 10.0.246.5

logging permit-hostdown

mtu inside 1500

mtu outside 1500

mtu management 1500

ip verify reverse-path interface outside

failover

failover lan unit primary

failover lan interface failoverif GigabitEthernet0/2

failover key *****

failover link failoverif GigabitEthernet0/2

failover interface ip failoverif 192.168.2.1 255.255.255.252 standby 192.168.2.2

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no nat-control

static (inside,outside) X.X.X.93 10.0.246.5 netmask 255.255.255.255

access-group web_http in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.X.89 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet 0.0.0.0 0.0.0.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.0.246.6 source inside

ntp server 10.0.246.5 source inside

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:6f0b30e7b433d1812c28623d218cc552

: end

First when you used the interface IP as nat the problem was :  http server enable. So if you want to use the interface IP you will have to disable the http server or change the ASA's http port.

Sencond add on your configuration :

policy-map global_policy

class inspection_default

inspect http

In order to see the translations active you will have to use "show xlate".

Try again, please.

Regards

Dan

as of now I didn't use the interface ip but instead I used one of the public ip which is free on its subnet
interface ip is x.x.x.92 but i use instead x.x.x.93 then I already added the policy but still don't work

Earlge ,

You policy does not inspect http. Did you add that ?

Dan

yes I already add the inspect http sir but still there is a problem

do I still need to turn of the http server? and based on the show access-list and logs
it shows that it allows the tcp connection from the outside going to the inside however
in show nat
translate_hits=0 so it means translation is not working?

No you do not have to turn off http server.

Also post "route -n" from the server. If you only modified the "network" file, the changes didn't commit.

The hits , in order to access the server , should be in untranslate_hits.

Dan

I don't get it you mean it is ok
if my show nat result

was hitting the untranslate_hits?
and yes 10.0.246.0 network gw is 10.0.246.12 already is there something wrong with my config now? or missing? I already added the inspect http

If you have untranslate hits on show nat , it ok one way.

Please post route -n , from your server , also netstat -nlt

Dan