10-28-2010 01:12 AM - edited 03-11-2019 12:01 PM
Hi all:
I'm trying to configure a static NAT on an ASA 5540 (8.2). I want anyone to be able to access the server through DNS (TCP & UDP).
My config is as follows:
static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 1.1.1.1 eq domain
access-list outside extended permit udp any host 1.1.1.1 eq domain
access-group inside in interface diba
access-group outside in interface outside
When I launch a packet-tracer simulating a request from the internet to the server through TCP domain, it seems the implicit rule is dropping the rule. I attach the packet-tracer output. Nat-control is enabled.
Any ideas?
Thanks so much,
Francisco
10-28-2010 02:06 AM
Francisco
What is the "diba" interface? Is that where the 192.168.209.3 server is reached from?
If so you need your static to be -
static (diba,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255
Jon
10-28-2010 02:10 AM
Sorry, it was a mistake; diba is the inside interface:
access-group inside in interface inside
access-group outside in interface outside
Inside is where the server is allocated.
10-28-2010 04:19 AM
Hi Francisco,
Can you check to make sure the security levels on the interfaces aren't the same, or post a "show nameif", just in case you are suffering from CSCsz50714.
Thx
Frank
10-28-2010 05:56 AM
Thank you, Frank Vo. I'll enter the command on the ASA and I'll tell you the result.
11-02-2010 01:55 AM
Hello
It seems it didn't work. The same problem as before.
I don't understand what the problem is. I thought this config wasn't difficult!
If anyone has any idea...
Thanks
11-02-2010 04:21 AM
Problem fixed. I configured a higher security level on the inside interface than on the outside and it works.
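An offline check for the two things this thread examined (an access-group bound to an interface name that is not defined, and a static NAT between interfaces that share a security level), added here as an example and not posted by any participant. The interface stanzas in the sample are constructed; the check assumes the usual ASA behaviour that traffic between same-security interfaces is blocked unless `same-security-traffic permit inter-interface` is configured.

```python
import re

# Constructed sample: the interface stanzas are assumed; the static and
# access-group lines are the ones posted in the thread.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 0
static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255
access-group inside in interface diba
access-group outside in interface outside
"""

def parse_levels(cfg):
    """Return {nameif: security-level} from the interface stanzas."""
    levels, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None                      # new stanza, forget the old nameif
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def lint(cfg):
    """Return a list of findings for access-group and static lines."""
    levels = parse_levels(cfg)
    lines = cfg.splitlines()
    same_ok = any(l.strip() == "same-security-traffic permit inter-interface" for l in lines)
    findings = []
    for line in lines:
        if m := re.match(r"access-group (\S+) in interface (\S+)", line):
            if m.group(2) not in levels:
                findings.append(f"access-group {m.group(1)}: no interface named {m.group(2)}")
        elif m := re.match(r"static \(([^,\s]+),([^)\s]+)\)", line):
            real, mapped = m.groups()
            unknown = [i for i in (real, mapped) if i not in levels]
            if unknown:
                findings.append(f"static: no interface named {unknown[0]}")
            elif levels[real] == levels[mapped] and not same_ok:
                findings.append(f"static: {real} and {mapped} share security-level {levels[real]}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```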