Thanks for your help.

When I run the nat statements the following is returned, I am not onsite with the device so having to send the commands from the CLI in the ASDM.

Result of the command: "nat (inside, outside) source static InfoExchange_Internal InfoExchange_Ext service https https"

nat (inside, outside) source static InfoExchange_Internal InfoExchange_Ext servi            ^ce https https

ERROR: % Invalid input detected at '^' marker.

Result of the command: "nat (inside, outside) source static InfoExchange_Internal InfoExchange_Ext service tcp http http"

nat (inside, outside) source static InfoExchange_Internal InfoExchange_Ext servi            ^ce tcp http http

ERROR: % Invalid input detected at '^' marker.

Yeah sorry it was a space infront of "outside".

nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service http http
nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service https https

Also I saw now that your service object is wrong. So remove the service objects "http" and "https" and add these:

object service http
 service tcp destination eq www
object service https
 service tcp destination eq https

Updated the service objects and created the NAT rules and updated the ACL but am still not able to access the server. Here is the current config. Thanks for the help.

: Saved

:

ASA Version 9.0(4)

!

hostname ciscoasa

enable password xxxxxxxxxxxxxxxxx encrypted

names

ip local pool VPNPool 10.200.59.10-10.200.59.35 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.200.58.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 50.xxx.xxx.249 255.255.255.248

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.200.58.0_24

subnet 10.200.58.0 255.255.255.0

object network NETWORK_OBJ_10.200.59.0_26

subnet 10.200.59.0 255.255.255.192

object network InfoExchange_Internal

host 10.200.58.6

object service http

service tcp destination eq www

description Http

object service https

service tcp destination eq https

description https

object network InfoExchange_Ext

host 50.xxx.xxx.251

object network Outside_IPs

range 50.xxx.xxx.249 50.xxx.xxx.253

access-list XXXX_splitTunnelAcl standard permit 10.200.58.0 255.255.255.0

access-list outside_access_in extended permit tcp object InfoExchange_Ext object InfoExchange_Internal eq www

access-list outside_access_in extended permit object https object InfoExchange_Ext object InfoExchange_Internal

access-list outside_access_in extended permit tcp any object InfoExchange_Internal eq www

access-list outside_access_in extended permit tcp any object InfoExchange_Internal eq https

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static NETWORK_OBJ_10.200.58.0_24 NETWORK_OBJ_10.200.58.0_24 destination static NETWORK_OBJ_10.200.59.0_26 NETWORK_OBJ_10.200.59.0_26 no-proxy-arp route-lookup

nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service http http

nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service https https

!

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 50.xxx.xxx.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable 4433

http 192.168.1.0 255.255.255.0 inside

http 10.200.58.0 255.255.255.0 inside

http 10.200.59.0 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

.....

6c2527b9 deb78458 c61f381e a4c4cb66

quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy XXXX internal

group-policy XXXX attributes

dns-server value 10.200.58.15 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value XXXX_splitTunnelAcl

username xxxxxx password xxxxxxxxxxxxx encrypted privilege 0

username xxxxx attributes

vpn-group-policy XXXX

username xxxxxxx password xxxxxxxxxxxxxxxencrypted privilege 0

username xxxxxxxattributes

vpn-group-policy XXXX

tunnel-group XXXX type remote-access

tunnel-group XXXX general-attributes

address-pool VPNPool

default-group-policy XXXX

tunnel-group XXXX ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:1b852966651e699eb81fa4754daa4ef3

: end

no asdm history enable

Can you post the output of -

1) "packet-tracer input outside tcp 8.8.8.8 12345 50.x.x.251 http"

2) "sh nat"

Jon

Here are the results, thanks

Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 50.xxx.xxx.251 http"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   50.xxx.xxx.248  255.255.255.248 outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Result of the command: "sh nat"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NETWORK_OBJ_10.200.58.0_24 NETWORK_OBJ_10.200.58.0_24   destination static NETWORK_OBJ_10.200.59.0_26 NETWORK_OBJ_10.200.59.0_26 no-proxy-arp route-lookup
    translate_hits = 5, untranslate_hits = 5
2 (inside) to (outside) source static InfoExchange_Internal InfoExchange_Ext   service http http
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static InfoExchange_Internal InfoExchange_Ext   service https https
    translate_hits = 11, untranslate_hits = 11

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface 
    translate_hits = 27798, untranslate_hits = 882

It seems to be ignoring the NAT entry and moving on to the dynamic entry.

Can you post output of -

"packet-tracer outside input tcp 8.8.8.8 12345 50.x.x.251 https"

by the way, in your last post you showed the whole public IP. Can you edit that as you don't want that on a public forum.

Jon

Result of the command: "packet-tracer outside input tcp 8.8.8.8 12345 50.xxx.xxx.251 https"

packet-tracer outside input tcp 8.8.8.8 12345 50.xxx.xxx.251 https
              ^
ERROR: % Invalid input detected at '^' marker.

Thanks for the reminder about the IP, I meant to redact that before posting.

Sorry I got the outside and input the wrong way round -

"packet-tracer input outside tcp 8.8.8.8 12345 50.x.x.251 https"

Jon

Thanks,

Result of the command: "packet-tracer input outside tcp 8.8.8.8 12345 50.xxx.xxx.251 https"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   50.xxx.xxx.248  255.255.255.248 outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

It doesn't seem to be hitting the static translations.

Can you try -

1) clear the xlate table

2) save the config and run packet-tracer command again.

No need to post output just tell me whether you see the same.

While you are doing that I will rewrite your NAT statements and we will try something different.

Jon

Thanks Jon, I cleared the xlate table and re-ran the packet tracer with the same result.

Jon, I corrected the external IP from 241 to 251, a couple of the commands threw errors, see below.

Result of the command: "no nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service http http"

The command has been sent to the device

Result of the command: "no nat (inside,outside) source static InfoExchange_Internal InfoExchange_Ext service https https"

The command has been sent to the device

Result of the command: "no nat(inside,outside) dynamic interface"

no nat(inside,outside) dynamic interface
      ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "nat (inside,outside) after-auto source dynamic obj-any interface"

ERROR: obj-any doesn't match an existing object or object-group

Result of the command: "object network InfoExchange_Internal"

The command has been sent to the device

Result of the command: "nat (inside,outside) static 50.xxx.xxx.251 service tcp http http"

The command has been sent to the device

Result of the command: "object network InfoExchange_Internal"

The command has been sent to the device

Result of the command: "host 10.200.58.6"

The command has been sent to the device

Result of the command: "nat (inside,outside) static 50.xxx.xxx.251 service tcp https https"

The command has been sent to the device