Cisco ASA NAT not working

Hi all,

Can anyone help with this NAT rule that refuses to work?

I have an internal device at 192.168.1.50 with a website running on port 47805. I can telnet to the device and access the website internally.

I need to access it externally via a public IP. These are the commands I am using but I can't get it working no matter what.
The public IP I am using is one of those available in my block of addresses.

object network InsideServer
host 192.168.1.50
object network ExternalIP
host x.x.x.x

object network InsideServer
nat (INSIDE,OUTSIDE) static ExternalIP

access-list outside_in extended permit tcp any4 object InsideServer eq 47805
blehhhh Asked:

arnold Commented:
NAT rule is missing the port of incoming requests to be forwarded to the port on the internal system.
It seems incomplete.
Outside_in is the ACL the line is one of many that is applied to the outside interface on the.....
arnold Commented:
What version does your ASA run? 9, 8, ?

See the example from Cisco.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_staticpat.html
blehhhh Author Commented:
I'm running version 9 and yes, arnold, outside_in is the ACL applied to the outside interface.

Still doesn't work for me though.

arnold Commented:
Your mapping is incorrect.  Do you have other mappings?  You may have defined others such that it precludes this from functioning.

Please look at the Cisco link that includes a descriptive scenario and then the matching configuration.

You are setting up a port address translation which allows multiple services using the same IP to be directed to various internal systems to address each service.
I.e. FTP goes to servera
HTTP goes to Serverb
Mail goes to Serverb,
These could each use a single IP for all, or FTP and HTTP share the same public IP while mail uses another (incoming/outgoing IP is important as that is checked in the receiving/outgoing mail).
blehhhh Author Commented:
Hi Arnold

I changed the NAT mapping to include the ports like you suggested but still no joy.

Yes, I have another NAT rule going to HTTP on the standard port and this is working fine. But I am using a different public IP for this one.
arnold Commented:
Does that other rule match the way your prior was set up?

Add logging option to your rules

Please look at the example in the link it explains what is what.  I only see a portion and trying to guess what might be interfering......

Look at your ACL after you created the mappings, did you change it or is it the same as the one you originally posted?
blehhhh Author Commented:
Here is the other rule, that is working.

object network Web_Int
 host 192.168.1.40
object network Web_Ext
 host y.y.y.y

object network Web_Int
 nat (INSIDE,OUTSIDE) static Web_Ext

access-list outside_in extended permit tcp any4 object Web_Int eq www


I just changed to the below, following the link, and then both didn't work.
nat (INSIDE,OUTSIDE) static Web_Ext service tcp http http
arnold Commented:
You are binding the

Is y.y.y.y the same x.x.x.x IP as you want to use for the 47850 port RDP?

I am not sure how to say it any clearer, please look at the examples included in the Cisco PAT example in the link posted earlier.  There are three different services that map to

In particular, see the portion http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_staticpat.html#wp1082100


Are you using ASDM, Web interface or command line to configure your ASA?
max_the_king Commented:
Hi,
please try the following:

replace the following statement:
object network Web_Int
 nat (INSIDE,OUTSIDE) static Web_Ext

in
object network Web_Int
 nat (INSIDE,OUTSIDE) static x.x.x.x

and replace:
access-list outside_in extended permit tcp any4 object InsideServer eq 47805

in
access-list outside_in extended permit tcp any4 host 192.168.1.50 eq 47805

let me know if it works
hope this helps
max
blehhhh Author Commented:
Arnold,

Unfortunately I had already tried the method in the link you sent.

I get a message saying "the sytax of nat command has been deprecated."
arnold Commented:
Which version is on your ASA, 9.4? There is a similar example for the version you have.  I think the link is for 9.2. Never mind, rechecked the link and it is for 8.2.  Will post the correct link shortly.
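
For reference, the object-NAT form used by ASA 8.3 and later, with the one-to-one static NAT from the question beside a port-specific static PAT. This is an added example, not a configuration posted by anyone in the thread. Object names and addresses are the ones from the question; the access-group line is assumed from the author's statement that outside_in is applied to the outside interface, and 203.0.113.10 / 40000 are constructed test values.

```cisco
! Added example; object names and addresses are those posted in the question.
object network ExternalIP
 host x.x.x.x
!
! One-to-one static NAT as posted: every port on x.x.x.x is translated to
! 192.168.1.50, so the outside_in ACL alone decides what is reachable.
object network InsideServer
 host 192.168.1.50
 nat (INSIDE,OUTSIDE) static ExternalIP
!
! Static PAT alternative: only TCP 47805 is translated (real port first,
! mapped port second). A network object carries one nat statement, so use
! this line instead of the one above.
object network InsideServer
 nat (INSIDE,OUTSIDE) static ExternalIP service tcp 47805 47805
!
! On 8.3 and later the interface ACL matches the real (inside) address.
access-list outside_in extended permit tcp any4 object InsideServer eq 47805
! Assumed binding, per the author's statement about the outside interface.
access-group outside_in in interface OUTSIDE
!
! Verification from privileged EXEC. Replace x.x.x.x with the mapped address;
! 203.0.113.10 and 40000 are constructed values standing in for an outside client.
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 x.x.x.x 47805 detailed
show nat detail
show xlate
show access-list outside_in
```

In the packet-tracer output, the UN-NAT phase shows whether x.x.x.x/47805 was translated to 192.168.1.50/47805 and the ACCESS-LIST phase shows which rule matched; a drop result names the phase that rejected the flow.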

frankhelk Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: arnold (https:#a40969138)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer