Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

one-to-one NAT problems ASA5505

Hello everyone

I am having some problems trying to set up a simple one-to-one NAT between a public IP and a DMZ server. I've spent a number of hours staring at this problem and I'm hoping one of you can spot whatever I have missed.

The ASA has 4 interfaces. Inside, Outside, DMZ and Guest. NAT wont work with the Outside interface for some reason. When choosing (DMZ, Inside) it works perfectly fine.

The inside host is running static IP 192.168.50.200 with subnet 255.255.255.0 and gateway 192.168.50.1.

The one im having problems with is has the object name of DMZ_Test

The Config:

!

interface Vlan1

nameif inside

security-level 100

ip address 10.95.80.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 212.116.83.142 255.255.255.128

!

interface Vlan5

nameif dmz

security-level 50

ip address 192.168.50.1 255.255.255.0

!

interface Vlan15

nameif Guests

security-level 25

ip address 172.16.0.1 255.255.255.0

same-security-traffic permit intra-interface

object network HexMet-mail

host 10.136.0.20

description IP mappning mellan ext - int addr 

object network ftp_hexmet_39

host 192.168.50.39

description Ftp hexmet se 

object network web_ftp_34

host 192.168.50.34

object network web_ftp_35

host 192.168.50.35

object network web_ftp_36

host 192.168.50.36

object network web_ftp_37

host 192.168.50.37

object network web_info_38

host 192.168.50.38

description Info webb on Etunawebb 

object network VC

host 10.95.80.31

description Videokonferans 

object network 172-net

subnet 172.16.0.0 255.240.0.0

object network 192-net

subnet 192.168.0.0 255.255.0.0

object network Guest-net

subnet 172.16.0.0 255.255.255.0

object service udp8000

service udp destination eq 8000

object network dmz-net

subnet 192.168.50.0 255.255.255.0

object network DMZ_Test

host 192.168.50.200

description test

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq www

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq www

object-group service DM_INLINE_TCP_3 tcp

port-object eq ftp

port-object eq www

object-group service DM_INLINE_TCP_4 tcp

port-object eq ftp

port-object eq www

object-group network DM_INLINE_NETWORK_1

network-object 10.95.80.0 255.255.255.0

network-object 192.168.50.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

object-group network all_private-net

network-object object HM-Supernet

network-object object 172-net

network-object object 192-net

object-group service 1718-1720 tcp-udp

description För VC-konferensanläggning

port-object range 1718 1720

object-group service DM_INLINE_SERVICE_2

service-object tcp

service-object tcp destination eq ftp

object-group service 30000_30039 tcp-udp

description För VC-konferensanläggning

port-object range 30000 30039

object-group service DM_INLINE_TCPUDP_1 tcp-udp

group-object 1718-1720

group-object 30000_30039

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service VCManagement tcp-udp

port-object eq 3601

port-object eq www

port-object eq 443

access-list outside_access_in extended permit icmp any4 any4 echo-reply

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any4 object VC object-group DM_INLINE_TCPUDP_1

access-list outside_access_in extended permit tcp any4 object web_ftp_34 object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit tcp any4 object web_ftp_35 object-group DM_INLINE_TCP_3

access-list outside_access_in extended permit tcp any4 object web_ftp_36 object-group DM_INLINE_TCP_4

access-list outside_access_in extended permit tcp any4 object web_ftp_37 object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any4 object web_info_38 eq www

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any4 object ftp_hexmet_39

access-list outside_access_in extended permit ip host 213.174.82.53 10.95.80.0 255.255.255.0

access-list outside_access_in extended permit ip any object DMZ_Test

access-list inside_access_in extended permit icmp any4 any4 echo-reply inactive

access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 object-group VPN_SITE_TO_SITE

access-list inside_access_in extended permit ip 10.95.80.0 255.255.255.0 any4

access-list inside_access_in extended permit ip object VPN_STAFF object HM_Gothenburg

access-list inside_access_in remark For Hitcount

access-list inside_access_in extended deny ip any4 any4

access-list dmz_access_in extended permit ip 192.168.50.0 255.255.255.0 any4

access-list Guests_access_in extended deny ip 172.16.0.0 255.255.255.0 object-group all_private-net

access-list Guests_access_in extended permit ip any4 any4

!

object network HexMet-mail

nat (any,any) static 212.116.83.153

object network ftp_hexmet_39

nat (dmz,outside) static 212.116.83.176

object network web_ftp_34

nat (dmz,outside) static 212.116.83.173

object network web_ftp_35

nat (dmz,outside) static 212.116.83.174

object network web_ftp_36

nat (any,any) static 212.116.83.155

object network web_ftp_37

nat (any,any) static 212.116.83.154

object network web_info_38

nat (dmz,outside) static 212.116.83.162

object network VC

nat (any,any) static 212.116.83.178

object network DMZ_Test

nat (dmz,outside) static 212.116.83.180

!

nat (inside,outside) after-auto source dynamic any interface

nat (Guests,outside) after-auto source dynamic Guest-net interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

access-group Guests_access_in in interface Guests

!

All suggestions are most welcome.

Best Regards

3 REPLIES

one-to-one NAT problems ASA5505

Hi Peter,

Did you solve this problem? I tried your config witch GNS and it seem OK to me.

Did you try packet-tracer feature on your ASA?

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
New Member

one-to-one NAT problems ASA5505

Hello

I've looked into the issue some more during the weekend. The config seems to be correct, the real problem is when I try to do changes in an existing NAT, or use public IPs that has previosly been natted.

I redid the NAT using another public IP that has never been natted before and that worked with the same host and internal IP, but now I cant use the 212.116.83.180 on a new NAT.

It's almost like the external IPs gets locked up somehow and are unusable even after the original NAT is removed.

Another funny thing is that packet-trace doesnt produce any errors, even though the NAT isnt working properly.

So I'm not sure what the real problem is, if this is a bug in the OS or if theres a need to somehow clear the config even though the NATs are removed.

Best Regards

one-to-one NAT problems ASA5505

Hi Peter,

I would suggest to move this thread to firewall section. There are guys who work with these type of problems on daily basis and surely someone will help you.

My knowledge of ASA is not deep enough to give to any better advice.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
464
Views
0
Helpful
3
Replies
CreatePlease login to create content