08-05-2009 07:57 AM - edited 03-11-2019 09:02 AM
OK, so I have a web server with an internal IP of 10.x.x.x, and it has a static NAT to the outside with a public 216.x.x.x address on the ASA. My internal hosts cannot access it via the public address, so I tried to NAT it like this:
static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255
and it did not work
so I did
alias (inside) 216.x.x.x 10.x.x.x 255.255.255.255
and I can ping it from an inside host, but still cannot access http://216.x.x.x. When I ping 216.x.x.x, it replies with the 10.x.x.x address.
if I put http://10.x.x.x it works fine
it is an ASA 5510 Security+ on 8.21
08-05-2009 08:18 AM
same-security-traffic permit intra-interface
static (inside,inside) 216.x.x.x 10.x.x.x netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0 0
08-05-2009 09:57 AM
OK, the static command works to replace the alias. I had the same-security permit intra- and inter-interface, changed the inside NAT pool from 0 to 1, and it is working: I can ping and HTTP.
Will this affect my outbound identity addresses? Like if I have a web filter outside the ASA, will it now see all traffic coming from the ASA interface instead of the identity of the client PC?
I wasn't doing any NAT overload on the ASA; there is a router from the ISP doing that from their IP pool. I was just doing identity NAT.
08-05-2009 10:16 AM
"will this affect my outbound identity addresses?"
-No. Only traffic from inside to inside is affected.
08-05-2009 10:17 AM
I spoke too soon - it broke my internet for inside hosts. I changed it back to NAT pool 0 and internet works, but of course now I can't talk to the server.
08-05-2009 10:48 AM
Post your nat/global config please.
You should be able to leave your existing nat 0 then add...
nat (inside) 1 0 0
global (inside) 1 interface
08-05-2009 11:25 AM
global (inside) 1 interface
nat (management) 0 0.0.0.0 0.0.0.0
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255
static (inside,outside) 216.x.x.x 10.17.1.45 netmask 255.255.255.255
static (inside,outside) 216.x.x.x 10.17.1.43 netmask 255.255.255.255
static (inside,outside) 216.x.x.x 10.17.1.46 netmask 255.255.255.255
static (inside,outside) 216.x.x.x 10.17.1.44 netmask 255.255.255.255
static (inside,outside) 216.x.x.x 10.17.1.33 netmask 255.255.255.255
static (inside,inside) 216.x.x.x 10.17.1.42 netmask 255.255.255.255
if I change to
nat (inside) 1 0 0
I can't get to the internet on any hosts that don't have a static. I don't really want to overload on my outside interface on the ASA because I have a FatPipe for load balancing outside the ASA and a web filter.
08-05-2009 08:47 PM
It won't take
nat (inside) 1 0 0
says 'duplicate nat entry'
08-07-2009 08:32 AM
OK, so I solved it: I just created an access list permitting IP to that server, then NATted pool 1 to that ACL. Works fine.
Thanks for all the help.
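Why the fix the thread ends on behaves as reported, as an added Python model (not from the thread, and not ASA code): with only the destination static, the on-link server answers the client directly from its 10.x address, which is the ping symptom in the first post, while source PAT limited by an ACL repairs the return path and leaves every other flow with its own source address. The addresses are constructed (203.0.113.10 stands in for 216.x.x.x), and the model assumes the client and server share the inside subnet.

```python
# Simplified model of the hairpin flow in this thread; it is not ASA code.
# Constructed addresses: PUBLIC stands in for the thread's 216.x.x.x, and the
# client, firewall interface and Internet host are made up for the example.
PUBLIC, SERVER = "203.0.113.10", "10.17.1.42"
CLIENT, ASA_INSIDE = "10.17.1.100", "10.17.1.1"
INTERNET_HOST = "198.51.100.7"


def connect(client, dialed, pat_destinations):
    """Follow one request and its reply.

    pat_destinations models the ACL bound to pool 1: flows to these dialed
    addresses are source-translated to the inside interface address; every
    other flow keeps its own source (identity NAT, pool 0).
    Assumption: client and server sit on the same inside subnet.
    """
    # Destination side of static (inside,inside): public -> real address.
    real_dst = SERVER if dialed == PUBLIC else dialed
    # Source side: PAT to the interface only when the ACL matches.
    seen_src = ASA_INSIDE if dialed in pat_destinations else client

    if seen_src == ASA_INSIDE:
        # The server answers the firewall, which reverses both translations,
        # so the client gets a reply from the address it dialed.
        reply_src = dialed
    else:
        # No source translation: the reply is addressed to the client itself.
        # From an on-link server it never crosses the firewall, so it still
        # carries the real address.
        reply_src = real_dst

    return {"server_saw": seen_src, "reply_src": reply_src,
            # A TCP client only accepts a SYN-ACK from the address it dialed.
            "tcp_ok": reply_src == dialed}


if __name__ == "__main__":
    cases = [("static only", PUBLIC, set()),
             ("static + PAT matched by ACL", PUBLIC, {PUBLIC}),
             ("Internet flow, same config", INTERNET_HOST, {PUBLIC})]
    for label, dst, acl in cases:
        print(f"{label:30} {connect(CLIENT, dst, acl)}")
```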