Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

help static nat on ASA5510

Dear Cisco!

We have network topology                         Inside Netwrok (172.168.1.0/27) --- ASA5510----- Outside network (192.168.10.0/24)

ASA5510 have: Inside interface: 172.168.1.30/27; outside interface: 192.168.10.254

And we config:

# object network obj_inside

# subnet 172.168.1.0 255.255.255.224

# nat (inside,outside) dynamic interface

# object network obj_srv    

# host 172.168.1.1

# nat (inside,outside) static 192.168.10.10 service tcp www www

# access-list outside_in extended permit tcp any host 172.168.1.1 eq 80

# access-group outside_in in interface outside

So, we í in from outside, we can't access web at 192.168.10.10?

Could you please help us config this situation?

Thanks!

Everyone's tags (4)
3 REPLIES

help static nat on ASA5510

Hello Tran,

Do the following:

object network 192.168.10.10

host 192.168.10.10

object service HTTP

service tcp source eq 80

nat (inside,outside) 1 source static obj_srv  192.168.10.10 service HTTP HTTP

Regards,

Rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

help static nat on ASA5510

Dear Jcarvaja!

We try config same you said.

: Saved

: Written by cisco at 23:51:41.749 UTC Sun Aug 26 2012

!

ASA Version 8.4(2)

!

hostname ASA84

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.168.1.30 255.255.255.224

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 192.168.10.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

object network obj_inside

subnet 172.168.1.0 255.255.255.224

object network obj_websrv

host 172.168.1.1

object network obj_websrv_map

host 192.168.10.10

object service HTTP

service tcp source eq www

object service TELNET

service tcp source eq telnet

access-list outside_access_in remark web

access-list outside_access_in extended permit object HTTP any object obj_websrv

access-list outside_access_in remark telnet

access-list outside_access_in extended permit object TELNET any object obj_websrv

access-list outside_in extended permit object TELNET any object obj_websrv_map

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj_websrv obj_websrv_map service HTTP HTTP

nat (inside,outside) source static obj_websrv obj_websrv_map service TELNET TELNET

!

object network obj_inside

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username cisco password 3USUcOPFUiMCO4Jk encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:95c89977b58cece71e602943c945c150

and from Pc with address 192.168.10.20, in outside zone we can't access webserver with ip map: 192.168.10.10?

Could you help us check this problem?

Thanks!

help static nat on ASA5510

Hello Tran,

The ACL is wrong

Changed to this:

access-list  outside_access_in line 1 permit tcp any host  172.168.1.1 eq 80

Regards,

Julio

Remember to rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
567
Views
0
Helpful
3
Replies
CreatePlease to create content