Cisco Support Community


static nat not working.

Hi,

I have run into problems configuring static NAT on an ASA5510-K8 running software version 7.0(6).

Hope I can solve it with a little help from the experts in here.

I have a public subnet available.

First IP is in use by the router

Second IP is used for the ASA

I want to use the 5th (3rd and 4th in use by other hosts) to static NAT to an inside host (https).

But though configured, it does not work.

This is part of my configuration.

ASA Version 7.0(6)

!

names

name 10.1.1.17 W2K-CXW-HRN

name 10.1.1.12 Esafe

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xx.xx.62.34 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.254.2 255.255.0.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host xx.xx.62.37 eq https

access-list outside_access_in extended deny ip any any log

access-list inside_access_in extended permit icmp any any echo log

access-list inside_access_in extended permit icmp any any echo-reply log

access-list inside_access_in extended permit udp 10.1.0.0 255.255.0.0 any eq domain

access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 any eq ftp

access-list inside_access_in extended permit tcp host Esafe any eq smtp

access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 any eq pptp

access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 any eq 3389

access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 any eq www

access-list inside_access_in extended permit tcp 10.1.0.0 255.255.0.0 any eq https

asdm image disk0:/asdm506.bin

nat-control

global (outside) 10 interface

nat (inside) 10 10.1.0.0 255.255.0.0

static (inside,outside) tcp 217.166.62.37 https W2K-CXW-HRN https netmask 255.255.255.255

static (inside,outside) tcp interface smtp Esafe smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 xx.xx.62.33 1

Did I make an obvious mistake?

6 REPLIES

Re: static nat not working.

Looks good. Have you done a "clear xlate" after changing or adding the static NAT?

Take care: this will reset all sessions.

Sincerely

Patrick


Re: static nat not working.

Yes, I tried "clear xlate", but the problem remained.

I wonder if it is a problem with 7.0(6) software.

Michael


Re: static nat not working.

Hello,

I have the same problems with ASA 5510 version 7.2(1).

I have opened a TAC service request and I'm waiting for a response.

I will post as soon as I have the solution.

Best regards


Re: static nat not working.

I also opened a TAC case.

Wasted another day trying to fix this.

Will post progress in here.

Regards

Re: static nat not working.

In the meantime, you can try to do basic config without using alias or name to represent the server - use IP instead.

Also, on the static command, use direct translation without using 'port-redirection' mapping. For example:

access-list outside_access_in extended permit icmp any host xx.xx.62.37 --> testing purposes, remove after testing.

access-list outside_access_in extended permit tcp any host xx.xx.62.37 eq https

static (inside,outside) 217.166.62.37 10.1.1.17 netmask 255.255.255.255

*Use a ping test to ensure the host is reachable from outside.

*Check the ACL using 'sh access-list outside_access_in' to verify the incoming traffic hit count.

This can help you to eliminate 'feature' related issues, like using a name instead of an IP, and direct mapping instead of the 'port redirection' format. I used to do this when I first configured the firewall. Once everything was confirmed working fine, only then did I use the 'fancy' features.

If it's really caused by a bug, the above should not work either. But it's worth a try.

HTH

AK
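A small checker in the spirit of AK's advice, as an added example that is not from the thread: it parses an ASA 7.x-style config, resolves name aliases and the `interface` keyword, and reports whether each static's mapped address and port has a matching permit on the ACL bound to the outside interface. The sample config and its public addresses are constructed; the checker only understands 'host'/'interface' destinations with 'eq <port>', which is an assumption about scope.

```python
import re

# Constructed sample shaped like the ASA 7.x config in the thread (name
# aliases, port-redirection statics, outside ACL); the public addresses are
# documentation-range placeholders, not the poster's real ones.
SAMPLE_CONFIG = """\
name 10.1.1.17 W2K-CXW-HRN
name 10.1.1.12 Esafe
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.34 255.255.255.248
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.37 eq https
static (inside,outside) tcp 203.0.113.37 https W2K-CXW-HRN https netmask 255.255.255.255
static (inside,outside) tcp interface smtp Esafe smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.38 3389 10.1.1.20 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) \S+ (host|interface) (\S+) eq (\S+)")

def check_statics(config):
    """Return {proto/mapped_ip:port: finding} for each static, seen from outside.
    Assumes permits are 'host'/'interface' destinations with 'eq <port>' only."""
    names, ifaces, statics, permits, bound, cur = {}, {}, [], {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"^name (\S+) (\S+)", line):
            names[m[2]] = m[1]                      # alias -> real IP
        elif m := re.match(r"^\s+nameif (\S+)", line):
            cur = m[1]                              # interface being defined
        elif m := re.match(r"^\s+ip address (\S+) ", line):
            ifaces[cur] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):               # 'interface X' -> X's own IP
            ip = ifaces.get(m[4]) if m[3] == "interface" else m[4]
            permits.setdefault(m[1], set()).add((m[2], ip, m[5]))
        elif m := re.match(r"^access-group (\S+) in interface (\S+)", line):
            bound[m[2]] = m[1]                      # interface -> bound ACL
    allowed = permits.get(bound.get("outside"), set())
    findings = {}
    for mapped_if, proto, mip, mport, rip, rport in statics:
        mapped_ip = ifaces.get(mapped_if) if mip == "interface" else mip
        key = f"{proto}/{mapped_ip}:{mport}"
        if (proto, mapped_ip, mport) in allowed:    # port tokens compared as written
            findings[key] = f"ok -> {names.get(rip, rip)}:{rport}"
        else:
            findings[key] = "no inbound permit on the outside ACL"
    return findings
```

On the sample, the https and smtp statics are reported as permitted with their real hosts resolved, while the 3389 static on .38 is flagged because nothing on outside_access_in lets it in.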


Re: static nat not working.

I am having this same issue with 7.2(1) on a 515E. I tried to create access-lists / statics in the same format as you show here, only I did not use any names... and for some reason they would not "turn on" even after clear xlate, etc. They did start to work after a bit, but I was confused for a long period.
