Create static nat rule cli

I need to create a static nat rule that allows outside requests to the inside interface using http. I also need to create an access rule for this. Can someone please explain and show me the command I need to use in asa 5500 firewall version 9.x?
Thanks!

Hi,
Do you mean that you want to create Static NAT rule where the local IP address is the actual IP address of the ASA "inside" interface?
If so then that is not possible. You wont be able to connect to the "inside" interface through another interface even when using NAT configuration.
You would have to use VPN connection to be able to connect to the "inside" interface IP address.
Otherwise you will need to connect to the ASA with using the "outside" interface IP address.
If you meant that you want to configure Static NAT for some internal host then the configuration format would be
object network STATIC
host
nat (inside,outside) static
Hope this helps
- Jouni

Similar Messages

  • Overlaping Static NAT Rule

    Hello All . I have an issue while creating NAT rule i am having the Error Overlaping Static NAT Rule
    Here is the details
    I have already configured static NAT for RDP 3389 Traffic to my host 192.168.1.128 which is working fine. (so i can RDP from outside )
    However now i want 9090 port to be translated to 3389 for another host 192.168.1.13 (so i can put 9090 port when i do the RDP to reach the .13 server )
    i am receving the Error "
    Overlaping Static NAT Rule "
    I dont understand how can it be overpaped ?
    (see screen shot )
    Please help how can i have another Rule with PAT to the Translated port in the ASA ?

    Hi,
    Seems to me that you have the ports the wrong way around in the new configuration.
    Your Original port is TCP/9090 which would mean that this would be the actual local port on the host. And you have set the Translated port as TCP/3389 which means that this is the public/mapped port.
    Considering you have a Static PAT (Port Forward) already configure for port TCP/3389 this naturally overlaps.
    So in the configuration window where you define the ports switch their places and it should be fine.
    Hope this helps
    - Jouni

  • Static NAT using access-lists?

    Hi,
    i have an ASA5520 and im having an issue with static nat configuration.
    I have an inside host, say 1.1.1.1, that i want to be accessible from the outside as address 2.2.2.2.
    This is working fine. The issue is that i have other clients who i would like to access the host using its real physical address of 1.1.1.1.
    I have got this working using nat0 as an exemption, but as there will be more clients accessing the physical address than the nat address i would like to flip this logic if possible.
    Can i create a nat rule that only matches an access list i.e. 'for clients from network x.x.x.x, use the nat from 2.2.2.2 -> 1.1.1.1' and for everyone else, dont nat?
    My Pix cli skills arent the best, but the ASDM suggests that this is possible - on the nat rules page there is a section for the untranslated source to ANY, and if i could change ANY i would but dont see how to...
    Thanks,
    Des

    Des,
    You need to create an access-list to be used with the nat 0 statement.
    access-list inside_nonat extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
    - this tells the pix/asa to NOT perform NAT for traffic going from 1.1.1.1 to 2.2.2.2
    then use NAT 0 statement:
    nat (inside) 0 access-list inside_nonat
    to permit outside users to see inside addresses without NAT, flip this logic.
    access-list outside_nonat extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    nat (outside) 0 access-list outside_nonat
    you'll also have to permit this traffic through the ACL of the outside interface.
    access-list inbound_acl extended permit ip 2.2.2.2 255.255.255.255 1.1.1.1 255.255.255.255
    - Brandon

  • How to configure Multiple static NATs

    Hi,
    I am trying to configure a Cisco 871 router.
    I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
    I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
    I can access those servers internally using the public IPs but not from outside the network. A tracroute from outside the network gets dropped when it gets to my ISP.
    I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
    Thanks in advance for any help.

    You can execute multiple apply processes ( parallel parameter ). It is pretty much scalable.
    There is one thing why 2 propagate processes can be helpfull: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
    For maitainence point of view one propagation and one apply is better
    Regards,
    SergeR

  • NAT 8.6 multiple subnets in a single static NAT

    Hello all, I have this question, probably pretty an easy to answer, but unfortunately I can't test it myself in a production environment right now.
    Do you know if is possible to have in ASA 8.6 a Static NAT rule with multiple subnets in both object groups. I currently have one to one subnet translation, but I need to add another two subnets.
    Today's configuration is this
    *** FROM ONE SUBNET TO ANOTHER ***
    object-group network REGIONAL-SOURCE
    network-object 10.1.1.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.201.0 255.255.255.0
    nat (Outside,Inside) after-auto source static REGIONAL-SOURCE REGIONAL-NAT dns
    What I need to accomplish is add two new subnets, but I want to see if is possible to do it using the same NAT rule, just adding the new 2 subnets.
    10.1.2.0/24 natted to 10.1.202.0 255.255.255.0
    10.1.3.0/24 natted to 10.1.203.0 255.255.255.0
    *** TWO MORE SUBNETS ARE NEEDED ***
    object-group network REGIONAL-SOURCE
    network-object 10.1.2.0 255.255.255.0
    network-object 10.1.3.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.202.0 255.255.255.0
    network-object 10.1.203.0 255.255.255.0
    If this is not possible I understand separate objects should be created with individual nat, I appreciate your comments and help.

    Hi,
    This should be no problem. It should work as you have thought.
    I tested the configurations on my own ASA
    object-group network REGIONAL-SOURCE
    network-object 10.1.1.0 255.255.255.0
    network-object 10.1.2.0 255.255.255.0
    network-object 10.1.3.0 255.255.255.0
    object-group network REGIONAL-NAT
    network-object 10.1.201.0 255.255.255.0
    network-object 10.1.202.0 255.255.255.0
    network-object 10.1.203.0 255.255.255.0
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Here at the results of the "packet-tracer" to show the translations
    ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.1.100/12345 to 10.1.201.100/12345
    ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.2.100/12345 to 10.1.202.100/12345
    ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
    Additional Information:
    Static translate 10.1.3.100/12345 to 10.1.203.100/12345
    As you can see, everything is fine
    Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • ASA 8.2 - Static NAT and Dynamic NAT Policy together

    Hello community,
    I have the following problem using a ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
    Thanks for your reply and help!

    Hello community,
    I have the following problem using a ASA with version 8.2.
    1) I have this segment on interface Ethernet 0/0: 192.168.1.0/24
    2) Through interface Ethernet 0/1 I will reach several servers using the same source IP, but other servers must be reached using only one IP, for example 192.168.1.70
    so, I have configured a Static NAT Rule from interface Ethernet0/0 to interface Ethernet 0/1 which NAT the source IPs to the same IPs: 192.168.1.0/24->192.168.1.0/24. Also I have configured a Dynamic NAT Policy that states when destination IP is "server list" then all the source IPs must be translated to 192.168.1.70.
    PROBLEM: when testing it...always the static wins....and Dynamic is never analyzed...Also, no priority for the NAT policy and NAT rules can be done on ASDM...what can I do? is there a way to do this on ASDM or CLI? (preferrely at ASDM)
    Thanks for your reply and help!

  • Static NAT Pre 8.3 ASA no untranlate hits

    Hello all---
    Having an issue w a pre 8.3 ASA static NAT.   The intention is to static nat an antivirus server hanging off our DMZ interface on the ASA- that address being 192.168.255.2….. to one of our public IP address (for the sake of this forum) 44.44.44.44.  The ASA DMZ interface is 192.168.255.1.
    I’ve configured the static NAT rule and the access ACLs on both the outside interface and dmz interface. For the sake of testing, I used just IP as the service –will restrict it later w the correct service ports once I know it’s working- and for now just have a windows laptop acting as the server for testing.
    What I’m seeing is incrementing translate hits, but no untranslated hits at all when performing the command:   show nat dmz outside 192.168.255.2 255.255.255.255
    match ip dmz host 192.168.255.2 outside any
        static translation to 44.44.44.44
        translate_hits = 549, untranslate_hits = 0
      match ip dmz any outside any
        no translation group, implicit deny
        policy_hits = 170905
    Also, I see no hits at all on the acl for the outside interface when trying to do a ping or telnet to ports running on the laptop\server.
    So, it’s obviously translating out- to the public, but not from the public in to the private. Almost like it’s not reaching that public IP. We have other publics we translate to for other services…..with no issue
    Here’s the pertinent lines – pretty simple at this point.
    Outside Interface ACL
    access-list acl_out line 48 extended permit ip any host 44.44.44.44
    DMZ interface ACL
     access-list dmz_access_in line 3 extended permit ip any any
    NAT Statement on DMZ interface
    static (dmz,outside)  44.44.44.44 192.168.255.2 netmask 255.255.255.255
    Any help or clarification is appreciated……   thanks   Dennis…

    Try seeing what the ASA is doing with the return traffic using packet tracer utility as follows:
    packet-tracer input outside tcp 8.8.8.8 1025 44.44.44.44 23
    ...substituting the actual public NAT address for the 44.44.44.44 of course. (If you were using 8.3+ you would specify the real end host IP address.)
    Here's a link to the command reference for more details.

  • Static nat configuration help

    Hi,
    I have the following setup that i am tasked with creating static nat for and i am a little lost with getting the correct nat working.
    Here is the setup:
    Internal servers behind firewall 192.168.1.0/24
    Firewall external interface is 192.168.5.36
    Firewall external interface is connected to inside gig0/0 interface on cisco router.
    cisco router currently, it has a sub interface g0/0.5 with ip 192.168.5.41.
    on the outside cisco interface, serial1/0 is an ip, 10.1.2.3.
    Beyond serial1/0 are multiple remote hosts, such as...
    10.8.10.5
    10.20.10.16
    10.20.12.12
    these are remotely managed by another company.
    Now, for the static nat, we want to do the following:
    translate 192.168.5.66 -> 10.8.10.5
    translate 192.168.5.67 -> 10.20.10.16
    translate 192.168.5.68 -> 10.20.12.12
    Internal hosts behind the firewall would communicate via 192.168.5.66, 67 or 68, and the cisco router would translate these to appropriate addresses.
    Note that 192.168.5.66,67,68 don't exist as yet, my understanding (which is possibly wrong) is that once nat is correctly setup they will just work and the cisco router will do the translations.
    I've tried some different scenarios with ip nat inside, ip nat outside and nvi (Cisco IOS is 12.4(11)XW3) but am failing to get proper translation happening.
    Most examples i've seen involve the internal "to be translated" address actually being an internal server, not something that gets configured on the cisco router by a nat translation.
    Is this possible?
    or have i got it completely wrong? i.e .should the addresses 192.168.5.66,67,68 be configured somewhere?
    Thanks in advance,
    Regards,
    Les

    Michael,
    Thanks for your reply, i had seen that doc before, but it wasn't enough to get things working for me. Most of the examples i have seen were similar to this, and involved nat where an internal host address was being nat'ed. In my case, the address to nat didn't exist on an internal host and to translate correctly i needed to define both and inside source static and an identical outside source static entry. I also had to change which interface was outside and inside.
    i.e.
    int g0/0.5
    ip nat outside
    int serial1/0
    ip nat inside
    ip nat inside source static 10.8.10.5 192.168.5.66
    ip nat outside source static 10.8.10.5 192.168.5.66
    with that config my translation table looked like...
    #sh ip nat tra
    Pro Inside global      Inside local       Outside local      Outside global
    ---   ---                           ---                        192.168.5.66     10.8.10.5
    --- 192.168.5.66     10.8.10.5        ---                         ---
    And debug ip nat detailed showed correct translations happening:
    # ping from 192.168.5.36
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]    
    Sep  4 06:18:07.807: NAT*: o: icmp (192.168.5.36, 8494) -> (192.168.5.66, 8494) [43]
    Sep  4 06:18:07.807: NAT*: s=192.168.5.36, d=192.168.5.66->10.8.10.5 [43]
    if i had only an inside source static address then the translations never happened.
    So i have a working config now.
    Regards,
    Les

  • Sort order from NAT rules via CLI

    Hi all,
    im a newbie here and i have my first question. Hope you can help me to find a solution.
    Is there a way to change the order of NAT statements via CLI in Cisco ASA IOS 9.1 ?
    By ASDM i can change the order and bring them up and down to the place where i must have them, but i found no way to do this via CLI.
    Any Ideas?
    Greetings from germany
    Marco

    You would need to remove the NAT statements and then re-add them in the order you want them to appear.  The ASDM does it the same way but makes it easier by you just having to move the NAT rule to where you want it and apply...the ASDM does the rest.  If you set your ASDM to show the commands before they are applied you will see how the ASDM does this.  The setting is under Tool > Preferences and select Preview commands before sending them to the device
    Please remember to select a correct answer and rate helpful posts

  • ASA 5505 NAT rules blocking inside traffic

    Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a  different outside network, but every time we get that far our internal network crashes.  Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to  the workstations is being blocked by the default implicit rule under the access rule heading  that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to  the servers is being allowed though. In an effort to start over again, the Cisco ASA has been  Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the   inside network, since  most of our equipment will always be assigned statics. We reset our static NAT policies, and  seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. Any help will be greatly appreciated.
    Embarq :          Network                                      xxx.xxx.180.104
    Gateway:                                                             xxx.xxx.180.105
    Subnet Mask:                                                     255.255.255.248
    Our Static IP's:                                                    xxx.xxx.180.106 to xxx.xxx.180.110
    Cisco Pix for VPN tunnels :                              xxx.xxx.180.107  outside IP
        used for DataBase Servers :                        100.1.0.2  Inside IP/ Gateway 2
    Cisco ASA 5505:                                               xxx.xxx.180.106  outside IP
        all other traffic :                                              100.1.0.1  Inside IP/ Gateway 1
    Inside Network:                                                 100.1.0.0/24
    Application Server:                                          100.1.0.115 uses Gateway 1
    BackUp AppSrvr:                                             100.1.0.116 uses Gateway 1
    DataBase Server:                                            100.1.0.113 uses Gateway 2
    BackUp DBSrvr:                                               100.1.0.114 uses Gateway 2
    Cobox/Receiver:                                               100.1.0.140
    BackUp Cobox:                                                 100.1.0.150
    Workstation 1:                                                   100.1.0.112
    Workstation 2:                                                   100.1.0.111
    Network Speaker1,2,3,4:                                 100.1.0.125 to 100.1.0.128
    Future Workstations:                                        100.1.0.0/24
    1.           Embarq Gateway feeds both Cisco Pix, and Cisco ASA. Both Ciscos feed a Dell Switch.
    2.           All inside network devices at 100.1.0.0/24 are networked into the Dell Switch.
    3.           All Workstations/Network Speakers need to be able to communicate with all four servers, and   the Cobox/Receiver.
    4.          The DataBase Servers have VPN tunnels created in the Pix for clients to be able to login  securely and edit their account info.
    5.          The App Server (100.1.0.115), and BackUp App Srvr (100.1.0.116) need to have a NAT rule  created NAT'ing them to xxx.xxx.180.109.
          A.          The xxx.xxx.180.109 NAT rule needs to allow ALL UPD traffic TO and FROM ANY outside    IP address.
          B.          The xxx.xxx.180.109 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    6.          The Cobox/Receiver (100.1.0.140) and BackUp Cobox (100.1.0.150) need to have a NAT rule created NAT'ing them to xxx.xxx.180.108
          A.          The xxx.xxx.180.108 NAT rule needs to allow UDP traffic FROM ANY Outside IP address source port 6000 or 9000 to destination port 9000
          B.           The xxx.xxx.180.108 NAT rule needs to allow ICMP traffic FROM ANY Outside IP address.
    7.          Right now the Cisco PIX is functioning and working perfectly for our VPN tunnels.
    8.         
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 100.1.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.xxx.180.106 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object icmp
    protocol-object udp
    object-group protocol DM_INLINE_PROTOCOL_5
    protocol-object icmp
    protocol-object udp
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any xxx.xxx.180.104 255.255.255.248
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 host xxx.xxx.180.108 any
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 host xxx.xxx.180.108 any
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_2 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list inside_access_allow extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list inside_nat_static extended permit udp host 100.1.0.140 eq 9000 any
    access-list inside_nat_static_1 extended permit ip host 100.1.0.115 any
    access-list inside_nat0_outbound extended permit ip 100.1.0.0 255.255.255.0 100.1.0.0 255.255.255.0
    access-list outside_nat_static extended permit udp host xxx.xxx.180.108 eq 6000 host 100.1.0.140
    access-list outside_nat_static_1 extended permit ip host xxx.xxx.180.109 host 100.1.0.115
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (inside) 1 100.1.0.3-100.1.0.254 netmask 255.0.0.0
    nat (inside) 0 access-list inside_nat0_outbound
    static (inside,outside) udp xxx.xxx.180.108 6000 access-list inside_nat_static
    static (outside,inside) udp 100.1.0.140 9000 access-list outside_nat_static
    static (inside,outside) xxx.xxx.180.109  access-list inside_nat_static_1
    static (outside,inside) 100.1.0.115  access-list outside_nat_static_1
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 100.1.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 100.1.0.5-100.1.0.15 inside
    dhcpd dns 71.0.1.211 67.235.59.242 interface inside
    dhcpd auto_config outside interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    prompt hostname context
    call-home reporting anonymous
    Cryptochecksum:52e69fa95fcffd43ed9e73df320e3a55
    : end
    no asdm history enable

    OK. Thank you very much for your help. I am going to get with the powers that be to upgrade the "Base" license in this ASA.
    In the meantime I will Close and Rate this post for now so others can get this info also.
    If we have any further issues after the upgrade, then I will open a new post.
    Thanks again. We new it was something simple. Not sure how we overlooked that, but hey we're getting somewhere now.

  • Static-nat and vpn tunnel bound traffic from same private address?

    Hi guys,
    I have site-to-site tunnel local host @192.168.0.250 and remote-host @172.16.3.3.
    For this local host @192.168.0.250, I also have a static one-to-one private to public.
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255
    As you can see, IPSec SA shows end-points in question and traffic is being decrypted but not encrypted host traffic never enter into the tunnel, why?
    How can I resolve this problem, without complicating the setup ?
    BurlingtonASA1# packet-tracer input mgmt-192 icmp 192.168.0.250 8 0 172.16.3.3
    Phase: 1
    Type: CAPTURE
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside-50
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.0.0     255.255.255.0   mgmt-192
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group mgmt_intf in interface mgmt-192
    access-list mgmt_intf extended permit icmp any any 
    access-list mgmt_intf remark *** Permit Event02 access to DMZ Intf ***
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT-EXEMPT
    Subtype: 
    Result: ALLOW
    Config:
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 host 172.16.3.3
        NAT exempt
        translate_hits = 5, untranslate_hits = 0
    Additional Information:
    Phase: 9
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    static (mgmt-192,outside-50) 216.9.50.250 192.168.0.250 netmask 255.255.255.255 
    nat-control
      match ip mgmt-192 host 192.168.0.250 outside-50 any
        static translation to 216.9.50.250
        translate_hits = 25508, untranslate_hits = 7689
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (mgmt-192,dmz2-172) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
    nat-control
      match ip mgmt-192 192.168.0.0 255.255.255.0 dmz2-172 any
        static translation to 192.168.0.0
        translate_hits = 28867754, untranslate_hits = 29774713
    Additional Information:
    Phase: 11
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 12
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 1623623685, packet dispatched to next module
    Result:
    input-interface: mgmt-192
    input-status: up
    input-line-status: up
    output-interface: outside-50
    output-status: up
    output-line-status: up
    Action: allow
    BurlingtonASA1# 
    Crypto map tag: map1, seq num: 4, local addr: 216.9.50.4
          access-list newvpn extended permit ip host 192.168.0.250 host 172.16.3.3 
          local ident (addr/mask/prot/port): (192.168.0.250/255.255.255.255/0/0)
          remote ident (addr/mask/prot/port): (172.16.3.3/255.255.255.255/0/0)
          current_peer: 216.9.62.4
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 53, #pkts decrypt: 53, #pkts verify: 53
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 216.9.50.4, remote crypto endpt.: 216.9.62.4
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 37CA63F1
          current inbound spi : 461C843C
        inbound esp sas:
          spi: 0x461C843C (1176273980)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3914997/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x003FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x37CA63F1 (936010737)
             transform: esp-aes-256 esp-sha-hmac no compression 
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 77398016, crypto-map: map1
             sa timing: remaining key lifetime (kB/sec): (3915000/25972)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x00000000 0x00000001

    Hi
    intersting VPN ACL
    object-group network DM_INLINE_NETWORK_18
         network-object YYY.YYY.YYY.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_22
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18
    Static NAT
    static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    No NAT
    object-group network DM_INLINE_NETWORK_20
    network-object UUU.UUU.UUU.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20
    VPN CLient Pool
    No pool configured as it uses the interesting traffic or protected traffic in ASDM - UUU.UUU.UUU.0 is the IP address range at the far side of the site to site VPN.
    I hope this helps
    Thanks

  • Static nat and service port groups

    I need some help with opening ports on my ASA using firmware 9.1.2.
    I read earlier today that I can create service groups and tie ports to those.  But how do I use those instead of using 'object network obj-ExchangeSever-smtp' ? 
    I have the ACL -
    access-list incoming extended permit tcp any object-group Permit-1.1.1.1 interface outside
    Can this statement
    object network obj-ExchangeSever-smtp
    nat (inside,outside) static interface service tcp smtp smtp
    reference the service port groups instead? 
    Thanks,
    Andrew

    Hi,
    Are you looking a way to group all the ports/services you need to allow from the external network to a specific server/servers?
    Well you can for example configure this kind of "object-group"
    object-group service SERVER-PORTS
    service-object tcp destination eq www
    service-object tcp destination eq ftp
    service-object tcp destination eq https
    service-object icmp echo
    access-list OUTSIDE-IN permit object-group SERVER-PORTS any object
    The above would essentially let you use a single ACL rule to allow multiple ports to a server or a group of servers. (Depending if you use an "object" or "object-group" to tell the destination address/addresses)
    I am not sure how you have configured your NAT. Are they all Static PAT (Port Forward) configurations like the one you have posted above or perhaps Static NAT configurations?
    You can use the "object network " created for the NAT configuration in the above ACL rule destination field to specify the host to which traffic will be allowed to. Using the "object" in the ACL doesnt tell the ASA the ports however. That needs to be configured in the above way or in your typical way.
    Hope this helps
    - Jouni

  • DMZ static nat!

    Hi Experts,
    I believe this everyone is doing OK and getting along with your are doing? I have this funny scenario that happened on ASA 8.4 I configured recently for DMZ static nat. See the topology attached.
    I did configure the inside with a PAT
    object network INSIDE
       subnet 192.168.200.0 255.255.255.0
       nat (inside,outside) dynamic interface
    That is working perfectly for inside to outside, So i have this server on the dmz, some edge mail server for the client that is meant for the outside world to reach. Sure enough I was happy that with the ASA 8.4 software that doing DMZ static nat I don't have to do with ACL to allow access anymore I mean I thought that has been depricated on the 8.3 and higher release.
    I went on configuring the DMZ static nat like this
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    I was happy that finally i get to feel what the new dmz config on 8.4 should feel like.....I tried pinging my dmz server from outside, no joys at all. Did all i could to do even had to cross check the internet for config samples, everything looked good. Still no joys.
    Then i though of creating an access list to permit ip from the OUTSIDE interface to the DMZ, like so,
    access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER
    Then did my pings started going through for me to reach the server.
    I don't know it feels all weird to me, since i was expecting configs 1 and 2 to get things going for me on software 8.4 not until i had to add config 3.
    Please someone should tell me I am getting it all wrong and let me know what i did wrongly!
    Thanks
    Teddy
    OK i know the first part of the situation is solved and I'm grateful to Jouni who elaborated me on it. But I have yet another pending situation that I could use a help here and really wouldn't mind been told this is where i got it all wrong.
    So finally I could reach the Server on the DMZ from outside via the static nat. Yay!!! But I have some services that needs to be reached on the mailserver on the DMZ side of the network.
    Services like:
      dns 53, 193
      smtp 25
    My question is, do i place the access list to permit these service from outside to dmz like this below ?
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
                                                                      OR THIS
    access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
    Which direction would be more appropriate to go via?
    Also from the front end mail server, If i try to ping the internet say a domain name like www.yahoo.com, it would only resolve the name but the ping are not going thru.
    Thanks for your advice in advance.
    I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
    Cheers!
    Teddy

    Hi,
    The NAT configurations seem just fine but I would configure them the Static NAT a bit differently (doesnt mean you have to though)
    What I would do is simply state the public IP address in the NAT configuration rather than configure "object network" for the public IP address too
    Your configuration is
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    My version would be
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    nat (dmz,any) static 1.1.1.2
    The simple reason for me would be keeping the "object network" amount at minimum and the fact that we dont need to reference the public IP address in any ACL configurations usually.
    What you originally saw happening with the configurations 1 and 2 configured is to be expected. You will always need the configuration 3 which is the ACL to allow the traffic from the "outside".
    If the "outside" interface doesnt have any ACL configured then it relies on the "security-level" alone which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there is NO ACLs. So the natural step to allow this traffic is to configure ACL with the appropriate rules and attach it to the "outside" interface.
    Hope this helps
    Please remember to mark a reply as the correct answer if it has answered your question.
    Naturally ask more if your question wasnt answered.
    - Jouni

  • Static NAT or NAT exemption?

    So my situation is kind of unique. I'm currently configuring an ASA5510 (ver. 8.4) to replace an OpenBSD router box. My company was originally given a /24 of public IP's.....yes it's weird. We are currenly working on eliminating the public vlan in our office. Currently half the company is using these public IPs for their computers and half are on a private vlan. We also have several servers on the public vlan. Everything is connected to a layer 3 switch that routes between these computers. When we first implement the ASA we want to leave the servers on the public vlan and have them still accessible from the outside by the same IP address. Currently the OpenBSD box just doesn't NAT the public vlan.
    We were looking at 2 solutions.
    1. NAT the server IPs to itself. ie. if the server has an IP of 80.80.80.2 then the nat statement would looke something like:
    nat (inside,outside) 80.80.80.2 80.80.80.2
    This is what we think would work best.
    2. We create a nat exemption rule for that entire public vlan.
    Is our theory correct that option 1 works best? Any other suggestions? We do not want to implement a DMZ because we have such sensitive data and only our web server could exist in our DMZ. My company is small....the simpler the solution, the better.

    only difference in these options are that static identity nat would create a xlate entry on the firewall however if you use nat exempt that would not create the xlate on the firewall.

  • Static NAT to two servers using same port

    I have a small office network with a single public IP address. Currently we have a static nat for port 443 for the VPN. We just received new software that requires the server the software is on to be listening on port 443 across the internet. Thus, essentially I need to do natting (port forwarding) using port 443 to two different servers.
    I believe that the usual way to accomplish this would be to have the second natting use a different public facing port, natted to 443 on the inside of the network (like using port 80 and 8080 for http). But, if the software company says that it must use port 443, is there any other way to go about this? If, for example, I know the IP address that the remote server will be connecting to our local server on, is there any way to add the source IP address into the rule? Could it work like, any port 443 traffic also from x.x.x.x, forward to local machine 192.168.0.2. Forward all other port 443 traffic not from x.x.x.x to 192.168.0.3.
    Any help would be very much appreciated.
    Thanks,
    - Mike                  

    Hi,
    Using the same public/mapped port on software levels 8.2 and below would be impossible. Only one rule could apply. I think the Cisco FWSM accepts the second command while the ASA to my understanding simply rejects the second "static" statement with ERROR messages.
    On the software levels 8.3 and above you have a chance to build a rule for the same public/mapped port WHEN you know where the connections to the other overlapping public/mapped port is coming from. This usually is not the case for public services but in your situation I gather you know the source address where connections to this server are going to come from?
    I have not used this in production and would not wish to do so. I have only done a simple test in the past for a CSC user. I tested mapping port TCP/5900 for VNC twice while defining the source addresses the connections would be coming from in the "nat" configuration (8.4 software) and it seemed to work. I am not all that certain is this a stable solution. I would imagine it could not be recomended for a production environment setup.
    But nevertheless its a possibility.
    So you would need the newer software on your firewall but I am not sure what devce you are using and what software its using.
    - Jouni

Maybe you are looking for

  • What Mac to get for Final Cut Studio?

    I've been doing most of my video editing for the last year or so in Sony Vegas on a PC. I'm looking to get into it a bit more seriously and want to make the switch to Final Cut Studio. Can I run it on a Macbook Pro? Can I run it WELL on a Macbook Pro

  • Bean Value display in JSP Page

    Hi, I am trying to display a value stored in my bean on the jsp page. The value is to be displayed on the initial jsp page.    public void doInitialization()           request = (IPortalComponentRequest) this.getRequest();           response = (IPort

  • This book has been returned.  Loan not on record

    I've used Adobe Dig Ed on a Windows XP computer for years with no problems.  I recently switched over to Windows 8.1, and reinstalled Adobe DE, and went through the authorization step for the computer.  Then I downloaded two books from the library, a

  • Redefining default keyboard shortcuts for dashboard, exposé, etc.

    Hi, I would like to redefine the keyboard shortcuts for the Dashboard, Dock, and Exposé functions, i.e. I don't want these functions to be bound to the f8-f11 keys. I can redefine the shortcuts manually using the Keyboard pane of the System Preferenc

  • HT1430 imessage not working

    iMessage Activation Could not sign in. Please check your network connection and try again. please help me fix this.