Cisco ASA 5510 - NAT Problems with Web Server

ISoul asked on Hardware Firewalls
I have been pulling out my hair for quite a few hours. I have tried to go by whatever examples I could find, but cannot figure out what I am doing wrong.

ASA outside interface on Ethernet0/0 has public IP 69.31.183.110
ASA inside interface on Ethernet0/2 has private IPs 10.10.30.254 and 10.10.254.254

I have a web server connected as 10.10.30.1

I would like the web server to use public IP 69.31.183.112

I cannot get the above to work.

The base config is below.

With the config below, the web server has outgoing access to the Internet. I can ping external hosts.

From what I've come across, the NAT rule I should be adding is this:

static (vlan30,outside) 69.31.183.112 10.10.30.1 netmask 255.255.255.255

But the problem is once that is added, nothing works anymore. The web server even loses outgoing access to the Internet. I can't ping external hosts anymore.

Inbound access pinging or accessing http on 69.31.183.112 doesn't work either.

What am I doing wrong?

Thanks for any help in advance...

ASA Version 7.2(2)
!
hostname amfw2
domain-name <domain>
no names
!
interface Ethernet0/0
 description Internet connection
 nameif outside
 security-level 0
 ip address 69.31.183.110 255.255.255.240 standby 69.31.183.111
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.30
 description Externally Accessible Servers
 vlan 30
 nameif vlan30
 security-level 30
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
!
interface Ethernet0/2.254
 description Management VLAN
 vlan 254
 nameif vlan254
 security-level 90
 ip address 10.10.254.254 255.255.255.0 standby 10.10.254.253
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name <domain>
access-list vlan254_access_in extended permit ip 10.10.254.0 255.255.255.0 any
access-list outside_access_out extended permit ip any any
access-list vlan30_access_in extended permit ip any any
access-list vlan30_access_out extended permit icmp any host 10.10.30.1
access-list vlan30_access_out extended permit tcp any host 10.10.30.1 eq www
access-list vlan30_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any host 69.31.183.112
access-list outside_access_in extended permit tcp any host 69.31.183.112 eq www
access-list vlan254_access_out extended permit ip any any
access-list vlan30_nat_outbound extended permit ip any any
access-list vlan254_nat_outbound extended permit ip any any
access-list remote_vpn_splitTunnelAcl standard permit 10.101.254.0 255.255.255.0
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging list MP-ASA level debugging
logging console emergencies
logging trap debugging
logging history notifications
logging asdm debugging
logging facility 23
logging device-id hostname
logging host outside 66.48.84.26
logging debug-trace
mtu outside 1500
mtu vlan30 1500
mtu vlan254 1500
no failover
monitor-interface vlan254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan30) 1 access-list vlan30_nat_outbound
nat (vlan254) 1 access-list vlan254_nat_outbound
static (vlan254,vlan30) 10.10.254.0 10.10.254.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group vlan30_access_in in interface vlan30
access-group vlan30_access_out out interface vlan30
access-group vlan254_access_in in interface vlan254
access-group vlan254_access_out out interface vlan254
route outside 0.0.0.0 0.0.0.0 69.31.183.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 vlan254
no snmp-server location
no snmp-server contact
sysopt noproxyarp outside
sysopt noproxyarp vlan254
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set peer 204.92.97.14
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 41 set pfs
crypto map outside_map 41 set peer 209.82.67.67
crypto map outside_map 41 set transform-set ESP-3DES-SHA
crypto map outside_map 41 set security-association lifetime seconds 2419200
crypto map outside_map 41 set security-association lifetime kilobytes 2147483647
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 vlan254
ssh timeout 30
console timeout 30
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc0b57cc1c46b9fb0ee8fa872419c502
: end
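Added example, not part of the question or of any answer on this page: a small Python checker that parses the NAT-relevant lines of the posted config (a constructed excerpt, with the proposed static appended) and reports conditions that break static NAT on a pre-8.3 ASA, such as the mapped address lying outside the interface subnet, proxy ARP disabled on the mapped interface, or no inbound ACL permitting the mapped address. The finding codes are my own naming.

```python
import ipaddress
import re
# Constructed excerpt of the ASA 7.2 config from the question, plus the proposed static line.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 69.31.183.110 255.255.255.240 standby 69.31.183.111
interface Ethernet0/2.30
 nameif vlan30
 ip address 10.10.30.254 255.255.255.0 standby 10.10.30.253
access-list outside_access_in extended permit tcp any host 69.31.183.112 eq www
access-group outside_access_in in interface outside
sysopt noproxyarp outside
static (vlan30,outside) 69.31.183.112 10.10.30.1 netmask 255.255.255.255
"""

def parse_asa(text):
    """Collect subnets by nameif, statics, hosts permitted per ACL, inbound access-groups, no-proxy-arp ifaces."""
    ifaces, statics, acl_hosts, groups, noproxy, nameif = {}, [], {}, {}, set(), None
    for line in text.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m[1]
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            ifaces[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.append(m.groups())
        elif m := re.match(r"access-list (\S+) .*permit \S+ any host (\S+)", line):
            acl_hosts.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m[2]] = m[1]
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            noproxy.add(m[1])
    return ifaces, statics, acl_hosts, groups, noproxy

def check_static_nat(text):
    """Return (code, detail) findings for every static NAT in the config."""
    ifaces, statics, acl_hosts, groups, noproxy = parse_asa(text)
    findings = []
    for real_if, mapped_if, mapped, real, _mask in statics:
        if real_if not in ifaces or ipaddress.ip_address(real) not in ifaces[real_if]:
            findings.append(("REAL_NOT_ON_IF", f"{real} is not in the {real_if} subnet"))
        if mapped_if in ifaces and ipaddress.ip_address(mapped) not in ifaces[mapped_if]:
            findings.append(("MAPPED_OFF_SUBNET", f"{mapped} is outside {ifaces[mapped_if]}; upstream must route it to the ASA"))
        if mapped_if in noproxy:
            findings.append(("NOPROXYARP", f"proxy ARP off on {mapped_if}: ASA will not ARP-reply for {mapped}"))
        # Pre-8.3 ASA inbound ACLs are written against the mapped (public) address.
        if mapped not in acl_hosts.get(groups.get(mapped_if, ""), set()):
            findings.append(("NO_INBOUND_ACL", f"no inbound ACL on {mapped_if} permits host {mapped}"))
    return findings
```

Run `check_static_nat(ASA_CONFIG)` to see which of the conditions apply to the posted config; an empty list means none of the checked conditions is present.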
ASKER CERTIFIED SOLUTION
ISoul