Static NAT not working

Hi all:

I'm trying to configure a static NAT on an ASA 5540 (8.2). I want anyone to be able to access the server through DNS (TCP & UDP).

My config is as follows:

static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255

access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host 1.1.1.1 eq domain
access-list outside extended permit udp any host 1.1.1.1 eq domain

access-group inside in interface diba
access-group outside in interface outside

When I launch a packet-trace simulating a request from the internet to the server through TCP domain, it seems the implicit rule is dropping the rule. I attach the packet-tracer output. Nat-control is enabled.

Any ideas?

Thanks so much,

Francisco

6 REPLIES

Re: Static NAT not working

Francisco

What is the "diba" interface? Is that where the 192.168.209.3 server is reached from?

If so you need your static to be -

static (diba,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255

Jon

Re: Static NAT not working

Sorry, it was a mistake, diba is the inside interface:

access-group inside in interface inside
access-group outside in interface outside

Inside is where the server is allocated.


Re: Static NAT not working

Hi Francisco,

Can you check to make sure the security levels on the interfaces aren't the same, or post a "show nameif", just in case you are suffering from CSCsz50714.

Thx

Frank

Re: Static NAT not working

Thank you Frank Vo. I'll introduce the command on the ASA and I'll tell you the result.

Re: Static NAT not working

Hello

It seems it didn't work. The same problem as before.

I don't understand what the problem is, I thought this config wasn't difficult!

If anyone has any idea...

Thanks

Re: Static NAT not working

Problem fixed. I configured a higher security level on the inside interface than on the outside and it works.
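
The checks suggested in this thread, written as an added example (not code from any poster or from Cisco): a small Python script that parses "show nameif" output and flags static lines whose interface name is not defined (the "diba" mix-up) or whose real interface does not have a higher security level than the mapped one (the condition the last post fixed). The sample "show nameif" output, its security levels and the dmz line are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the thread); the security levels are assumed.
SHOW_NAMEIF = """\
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                     0
"""
CONFIG = """\
static (inside,outside) 1.1.1.1 192.168.209.3 netmask 255.255.255.255
static (dmz,outside) 1.1.1.2 192.168.210.3 netmask 255.255.255.255
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)")


def parse_nameif(text):
    """Return {nameif: security_level} parsed from 'show nameif' output."""
    levels = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows have three columns ending in a number; the header does not.
        if len(parts) == 3 and parts[2].isdigit():
            levels[parts[1]] = int(parts[2])
    return levels


def audit_statics(config, levels):
    """Return (line, reason) for each static NAT line that needs review."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        real_if, mapped_if = m.group(1), m.group(2)
        missing = [n for n in (real_if, mapped_if) if n not in levels]
        if missing:
            findings.append((line, f"interface name not defined: {missing[0]}"))
        elif levels[real_if] <= levels[mapped_if]:
            findings.append((line, f"{real_if} ({levels[real_if]}) is not higher "
                                   f"than {mapped_if} ({levels[mapped_if]})"))
    return findings


if __name__ == "__main__":
    for line, reason in audit_statics(CONFIG, parse_nameif(SHOW_NAMEIF)):
        print(f"{reason}: {line}")
```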
