Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Help with IIS PAT for ASA5510

Ok I am pretty new to CISCO configuration. We recently bought an ASA so that we can secure an IIS server behind it. The IIS Server will be doing http and https. I guess I want to do a static nat to nat the outside fixed IP of the website to an internal address. (I think in CISCO terms it's called a PAT) I am just looking for someone to tell me if I configured it correctly? I think I am very close. The thing I think is wrong is for somereason the global (exernal) and nat (internal) for some reason are labeled 101? Should that be changed to something different? Any help you would provide would be sorely appreciated from a newbie like me. I think I am close, but only a trained eye could tell me how close.

Thanks in advance!

ASA Version 8.2(5)
hostname ciscoasa

interface Ethernet0/0
nameif External
security-level 0
ip address (External WEBSITE FIXEDIP)
interface Ethernet0/1
nameif Internal
security-level 100
interface Ethernet0/2
no nameif
no security-level
no ip address
interface Ethernet0/3
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address
ftp mode passive
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq www
access-list External_access_in extended permit tcp any host (EXTERNAL FIXED IP) eq https
pager lines 24
logging asdm informational
mtu management 1500
mtu External 1500
mtu Internal 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (External) 101 interface
nat (Internal) 101
static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask
static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask
access-group External_access_in in interface External
route External (EXTERNAL GATWAY IP OF ISP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context

Super Bronze

Re: Help with IIS PAT for ASA5510


The "global" and "nat" configuration simply match the source addresses/subnets for the Dynamic NAT or PAT. The ID number used there doesnt really matter in your case.

The type of NAT you ha ve done for the server is called Static PAT

The configuration is otherwise fine but your missing the "https" after the "interface" parameter.

Are you saying that connections from the External network aren't working?

Naturally with HTTPS the problem might be that the ASA uses that port for ASDM GUI management connections. If you want to change the default port of ASDM Management connections you can use the command

http server enable

This should leave the port TCP/443 usable for other purposes on your "External" interface. Though I have to say that I am not sure is there any overlap at the moment. You have not enabled any ASDM management on the "External" interface.

You can also use the "packet-tracer" command to simulate a packet incoming from the External network towards your public IP address on certain port. This will usually tell you if the configurations on the ASA are OK and if the traffic/connections is allowed.

You could use for example

packet-tracer input External tcp 12345 80

packet-tracer input External tcp 12345 443

Hope this helps

- Jouni

New Member

Help with IIS PAT for ASA5510

I haven't rolled it out as of yet, I am just trying to see if I got it configured correctly? I am hoping to roll it out and not have to fiddle with it.(as that I really don't have the expertise.)

where do I need the "https" after the "interface" ?

I really don't want any management enabled on my external interface. (only internal and management port mgt access.) Thus I didn't enable on the external port? Will this conflict with my planned configuration?

Thanks for your help!

Super Bronze

Re: Help with IIS PAT for ASA5510


I only meant that you have a typo in the other Static PAT configurations.

This is the above configuration

static (Internal,External) tcp interface www (INTERNAL IIS SERVER IP) www netmask

static (Internal,External) tcp interface (INTERNAL IIS SERVER IP) https netmask

The Static PAT for the port TCP/443 is lacking the "https" after the "interface" parameter. But as the ASA would not accept the command in its current form I am sure you would notice it eventually.

static (Internal,External) tcp interface https (INTERNAL IIS SERVER IP) https netmask

In general the configuration seems ok to me and should work.

  • Interfaces configured and enabled
  • Default route configured
  • Dynamic PAT and Static PAT configured for Internal users
  • Access-list configured and attached to the External interface

- Jouni

CreatePlease to create content