
Cisco ASA Object NAT Issue

JasonPJohnson
2,851 Views
Last Modified: 2014-10-15
I can't seem to get my Cisco ASA 5505 to publish a security camera server using static NAT and an access rule. I'm not sure why it's not working.

Here is a copy of my running config

Result of the command: "show running"

: Saved
:
ASA Version 9.0(2)
!
hostname ***
domain-name ****
enable password **** encrypted
passwd **** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.21.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 0.0.0.0 255.255.255.0
!
banner motd
banner motd
banner motd Authorized Users Only
banner motd This System Is For the Use of Authorized users only.
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.20.100.3
 name-server 172.20.100.4
 domain-name ******
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network WAN_Address
 host 0.0.0.1
object service Camera_Web
 service tcp source eq 8000
object network obj-cam_server
 host 172.21.1.100
access-list outside_access_in extended permit tcp any object obj-cam_server eq 8000
access-list inside_access_in extended permit ip any any log disable
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging history warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-712-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-cam_server
 nat (inside,outside) static 0.0.0.1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **ISP NEXT HOP*** 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.20.104.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
vpnclient server ******
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup **** password *****
vpnclient username **** password *****
vpnclient management tunnel 10.0.0.0 255.0.0.0 172.16.0.0 255.240.0.0 192.168.0.0 255.255.0.0
vpnclient enable
dhcpd address 172.21.1.20-172.21.1.51 inside
dhcpd dns 8.8.8.8 4.2.2.1 interface inside
dhcpd domain ***** interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ***** password ***** encrypted privilege 15
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
prompt hostname context
call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:****
: end
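The config above is a typical ASA 8.3+/9.x object-NAT setup: a network object for the real host, a `nat (inside,outside) static` line on that object, and an outside ACL that (correctly for 8.3+) references the real object rather than the mapped address. The following script is an added example written for this page, not the poster's configuration and not an answer from the thread. It parses the NAT-relevant statements of a running-config and applies the consistency checks a reviewer would run before debugging a published server: an object permitted inbound on the outside ACL must carry a static NAT, an ACE must not use the mapped address, a static NAT to the egress interface's own address needs the `interface` keyword (static PAT), and unreferenced or source-port-only service objects are flagged. The sample input is a constructed excerpt of the config above with the poster's redacted addresses (0.0.0.0 and 0.0.0.1) left exactly as posted, so the script cannot and does not determine the poster's real fault; the rule names and messages are mine.

```python
"""Cross-check object NAT, access-list and access-group statements in a
Cisco ASA (8.3+ / 9.x) running-config.  Added example; not the poster's code."""
import re
from collections import defaultdict

# Constructed sample: the NAT/ACL-relevant lines of the config in the question,
# with the poster's redacted addresses (0.0.0.0 / 0.0.0.1) left untouched.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.21.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 0.0.0.0 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network WAN_Address
 host 0.0.0.1
object service Camera_Web
 service tcp source eq 8000
object network obj-cam_server
 host 172.21.1.100
access-list outside_access_in extended permit tcp any object obj-cam_server eq 8000
access-list inside_access_in extended permit ip any any log disable
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-cam_server
 nat (inside,outside) static 0.0.0.1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""


def parse_asa(text):
    """Collect interfaces, network/service objects, extended ACEs and access-groups.
    'object network X' appears twice in a real config (definition, then NAT section);
    both occurrences merge into one record."""
    cfg = {"interfaces": {}, "net_objects": {}, "svc_objects": {},
           "acls": defaultdict(list), "access_groups": {}}
    block = None  # (kind, name) of the indented block currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            block = None
            continue
        if not line.startswith(" "):
            block = None
            if m := re.match(r"interface (\S+)$", line):
                block = ("interface", m.group(1))
                cfg["interfaces"].setdefault(m.group(1), {})
            elif m := re.match(r"object network (\S+)$", line):
                block = ("net", m.group(1))
                cfg["net_objects"].setdefault(m.group(1), {})
            elif m := re.match(r"object service (\S+)$", line):
                block = ("svc", m.group(1))
                cfg["svc_objects"].setdefault(m.group(1), "")
            elif m := re.match(r"access-list (\S+) extended (.+)$", line):
                cfg["acls"][m.group(1)].append(m.group(2))
            elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
                cfg["access_groups"][m.group(2)] = m.group(1)
            continue
        if block is None:
            continue
        kind, name = block
        f = line.split()
        if kind == "interface" and f[0] == "nameif":
            cfg["interfaces"][name]["nameif"] = f[1]
        elif kind == "interface" and f[:2] == ["ip", "address"]:
            cfg["interfaces"][name]["ip"] = f[2]
        elif kind == "net" and f[0] in ("host", "subnet"):
            cfg["net_objects"][name]["real"] = " ".join(f[1:])
        elif kind == "net" and f[0] == "nat":
            cfg["net_objects"][name]["nat"] = " ".join(f[1:])
        elif kind == "svc" and f[0] == "service":
            cfg["svc_objects"][name] = " ".join(f[1:])
    return cfg


def lint(cfg):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    findings = []
    ip_of = {v["nameif"]: v.get("ip") for v in cfg["interfaces"].values() if "nameif" in v}
    aces = [(acl, ace) for acl, lst in cfg["acls"].items() for ace in lst]
    referenced = {o for _, ace in aces for o in re.findall(r"object (\S+)", ace)}

    for nameif, acl in cfg["access_groups"].items():
        for ace in cfg["acls"].get(acl, []):
            for obj in re.findall(r"object (\S+)", ace):
                nat = cfg["net_objects"].get(obj, {}).get("nat", "")
                # A host permitted inbound on the outside ACL must have a static NAT,
                # otherwise no packet from outside can be translated to its real address.
                if nameif == "outside" and "static" not in nat:
                    findings.append(f"{acl}: {obj} is permitted inbound on {nameif} but has no static NAT")

    for name, obj in cfg["net_objects"].items():
        nat = obj.get("nat", "")
        m = re.search(r"\(\S+,(\S+)\) static (\S+)", nat)
        if m:
            egress, mapped = m.groups()
            # On 8.3+ ACLs match the real address; an ACE carrying the mapped address never matches.
            for acl, ace in aces:
                if mapped != "interface" and mapped in ace.split():
                    findings.append(f"{acl}: references mapped address {mapped}; use the real object {name}")
            # Publishing on the egress interface's own address needs the 'interface' keyword (static PAT).
            if mapped == ip_of.get(egress):
                findings.append(f"{name}: static NAT to the {egress} interface IP {mapped}; "
                                f"use 'static interface service tcp <port> <port>'")
        if name not in referenced and not nat:
            findings.append(f"{name}: network object defined but never used by NAT or ACL")

    for name, svc in cfg["svc_objects"].items():
        if name not in referenced:
            findings.append(f"{name}: service object defined but never used")
        if "source eq" in svc and "destination" not in svc:
            findings.append(f"{name}: matches the source port only; a client connecting to a "
                            f"server on that port carries it as the destination port")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_asa(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the script reports only that `WAN_Address` and `Camera_Web` are defined but unreferenced and that `Camera_Web` matches a source port; the static-NAT and mapped-address checks stay quiet because the posted addresses are redacted. Feed it the real `show running` output to see whether the mapped address collides with the outside interface IP or appears literally in an ACE, the two object-NAT mistakes this lint is built to catch.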