Static NAT problems on ASA 8.2

cymon (Limp Gawd), joined Apr 16, 2009, 453 messages
Hello all,

I am trying to get a static NAT translation working on the ASA 8.2.

Here is the actual static command:

static (outside,inside) 10.0.50.238 x.y.158.238 netmask 255.255.255.255 tcp 1000 100

the access list allowing traffic to the server:

access-list outside_access_in line 2 extended permit ip any host x.y.158.238 (hitcnt=2) 0xb2ef3a06

access-list outside_access_in line 26 extended permit ip any host 10.0.50.238 (hitcnt=0) 0x377a2797

The machine itself runs IPTables locally, so I don't do any firewalling on the ASA.

When I try and connect via SSH, the connection simply times out. Furthermore, I notice this from the output of sh nat:

NAT policies on Interface outside:
match ip outside host x.y.158.238 inside any
static translation to 10.0.50.238
translate_hits = 0, untranslate_hits = 0
 
Also, I don't have any issues accessing the Internet from that server, so it's not a general connectivity issue. PAT going outbound is fine.
 
Here is the configuration guide from Cisco just to start out : http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_static.html

Take a quick peek through that and you will probably see what's wrong.

As for the SSH problem, are you trying to hit the ASA using SSH from the inside or outside of your ASA? Do you have the ASA configured to allow connections? I.e., if you do a sh run ssh, do you have your IP address(es) or all IPs allowed to SSH via the Outside or Inside interfaces?
 
I'm trying to have static NAT configured so I can access ssh and http on the server (10.0.50.237) via its public IP address (x.y.158.238).

For this host, I want to have a static translation, independent of port numbers. The host is running iptables (and it lives in an isolated subnet) so I'm fine with using permit ip any on the ASA.

I'm not trying to ssh into the ASA - currently all remote administration on the ASA is disabled. After I get this static NAT figured out, I'm building a dedicated management network for remote admin.

This right now is just a test server - once I get this sorted out, then I'll be bringing our main public facing server behind the static NAT translation.
 
You need something like this:

static (inside,outside) tcp x.y.158.238 22 10.0.50.238 22 netmask 255.255.255.255
static (inside,outside) tcp x.y.158.238 80 10.0.50.238 80 netmask 255.255.255.255
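The point the replies are making is the interface order: on ASA 8.2 the syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip`, so the original `static (outside,inside) 10.0.50.238 x.y.158.238 ...` maps an outside host x.y.158.238 to the inside address 10.0.50.238, which is exactly what `sh nat` reports and why inbound connections to the public address never translate. The script below is an added example, not code from this thread or from Cisco: it parses 8.2 `static` lines (both the whole-host form and the per-port form the last reply uses), flags a reversed interface pair, rewrites the whole-host form the right way round, and checks the outside ACL against the 8.2 rule that interface ACLs match the mapped (public) address, which is why the entry for 10.0.50.238 shows hitcnt=0. It assumes the interface names `inside` and `outside` from the thread, and 203.0.113.238 is a constructed stand-in for the obscured x.y.158.238.

```python
"""Lint ASA 8.2 'static' NAT lines for a reversed real/mapped direction.

Added example (not code from the thread or from Cisco). It assumes only the
documented 8.2 syntax of the static command:
  static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask M] [dns] [tcp [max [emb]]] [udp max] [norandomseq]
  static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port [netmask M] [same options]
203.0.113.238 is a constructed stand-in for the thread's obscured x.y.158.238.
"""
import ipaddress
import re

PUBLIC_IP = "203.0.113.238"   # constructed stand-in for x.y.158.238
SERVER_IP = "10.0.50.238"     # the inside server from the thread

# Constructed from the thread: the poster's line and the two lines offered as the fix.
POSTED_STATIC = f"static (outside,inside) {SERVER_IP} {PUBLIC_IP} netmask 255.255.255.255 tcp 1000 100"
SUGGESTED_STATICS = [
    f"static (inside,outside) tcp {PUBLIC_IP} 22 {SERVER_IP} 22 netmask 255.255.255.255",
    f"static (inside,outside) tcp {PUBLIC_IP} 80 {SERVER_IP} 80 netmask 255.255.255.255",
]
# Constructed: the two ACL entries from the thread, without the show-output counters.
POSTED_ACL = [
    f"access-list outside_access_in extended permit ip any host {PUBLIC_IP}",
    f"access-list outside_access_in extended permit ip any host {SERVER_IP}",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_static(line):
    """Return the fields of one 8.2 static line as a dict."""
    t = line.split()
    m = re.fullmatch(r"\((\w+),(\w+)\)", t[1]) if len(t) > 3 and t[0] == "static" else None
    if not m:
        raise ValueError(f"not an 8.2 static line: {line!r}")
    e = {"real_ifc": m.group(1), "mapped_ifc": m.group(2), "proto": None,
         "mapped_port": None, "real_port": None, "netmask": "255.255.255.255",
         "tcp_max_conns": None, "tcp_emb_limit": None}
    i = 2
    if t[i] in ("tcp", "udp"):                     # per-port form
        e["proto"], e["mapped_ip"], e["mapped_port"] = t[i], t[i + 1], int(t[i + 2])
        e["real_ip"], e["real_port"] = t[i + 3], int(t[i + 4])
        i += 5
    else:                                          # whole-host form
        e["mapped_ip"], e["real_ip"] = t[i], t[i + 1]
        i += 2
    while i < len(t):                              # trailing options
        if t[i] == "netmask":
            e["netmask"], i = t[i + 1], i + 2
        elif t[i] == "tcp":                        # tcp [max_conns [emb_limit]]
            nums, i = [], i + 1
            while i < len(t) and t[i].isdigit() and len(nums) < 2:
                nums.append(int(t[i]))
                i += 1
            e["tcp_max_conns"], e["tcp_emb_limit"] = (nums + [None, None])[:2]
        elif t[i] == "udp":
            i += 2
        elif t[i] in ("dns", "norandomseq"):
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return e


def lint_static(e, server_ip, inside_ifc="inside", outside_ifc="outside"):
    """Findings for a static meant to publish server_ip (behind inside_ifc) on outside_ifc."""
    findings = []
    if e["real_ip"] != server_ip:
        findings.append(f"real address is {e['real_ip']}, expected the inside server {server_ip}")
    if (e["real_ifc"], e["mapped_ifc"]) != (inside_ifc, outside_ifc):
        findings.append(f"interface pair ({e['real_ifc']},{e['mapped_ifc']}) is reversed: the real "
                        f"interface comes first, so this maps the {e['real_ifc']} host "
                        f"{e['real_ip']} to {e['mapped_ip']} on {e['mapped_ifc']}")
    if is_rfc1918(e["mapped_ip"]) and not is_rfc1918(e["real_ip"]):
        findings.append("mapped address is RFC 1918 while the real one is not; "
                        "for an inside server the public address must be the mapped one")
    return findings


def fixed_static(e):
    """Rewrite a reversed whole-host static as the (inside,outside) form the poster asked for."""
    if e["proto"]:
        raise ValueError("only the whole-host form is rewritten here")
    opts = f" netmask {e['netmask']}"
    if e["tcp_max_conns"] is not None:
        opts += f" tcp {e['tcp_max_conns']}"
        if e["tcp_emb_limit"] is not None:
            opts += f" {e['tcp_emb_limit']}"
    return f"static ({e['mapped_ifc']},{e['real_ifc']}) {e['real_ip']} {e['mapped_ip']}{opts}"


def acl_hosts(acl_lines):
    """Host addresses referenced by 'access-list ... host X' lines."""
    return [m.group(1) for l in acl_lines for m in [re.search(r"\bhost (\S+)", l)] if m]


def lint_acl(acl_lines, mapped_ip, real_ip):
    """On 8.2 an interface ACL matches the mapped (public) address, not the real one."""
    hosts, findings = acl_hosts(acl_lines), []
    if mapped_ip not in hosts:
        findings.append(f"no ACL entry for the mapped address {mapped_ip}; inbound traffic is matched on it")
    if real_ip in hosts:
        findings.append(f"entry for the real address {real_ip} never matches on the outside interface")
    return findings


if __name__ == "__main__":
    posted = parse_static(POSTED_STATIC)
    for f in lint_static(posted, SERVER_IP):
        print("posted line:", f)
    print("whole-host fix:", fixed_static(posted))
    for line in SUGGESTED_STATICS:
        print("suggested line:", lint_static(parse_static(line), SERVER_IP) or "ok")
    for f in lint_acl(POSTED_ACL, PUBLIC_IP, SERVER_IP):
        print("acl:", f)
```

The generated whole-host line (`static (inside,outside) 203.0.113.238 10.0.50.238 netmask 255.255.255.255 tcp 1000 100`) keeps the TCP connection and embryonic limits from the original and publishes every port, which is what the poster said he wanted since iptables on the host does the filtering; the per-port lines in the reply above are the narrower alternative if only 22 and 80 should be reachable.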
 