Solved

Command line in Cisco ASA

Posted on 2011-02-18
Last Modified: 2012-05-11
Hello, I have a problem with a Cisco ASA 5505 with this software version:
ASDM version 6.3(1)
ASA version 8.3(1)

Now in "Tools --> Command Line Interface" I have sent this command:
#static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255

The command is sent successfully, then "Save running configuration to flash", but in the running configuration (and also in the startup configuration) this NAT command isn't there!
It is very strange!
Thanks.

-
 Salvatore.
Question by:sasapix
12 Comments
 
LVL 28

Expert Comment

by:Jan Springer
What do you see if you send the command (no quotes) "copy run start" instead of the GUI option?
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 200 total points
As of version 8.3, NAT and statics have changed; I think that is the issue.

Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968 for the new commands.
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 150 total points
Hi,

There is a new command for static on 8.3.1, so you need:
object network obj-192.168.1.1
 host 192.168.1.1
access-list inbound extended permit tcp any object obj-192.168.1.1 eq www
object network obj-192.168.1.1
 nat (inside,outside) static interface service tcp www www

For more information:
http://www.petenetlive.com/KB/Article/0000247.htm
 

Author Comment

by:sasapix
Therefore, in:

nat (inside,outside) static interface service tcp www www

the destination host isn't indicated?
Thanks.

-
 Salvatore.
 

Author Comment

by:sasapix
When I run them, the first and second commands are all OK, but I have a problem with the command:

host 192.168.1.1

Result of the command: "host 192.168.1.1"
host 192.168.1.1
^
ERROR: % Invalid input detected at '^' marker.

Is the syntax incorrect?
Thanks.

-
 Salvatore.
 
LVL 34

Expert Comment

by:Istvan Kalmar
network-object host 192.168.1.1
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
>>Result of the command: "host 192.168.1.1"
>>host 192.168.1.1
>>^
>>ERROR: % Invalid input detected at '^' marker.

This is because the host command MUST follow the
object network obj-192.168.1.1
 

Author Comment

by:sasapix
Sorry, but I do not understand how I can run the command! :-(


network-object host 192.168.1.1 host 192.168.1.1

??
Thanks.

-
 Salvatore.
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
It's 2 separate lines.

object network obj-192.168.1.1
 host 192.168.1.1

You are creating the object called "obj-192.168.1.1", then you are defining what's in it with " host 192.168.1.1".
 

Author Comment

by:sasapix
I am able to enter the requested commands, but in the log, when I try to access it, I have this:

4      Feb 21 2011      01:40:35      106023      ip_external 49881
192.168.1.1      80      Deny tcp src outside:ip_external/49881 dst
inside:192.168.1.1/80 by access-group "outside_access_in" [0x0, 0x0]

but in the Cisco configuration I have:

access-list outside_access_in extended permit object 80 any object obj-192.168.1.1

Must I insert another access-list?
Thanks.

-
 Salvatore.
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
192.168.1.1 is the inside IP that you Port Forward WWW from the outside interface IP. When traffic comes into the ASA, you should allow it to hit the "Outside interface", not the NAT'd internal interface. That is the issue.

Change the outside_access_in to allow port 80 to the "outside interface IP".
 

Author Comment

by:sasapix
I have added:

access-list outside_access_in extended permit tcp any object obj-192.168.1.1 object-group www

and now it is OK!
Thanks.

-
 Salvatore.
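
The migration worked through in this thread, as an added example that is not part of any poster's reply or of Cisco's tooling: a small Python converter that turns a pre-8.3 static interface PAT line into the 8.3 object NAT form plus an ACL entry that references the real (inside) host, the form that worked at the end of the thread. The function name migrate_static_pat and the default ACL name are assumptions for illustration.

```python
import re

# Pre-8.3 syntax: static (real_if,mapped_if) tcp interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
# A leading "#" (as pasted in the question) is tolerated.
STATIC_PAT = re.compile(
    r"^\s*#?\s*static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"interface\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<real_port>\S+)(?:\s+netmask\s+255\.255\.255\.255)?\s*$"
)


def migrate_static_pat(line, acl_name="outside_access_in"):
    """Return the 8.3+ object NAT and ACL lines for one pre-8.3 static PAT line.

    migrate_static_pat and acl_name are hypothetical names for this example;
    "outside_access_in" is the access-group name shown in the thread's log.
    """
    m = STATIC_PAT.match(line)
    if m is None:
        raise ValueError(f"not a static interface PAT line: {line!r}")
    f = m.groupdict()
    obj = f"obj-{f['real_ip']}"
    return [
        f"object network {obj}",
        f" host {f['real_ip']}",
        # Object NAT lists the real port first, then the mapped port
        # (the old static command had them the other way round).
        f" nat ({f['real_if']},{f['mapped_if']}) static interface"
        f" service {f['proto']} {f['real_port']} {f['mapped_port']}",
        # The ACL names the real host and real port, not the interface address.
        f"access-list {acl_name} extended permit {f['proto']} any"
        f" object {obj} eq {f['real_port']}",
    ]


if __name__ == "__main__":
    # The command from the question, as posted.
    old = "#static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255"
    print("\n".join(migrate_static_pat(old)))
```
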