Solved

Command line in Cisco ASA

Posted on 2011-02-18
Last Modified: 2012-05-11
Hello, I have a problem with a Cisco ASA 5505 with this software version:
ASDM version 6.3(1)
ASA version 8.3(1)

Now in "tool --> command line interface" I have sent this command:
#static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255

The command is sent successfully, then I "save running configuration to flash", but in the running configuration (and also in the startup configuration) there isn't this nat command!
It is very strange!
Thanks.

-
 Salvatore.
Question by:sasapix
12 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 34927023
What do you see if you send the command (no quotes) "copy run start" instead of the GUI option?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 200 total points
ID: 34927044
As of version 8.3, NAT and statics have changed; I think that is the issue.

Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968 for the new commands.
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 150 total points
ID: 34927050
Hi,

There is a new command for static on 8.3.1, so you need:
object network obj-192.168.1.1
 host 192.168.1.1
access-list inbound extended permit tcp any object obj-192.168.1.1 eq www
object network obj-192.168.1.1
 nat (inside,outside) static interface service tcp www www

for more information:
http://www.petenetlive.com/KB/Article/0000247.htm
0
Author Comment

by:sasapix
ID: 34927173
Therefore in:

nat (inside,outside) static interface service tcp www www

the destination host isn't indicated?
Thanks.

-
 Salvatore.
0
 

Author Comment

by:sasapix
ID: 34927383
When I run them, the first and second commands are all OK, but I have a problem with the command:

host 192.168.1.1

Result of the command: "host 192.168.1.1"
host 192.168.1.1
^
ERROR: % Invalid input detected at '^' marker.

Is the syntax incorrect?
Thanks.

-
 Salvatore.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34927542
network-object host 192.168.1.1
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34927555
>>Result of the command: "host 192.168.1.1"
>>host 192.168.1.1
>>^
>>ERROR: % Invalid input detected at '^' marker.

This is because the host command MUST follow the
object network obj-192.168.1.1


0
 

Author Comment

by:sasapix
ID: 34927622
Sorry, but I do not understand how I can run the command! :-(


network-object host 192.168.1.1 host 192.168.1.1

??
Thanks.

-
 Salvatore.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34927797
It's 2 separate lines.

object network obj-192.168.1.1
 host 192.168.1.1

You are creating the object called "obj-192.168.1.1", then you are defining what's in it with " host 192.168.1.1"

0
 

Author Comment

by:sasapix
ID: 34941597
I am able to enter the requested commands, but in the log when I try to access it I have this:

4      Feb 21 2011      01:40:35      106023      ip_external 49881
192.168.1.1      80      Deny tcp src outside:ip_external/49881 dst
inside:192.168.1.1/80 by access-group "outside_access_in" [0x0, 0x0]

but in cisco configuration I have:

access-list outside_access_in extended permit object 80 any object obj-192.168.1.1

Must I insert another access-list?
Thanks.

-
 Salvatore.

0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34943256
192.168.1.1 is the inside IP that you Port Forward WWW from the outside interface IP. When traffic comes into the ASA, you should allow it to hit the "Outside interface", not the NAT'd internal interface. That is the issue.

Change the outside_access_in to allow port 80 to the "outside interface IP".
0
 

Author Comment

by:sasapix
ID: 34943414
I have added:

access-list outside_access_in extended permit tcp any object obj-192.168.1.1 object-group www

and now it is OK!
Thanks.

-
 Salvatore.
0
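
The migration this thread works through, as an added example (not code from any poster or from Cisco): a small Python converter that turns a pre-8.3 static PAT line like the one in the question into the 8.3 object NAT form given in the answers, plus an ACL entry on the real (inside) address as in the asker's final working rule. The function name `convert_static_pat` is hypothetical, the default ACL name is the one shown in the thread, and only host (/32) statics are handled.

```python
import re

# Pre-8.3 static PAT syntax, as in the question:
#   static (real_if,mapped_if) {tcp|udp} {interface|mapped_ip} mapped_port
#          real_ip real_port [netmask mask]
STATIC_PAT = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>interface|\d{1,3}(?:\.\d{1,3}){3}) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<real_port>\S+)"
    r"(?: netmask (?P<mask>\S+))?$"
)


def convert_static_pat(line, acl_name="outside_access_in"):
    """Return the 8.3-style config lines for one pre-8.3 static PAT line."""
    m = STATIC_PAT.match(line.strip().lstrip("#").strip())
    if m is None:
        raise ValueError("not a pre-8.3 static PAT line: %r" % line)
    if m["mask"] not in (None, "255.255.255.255"):
        raise ValueError("only host (/32) statics are handled in this example")
    obj = "obj-" + m["real_ip"]  # object naming follows the thread's answers
    return [
        "object network " + obj,
        " host " + m["real_ip"],
        # Object NAT lists the real port first, then the mapped port.
        " nat (%s,%s) static %s service %s %s %s" % (
            m["real_if"], m["mapped_if"], m["mapped"],
            m["proto"], m["real_port"], m["mapped_port"]),
        # The interface ACL is written against the real (inside) address and
        # port, which is what the 106023 deny in the thread reports as dst.
        "access-list %s extended permit %s any object %s eq %s" % (
            acl_name, m["proto"], obj, m["real_port"]),
    ]


if __name__ == "__main__":
    # The command from the question (constructed input, copied from the page).
    old = ("#static (inside,outside) tcp interface www 192.168.1.1 www "
           "netmask 255.255.255.255")
    print("\n".join(convert_static_pat(old)))
```

The generated ACL entry permits `any` source, as the rules in the thread do; narrow the source where the published service allows it.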


Question has a verified solution.
