I am trying to set up NAT translation on an ASA 5505, however the new public IP address never actually becomes available after adding it. I'm sure I'm doing something stupid, but so far the problem has eluded me. Basically, I'm trying to map XX.XX.115.195 => 192.168.125.7. XX.XX.115.194 is the public IP of the firewall, and it is accessible, but 115.195 never seems to get picked up. I inherited the original configuration, so it is possible that one of the other rules is preventing this from happening. I've included what I believe are the relevant sections below.
Below is the specific rule I added. I've confirmed I'm able to reach the 125.7 server from inside the firewall on the usual ports and protocols, but from the outside the public 115.195 does not respond to anything.
static (outside,inside) 192.168.125.7 XX.XX.115.195 netmask 255.255.255.255
ASA Version 7.2(4)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.125.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.115.194 255.255.255.248
!
access-list outside-in extended permit tcp any host XX.XX.115.194 eq 44000
access-list outside-in extended permit tcp any host XX.XX.115.194 eq https
access-list outside-in extended permit tcp any host XX.XX.115.194 eq 4000
access-list inside_nat0_outbound extended permit ip any 192.168.125.192 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 44000 192.168.125.15 44000 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.125.15 https netmask 255.255.255.255
static (inside,outside) tcp interface 4000 192.168.125.15 4000 netmask 255.255.255.255
static (outside,inside) 192.168.125.7 XX.XX.115.195 netmask 255.255.255.255
access-group outside-in in interface outside
Best Answer
You have your NAT statement flipped... it should be
After doing this, your ACLs need to permit inbound traffic
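Both points in the answer can be checked mechanically. The script below is an added example, not part of the original question or answer: it audits pre-8.3 host statics, whose syntax is `static (real_ifc,mapped_ifc) mapped_ip real_ip`, for a reversed interface/address order and for a mapped address that the inbound ACL does not permit. The sample config is constructed from the question, with the redacted XX.XX prefix replaced by the documentation range 203.0.113.0/24; the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the question's config, with the redacted
# XX.XX prefix replaced by the documentation range 203.0.113.0/24.
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list outside-in extended permit tcp any host 203.0.113.194 eq https
static (inside,outside) tcp interface https 192.168.125.15 https netmask 255.255.255.255
static (outside,inside) 192.168.125.7 203.0.113.195 netmask 255.255.255.255
access-group outside-in in interface outside
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_STATIC = re.compile(r"static \((\w+),(\w+)\) (\d\S+) (\d\S+) netmask (\S+)")

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def audit(config):
    """Check pre-8.3 host statics: 'static (real_ifc,mapped_ifc) mapped_ip real_ip'."""
    levels, permitted, bound, statics, findings = {}, {}, {}, [], []
    ifc = None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["nameif"]:
            ifc = tok[1]
        elif tok[:1] == ["security-level"] and ifc:
            levels[ifc] = int(tok[1])
        elif tok[:1] == ["access-list"] and "permit" in tok and "host" in tok:
            # Destination host is the address after the last 'host' keyword.
            dest = tok[len(tok) - 1 - tok[::-1].index("host") + 1]
            permitted.setdefault(tok[1], set()).add(dest)
        elif tok[:1] == ["access-group"] and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
        elif (m := HOST_STATIC.match(line)):  # port-forward statics are skipped
            statics.append(m.groups())
    for real_ifc, mapped_ifc, mapped, real, mask in statics:
        # Private address presented toward the higher-security side: order is flipped.
        if levels[real_ifc] < levels[mapped_ifc] and is_rfc1918(mapped) and not is_rfc1918(real):
            fix = f"static ({mapped_ifc},{real_ifc}) {real} {mapped} netmask {mask}"
            findings.append(("reversed", fix))
        elif mapped not in permitted.get(bound.get(mapped_ifc), set()):
            findings.append(("no-inbound-permit", mapped))
    return findings
```

Run `audit()` on the text of `show running-config`; an empty list means every host static is oriented inside-to-outside and has at least one permit in the ACL bound inbound on its mapped interface.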