Solved

Command line in Cisco ASA

Posted on 2011-02-18
Last Modified: 2012-05-11
Hello, I have a problem with a Cisco ASA 5505 with this software version:
ASDM version 6.3(1)
ASA version 8.3(1)

Now in "tool --> command line interface" I have sent this command:
#static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255

The command is sent successfully, then I "save running configuration to flash", but in the running configuration (and also in the startup configuration) this NAT command isn't there!!
It is very strange!
Thanks.

-
 Salvatore.
Question by:sasapix
12 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 34927023
What do you see if you send the command (no quotes) "copy run start" instead of the GUI option?
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 200 total points
ID: 34927044
As of version 8.3, NAT and statics have changed; I think that is the issue.

Have a look at: http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968 for the new commands.
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 150 total points
ID: 34927050
Hi,

There is a new command for static on 8.3.1, so you need:

object network obj-192.168.1.1
 host 192.168.1.1
access-list inbound extended permit tcp any object obj-192.168.1.1 eq www
object network obj-192.168.1.1
 nat (inside,outside) static interface service tcp www www

For more information:
http://www.petenetlive.com/KB/Article/0000247.htm

 

Author Comment

by:sasapix
ID: 34927173
So in:

nat (inside,outside) static interface service tcp www www

the destination host isn't indicated?
Thanks.

-
 Salvatore.
 

Author Comment

by:sasapix
ID: 34927383
When I run them, with the first and second commands all is OK, but I have a problem with the command:

host 192.168.1.1

Result of the command: "host 192.168.1.1"
host 192.168.1.1
^
ERROR: % Invalid input detected at '^' marker.

Is the syntax incorrect?
Thanks.

-
 Salvatore.
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34927542
network-object host 192.168.1.1
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34927555
>>Result of the command: "host 192.168.1.1"
>>host 192.168.1.1
>>^
>>ERROR: % Invalid input detected at '^' marker.

This is because the host command MUST follow the
object network obj-192.168.1.1


 

Author Comment

by:sasapix
ID: 34927622
Sorry, but I do not understand how I can run the command! :-(


network-object host 192.168.1.1 host 192.168.1.1

??
Thanks.

-
 Salvatore.
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34927797
It's 2 separate lines.

object network obj-192.168.1.1
 host 192.168.1.1

You are creating the object called "obj-192.168.1.1", then you are defining what's in it with " host 192.168.1.1".

 

Author Comment

by:sasapix
ID: 34941597
I am able to enter the requested commands, but in the log when I try to access I have this:

4      Feb 21 2011      01:40:35      106023      ip_external 49881
192.168.1.1      80      Deny tcp src outside:ip_external/49881 dst
inside:192.168.1.1/80 by access-group "outside_access_in" [0x0, 0x0]

But in the Cisco configuration I have:

access-list outside_access_in extended permit object 80 any object obj-192.168.1.1

Must I insert another access-list?
Thanks.

-
 Salvatore.

 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 150 total points
ID: 34943256
192.168.1.1 is the inside IP that you port forward WWW to from the outside interface IP. When traffic comes into the ASA, you should allow it to hit the "Outside interface", not the NAT'd internal interface. That is the issue.

Change the outside_access_in to allow port 80 to the "outside interface IP".
 

Author Comment

by:sasapix
ID: 34943414
I have added:

access-list outside_access_in extended permit tcp any object obj-192.168.1.1 object-group www

and now it is OK!
Thanks.

-
 Salvatore.
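
The migration worked out across this thread, as an added example (not code from any poster or from Cisco): a Python sketch that rewrites a pre-8.3 static port forward into the 8.3 object NAT form plus the access-list entry on the real address that finally worked above. The ACL name outside_access_in comes from the log line in the thread; the function names and the sample config are constructed for illustration.

```python
import re

# Pre-8.3 static PAT: static (real_if,mapped_if) tcp|udp <mapped_ip|interface>
#   <mapped_port> <real_ip> <real_port> [netmask <mask>]
OLD_STATIC = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>interface|\d+\.\d+\.\d+\.\d+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+) (?P<real_port>\S+)"
    r"(?: netmask (?P<mask>\d+\.\d+\.\d+\.\d+))?$"
)

def migrate_static(line, acl_name="outside_access_in"):
    """Return the 8.3 object-NAT lines for one pre-8.3 static port forward,
    or None if the line is not such a command."""
    m = OLD_STATIC.match(line.strip().lstrip("#"))
    if m is None:
        return None
    if m["mask"] not in (None, "255.255.255.255"):
        raise ValueError("only host (/32) port forwards are handled here")
    obj = f"obj-{m['real_ip']}"
    return [
        f"object network {obj}",
        f" host {m['real_ip']}",  # sub-command: only valid under the object
        f" nat ({m['real_if']},{m['mapped_if']}) static {m['mapped']} "
        f"service {m['proto']} {m['real_port']} {m['mapped_port']}",
        # The rule that worked in the thread names the real (inside) host
        f"access-list {acl_name} extended permit {m['proto']} any "
        f"object {obj} eq {m['real_port']}",
    ]

def migrate_config(text):
    """Rewrite every old-style static in a config; other lines pass through."""
    out = []
    for line in text.splitlines():
        out.extend(migrate_static(line) or [line])
    return out

# Constructed sample: the command from the question plus unrelated lines.
SAMPLE = """hostname asa5505
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
access-group outside_access_in in interface outside"""

if __name__ == "__main__":
    print("\n".join(migrate_config(SAMPLE)))
```
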
Question has a verified solution.