Static NAT not working

Hi all:

I'm trying to configure a static NAT on an ASA 5540 (8.2). I want anyone to be able to access the server through DNS (TCP & UDP).

My config is the following:

static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255

access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 1.1.1.1 eq domain
access-list outside extended permit udp any host 1.1.1.1 eq domain

access-group inside in interface diba
access-group outside in interface outside

When I launch a packet-tracer simulating a request from the internet to the server over TCP domain, it seems the implicit rule is dropping the packet. I attach the packet-tracer output. Nat-control is enabled.

Any idea?

Thanks so much,

Francisco


Jon Marshall
Hall of Fame

Francisco

What is the "diba" interface? Is that where the 192.168.209.3 server is reached from?

If so, you need your static to be:

static (diba,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255

Jon

Sorry, it was a mistake, diba is inside interface:

access-group inside in interface inside
access-group outside in interface outside

Inside is where the server is located.

Hi Francisco,

Can you check to make sure the security levels on the interfaces aren't the same, or post a "show nameif" just in case you are suffering from CSCsz50714.

Thx

Frank

Thank you Frank Vo. I'll enter the command on the ASA and tell you the result.

Hello

It seems it didn't work. The same problem as before.

I don't understand what the problem is; I thought this config wasn't difficult!

If anyone has any idea...

Thanks

Problem fixed. I configured a higher security level on the inside interface than on the outside, and it works.
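A small pre-flight check for the two pitfalls this thread ran into (an added example, not from the original posts or from Cisco): interface names in `static` and `access-group` that match no `nameif`, and a NAT interface pair left at the same security level, which the ASA drops unless same-security traffic is explicitly permitted. The sample config is constructed to reproduce the thread's "diba" typo and equal security levels.

```python
import re

# Constructed sample modelled on the thread: a typo'd nameif in access-group
# and inside/outside both at security-level 0 (the real default for a nameif
# called "inside" is 100; it is set to 0 here on purpose).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 0
static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255
access-group inside in interface diba
access-group outside in interface outside
"""

def parse_security_levels(config):
    """Return {nameif: security-level} collected from interface blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"nameif (\S+)$", line)
        if m:
            current = m.group(1)
            levels.setdefault(current, None)
            continue
        m = re.match(r"security-level (\d+)$", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels

def lint_nat_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    levels = parse_security_levels(config)
    findings = []
    for m in re.finditer(r"^static \(([^,)]+),([^,)]+)\)", config, re.M):
        real, mapped = m.groups()
        for name in (real, mapped):
            if name not in levels:
                findings.append(f"static references unknown interface '{name}'")
        if (isinstance(levels.get(real), int) and levels.get(real) == levels.get(mapped)):
            findings.append(f"interfaces {real} and {mapped} share security-level "
                            f"{levels[real]}; traffic is dropped unless "
                            "same-security-traffic permit inter-interface is set")
    for m in re.finditer(r"^access-group \S+ (?:in|out) interface (\S+)", config, re.M):
        if m.group(1) not in levels:
            findings.append(f"access-group bound to unknown interface '{m.group(1)}'")
    return findings
```

Raising the inside interface's security-level above the outside one, as Francisco did, clears the second finding; the first only goes away once the access-group names a real nameif.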
