ASA Bridge Group with simple NAT issue (v9.8)

I am not fully versed in Cisco ver 9.8 using NAT with bridge groups. I have 1 DVR on the inside. I want to NAT ports 80 and 8000 from the outside to the DVR (10.10.20.45, inside) using an external IP, let's say 74.95.173.90. I cannot even get port 80 to map to the inside DVR.
I added extra access-list statements in my troubleshooting, unsure if it was the inside IP or the outside IP, so I have both for now.
What am I missing?


interface GigabitEthernet1/1
 description Comcast
 nameif outside
 security-level 0
 ip address 74.95.173.89 255.255.255.248
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network DVR
 host 10.10.20.45
access-list outside_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any host 74.95.173.90 eq www
access-list outside_access_in extended permit tcp any host 10.10.20.45 eq www
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit icmp any host 74.95.173.90
access-list outside_access_in extended permit icmp any host 10.10.20.45
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network DVR
 nat (inside_1,outside) static 74.95.173.90
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xx
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside_2
ssh 0.0.0.0 0.0.0.0 inside_3
ssh 0.0.0.0 0.0.0.0 inside_5
ssh 0.0.0.0 0.0.0.0 inside_6
ssh 0.0.0.0 0.0.0.0 inside_7
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 208.67.222.222 1.1.1.1
!
dhcpd address 10.10.20.50-10.10.20.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8b8ff7e10c5ad8eaac4cb9e290f5d6d8
: end
BKennedy2008 Asked:

Gary Patterson, VP Technology / Senior Consultant, Commented:
I haven't ever configured this, but I'd think you'd NAT BVI1, not the member interfaces.
Pete Long, Technical Consultant, Commented:
I really don't like bridge groups! See my comments below:
Cisco ASA 5506-X: Bridged BVI Interface

Jesus! Let's just get rid of this for a second:

!
no access-list outside_access_in extended deny ip any any log
!

And get rid of these; we are using modern NAT:

!
no access-list outside_access_in extended permit tcp any host 74.95.173.90 eq www
no access-list outside_access_in extended permit icmp any host 74.95.173.90
!

You look like you have forgotten this:

!
access-list outside_access_in extended permit tcp any host 10.10.20.45 eq 8000
!

THEN MAKE SURE your DVR is plugged into Ethernet 1/2, because of this:

object network DVR
 nat (inside_1,outside) static 74.95.173.90


You should be good to go, or simply follow my first link and set it up like a proper firewall!
If you want to put your global deny back in then please do so, but there's no need.

Pete
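The three defects Pete points at (a leading global deny, ACLs written against the NAT mapped address on a post-8.3 ASA, and object NAT bound to a single bridge-group member port) can be caught by a config lint before the box is deployed. The script below is an added example, not part of the thread or of Cisco's tooling; it parses a constructed excerpt of the question's running config and reports each pitfall.

```python
import re
# Constructed excerpt modelled on the running config in the question (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
object network DVR
 host 10.10.20.45
access-list outside_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any host 74.95.173.90 eq www
access-list outside_access_in extended permit tcp any host 10.10.20.45 eq www
object network DVR
 nat (inside_1,outside) static 74.95.173.90
"""
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) \S+ any (?:host (\S+)|any)")
NAT_RE = re.compile(r"nat \(([^,]+),[^)]+\) static (\S+)")

def lint_asa_nat(config):
    # Returns (code, detail) findings for the NAT and ACL pitfalls discussed in the thread.
    findings, aces, members, real_of, mapped_to_real = [], [], set(), {}, {}
    cur_obj, in_member = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_member = False
        elif line.startswith("bridge-group "):
            in_member = True                        # this interface is a BVI member port
        elif line.startswith("nameif ") and in_member:
            members.add(line.split()[1])
        elif line.startswith("object network "):
            cur_obj = line.split()[2]
        elif line.startswith("host ") and cur_obj:
            real_of[cur_obj] = line.split()[1]      # real (inside) address of the object
        elif (m := NAT_RE.match(line)) and cur_obj:
            src_if, mapped = m.groups()
            mapped_to_real[mapped] = real_of.get(cur_obj)
            if src_if in members:                   # NAT is tied to one physical member port
                findings.append(("NAT_ON_BRIDGE_MEMBER", f"{cur_obj}: host must be behind {src_if}"))
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
    # ACLs are first-match: a leading 'deny ip any any' shadows every later permit, and
    # since 8.3 the ACL must name the real address, not the NAT mapped one.
    deny_all = set()
    for name, action, dst in aces:
        if action == "deny" and dst is None:
            deny_all.add(name)
        elif action == "permit":
            if name in deny_all:
                findings.append(("SHADOWED_BY_DENY", f"{name}: permit to {dst or 'any'} never matches"))
            if dst in mapped_to_real:
                findings.append(("ACL_USES_MAPPED_ADDR", f"{name}: use {mapped_to_real[dst]} not {dst}"))
    return findings
```

Run `lint_asa_nat(SAMPLE_CONFIG)` to see all three classes of finding on the excerpt; the NAT_ON_BRIDGE_MEMBER entry is informational and is what the accepted answer resolved by moving the DVR to the inside_1 port.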
BKennedy2008 (Author) Commented:
You are absolutely right on the money; I did leave the bridge group in and had it plugged into the inside_1 interface. However, I am not going to use bridge groups on my other offices, now that I know. Thanks!