Solved

Command line in Cisco ASA

Posted on 2011-02-18
Last Modified: 2012-05-11
Hello, I have a problem with a Cisco ASA 5505 with this software version:
ASDM version 6.3(1)
ASA version 8.3(1)

Now in "tool --> command line interface" I have sent this command:
#static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255

The command is sent successfully, then "save running configuration to flash", but in the running configuration (and also in the startup configuration) there isn't this nat command!!
It is very strange!
Thanks.

-
 Salvatore.
0
Question by:sasapix
12 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 34927023
what do you see if you send the command (no quotes) "copy run start" instead of the GUI option?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 800 total points
ID: 34927044
As per version 8.3 NAT and statics have changed, I think that is the issue.

have a look at: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968 for the new commands.
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 600 total points
ID: 34927050
Hi,

there is a new command for static on 8.3.1:

so you need:
object network obj-192.168.1.1
 host 192.168.1.1
access-list inbound extended permit tcp any object obj-192.168.1.1 eq www
object network obj-192.168.1.1
 nat (inside,outside) static interface service tcp www www

for more information:
http://www.petenetlive.com/KB/Article/0000247.htm
0
 

Author Comment

by:sasapix
ID: 34927173
therefore in:

nat (inside,outside) static interface service tcp www www

there isn't indicated the host destination?
Thanks.

-
 Salvatore.
0
 

Author Comment

by:sasapix
ID: 34927383
when run:
with the first and second command all is OK, but I have a problem with the command:

host 192.168.1.1

Result of the command: "host 192.168.1.1"
host 192.168.1.1
^
ERROR: % Invalid input detected at '^' marker.

the syntax is incorrect ?
Thanks.

-
 Salvatore.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34927542
network-object host 192.168.1.1
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 600 total points
ID: 34927555
>>Result of the command: "host 192.168.1.1"
>>host 192.168.1.1
>>^
>>ERROR: % Invalid input detected at '^' marker.

This is because the host command MUST follow the
object network obj-192.168.1.1


0
 

Author Comment

by:sasapix
ID: 34927622
Sorry but I do not understand how can I run the command ! :-(


network-object host 192.168.1.1 host 192.168.1.1

??
Thanks.

-
 Salvatore.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 600 total points
ID: 34927797
It's 2 separate lines.

object network obj-192.168.1.1
 host 192.168.1.1

You are creating the object called "obj-192.168.1.1", then you are defining what's in it with " host 192.168.1.1"

0
 

Author Comment

by:sasapix
ID: 34941597
I am able to enter the commands requested, but in the log when I try to access I have this:

4 Feb 21 2011 01:40:35 106023 ip_external 49881 192.168.1.1 80 Deny tcp src outside:ip_external/49881 dst inside:192.168.1.1/80 by access-group "outside_access_in" [0x0, 0x0]

but in cisco configuration I have:

access-list outside_access_in extended permit object 80 any object obj-192.168.1.1

I must insert another access-list ??
Thanks.

-
 Salvatore.

0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 600 total points
ID: 34943256
192.168.1.1 is the inside IP that you Port Forward WWW from the outside interface IP. When traffic comes into the ASA, you should allow it to hit the "Outside interface", not the NAT'd internal interface. That is the issue.

Change the outside_access_in to allow port 80 to the "outside interface IP"
0
 

Author Comment

by:sasapix
ID: 34943414
I have added:

access-list outside_access_in extended permit tcp any object obj-192.168.1.1 object-group www

and now it is OK!
Thanks.

-
 Salvatore.
0
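
The migration worked through in this thread, as an added example that is not part of any poster's reply: a small Python helper that rewrites one pre-8.3 static PAT line into the 8.3 object NAT form plus the matching ACL entry. The function name `convert_static_pat` is hypothetical, the default ACL name is the one shown in the thread's log line, and only host (/32) port forwards are handled.

```python
import re

# Legacy (pre-8.3) static PAT syntax:
#   static (real_ifc,mapped_ifc) {tcp|udp} {mapped_ip|interface} mapped_port
#          real_ip real_port [netmask mask]
LEGACY = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>interface|\d+(?:\.\d+){3})\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\d+(?:\.\d+){3})\s+(?P<real_port>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\d+(?:\.\d+){3}))?\s*$"
)

# The command from the question, including the leading '#' prompt character.
SAMPLE = ("#static (inside,outside) tcp interface www 192.168.1.1 www "
          "netmask 255.255.255.255")


def convert_static_pat(line, acl_name="outside_access_in"):
    """Return the 8.3 object NAT and ACL lines for one legacy static PAT line."""
    m = LEGACY.match(line.strip().lstrip("#").strip())
    if not m:
        raise ValueError("not a legacy static PAT command: %r" % line)
    if m["mask"] not in (None, "255.255.255.255"):
        raise ValueError("only host (/32) static PAT is handled here")
    obj = "obj-" + m["real_ip"]  # object naming follows the thread's convention
    return [
        f"object network {obj}",
        f" host {m['real_ip']}",
        # Port order flips: legacy is mapped-then-real, object NAT is
        # real-then-mapped.
        f" nat ({m['real_if']},{m['mapped_if']}) static {m['mapped_ip']} "
        f"service {m['proto']} {m['real_port']} {m['mapped_port']}",
        # From 8.3 the interface ACL matches the real (untranslated) address
        # and port, which is why the rule references the object.
        f"access-list {acl_name} extended permit {m['proto']} any "
        f"object {obj} eq {m['real_port']}",
    ]


if __name__ == "__main__":
    print("\n".join(convert_static_pat(SAMPLE)))
```

The `host` and `nat` lines are entered inside the `object network` sub-mode, which is why they are emitted with a leading space.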
