Hello everyone, I am a newbie and I have a lab like this: I can't publish this web server to the outside. I hope someone can help me, please. Thank you very much. I sincerely apologize in advance for my English and my knowledge during the discussion.
First of all: Yes, this question would be better placed in the CCNA Security Group.
Now to your question: Why do you do NAT on the router? The ASA can do NAT much better and more flexibly than an IOS router.
So my suggestion would be to remove the 2911 router completely from your topology and connect the outside interface of your ASA directly to the ethernet line to the ISP. In this case, the outside interface of your ASA will have the IP address 220.127.116.11/29 and its default gateway would be the IP address of the ISP router (which you have not included in the information you provided).
Btw.: if you really want to keep that router in your topology, it would have been better to specify that IP address also in the default route of your router, because it is very bad practice to point the default route only at an ethernet interface without specifying an IP next-hop address. If you only specify the interface and no IP next-hop, the configuration relies on proxy-ARP being enabled on the ISP router, and you shouldn't rely on that, because the ISP router is not under your administration. Another disadvantage of your configuration is that the ARP table of your 2911 router will be filled up unnecessarily with internet IP addresses. If you specify the ISP IP address as next-hop, you will instead only have the ISP IP address as ARP entry for interface Gi0/1. This point about always specifying a default route with an IP next-hop address (if possible) may be part of CCNA R&S knowledge.
Now my suggestion for the ASA configuration (only the relevant parts and without the default route, because you haven't told me the ISP IP address, which I would need to specify the default route on the ASA):
! Web server objects: real (DMZ) address and mapped (outside) address.
! 172.24.46.2 is the inside address of the web server from your current ACL;
! <WebServerOutsideIP> is a placeholder for the public address you want to use for it.
object network WebServerInside
 host 172.24.46.2
object network WebServerOutside
 host <WebServerOutsideIP>
! Twice NAT: traffic from outside to WebServerOutside is translated to WebServerInside
nat (outside,DMZ) source static any any destination static WebServerOutside WebServerInside unidirectional
! DMZ network: dynamic PAT behind the outside interface address for outgoing traffic
object network DMZ
 subnet 18.104.22.168 255.255.255.0
 nat (DMZ,outside) dynamic interface
! Inside networks: dynamic PAT behind the outside interface address for outgoing traffic
object network InsideSupernet
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
! ACL on the outside interface: since 8.3 the real (inside) address is the destination
access-list from-outside extended permit tcp any object WebServerInside eq 80
access-list from-outside extended permit icmp any object WebServerInside
access-group from-outside in interface outside
! Static routes to the inside networks via the inside next-hop 10.1.70.1
route inside 10.1.10.0 255.255.255.0 10.1.70.1
route inside 10.1.20.0 255.255.255.0 10.1.70.1
route inside 10.1.30.0 255.255.255.0 10.1.70.1
route inside 10.1.40.0 255.255.255.0 10.1.70.1
route inside 10.1.50.0 255.255.255.0 10.1.70.1
route inside 10.1.60.0 255.255.255.0 10.1.70.1
Static NAT rules are bidirectional by default, but since I used the keyword "unidirectional" for the access to the web server from outside, it would even be possible to use "interface" instead of "WebServerOutside", so that every connection from outside to the IP address of the outside interface of the ASA will be redirected to your web server in the DMZ.
I hope this answer (with removing the 2911 router from the topology) will be helpful for you. But even if you want to leave the 2911 router in your topology, you can (with a configuration similar to my suggestion) realize the NAT configuration on the 2911 with static NAT only, without PAT.
What I forgot to mention (even if I corrected that point in my suggestion of a different topology):
Since ASA firmware 8.3 you have to specify the "real destination" of a packet in ACLs. Even if the packet was destined to the "outside NAT address", you have to specify the "inside address of your webserver" in the permit statement in your ACL. So in your current configuration, you have to change:
access-list out_to_dmz extended permit tcp any host 22.214.171.124 eq www
to:
access-list out_to_dmz extended permit tcp any host 172.24.46.2 eq www
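The 8.3+ rule above (ACLs match on real, pre-NAT addresses) is easy to get wrong when a config is migrated. The following checker is an added example, not code from this thread or from Cisco: it parses network objects and twice-NAT "destination static MAPPED REAL" rules from a constructed sample config and flags ACL entries that still reference the mapped (outside) address or object, suggesting the real-address form. The sample config and addresses are constructed for illustration.

```python
import re

# Constructed sample modelled on the thread's configuration (not a captured config).
SAMPLE_CONFIG = """\
object network WebServerInside
 host 172.24.46.2
object network WebServerOutside
 host 22.214.171.124
nat (outside,DMZ) source static any any destination static WebServerOutside WebServerInside unidirectional
access-list out_to_dmz extended permit tcp any host 22.214.171.124 eq www
access-list out_to_dmz extended permit tcp any host 172.24.46.2 eq www
access-list out_to_dmz extended permit icmp any object WebServerOutside
"""


def parse_host_objects(config):
    """Map every 'object network NAME' that has a 'host' line to its IP address."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects


def parse_mapped_to_real(config, objects):
    """From twice-NAT rules, map mapped (outside) names and IPs to real (inside) ones."""
    mapping = {}
    for line in config.splitlines():
        m = re.search(r"destination static (\S+) (\S+)", line)
        if m:
            mapped, real = m.groups()
            mapping[mapped] = real
            if mapped in objects and real in objects:
                mapping[objects[mapped]] = objects[real]
    return mapping


def find_mapped_acl_entries(config):
    """Return (offending_line, suggested_line) for ACL entries using a mapped address."""
    mapping = parse_mapped_to_real(config, parse_host_objects(config))
    findings = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        # Since 8.3 both source and destination are matched on real addresses,
        # so any token that is a mapped object or IP is a mistake.
        for token in line.split():
            if token in mapping:
                findings.append((line, line.replace(token, mapping[token])))
                break
    return findings
```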
I'm glad that I could help. Why did you insert the router in your design? Was it because you didn't know about all the cool NAT possibilities of a Cisco ASA (which are much more than the NAT possibilities of an IOS router)? Or did you use the router as a "media converter", because the ASA5505 has FastEthernet ports only and the line towards the ISP is Gigabit only (in that case, I would prefer to use a switch instead of a router)?
Just for the record: If you remove the keyword "unidirectional" from the NAT rule for the web server, outgoing traffic from your web server will also be NATted behind the "outside NAT address" of the web server and not behind the outside interface IP of the ASA (like with the unidirectional keyword). But in that case, you really need a separate "outside IP" for the web server, and you can't use the outside interface IP address for both at the same time: dynamic NAT for the inside networks and static NAT for making the web server accessible from the internet.
If you want to make more than one service accessible from the internet, which run on different servers, you may restrict the twice NAT rule for the web server to one service and add such NAT rules for the other services as well:
! Service objects used to restrict each twice NAT rule to one protocol/port
object service HTTP
 service tcp destination eq www
object service SMTP
 service tcp destination eq smtp
object service POP3
 service tcp destination eq pop3
object service IMAP4
 service tcp destination eq imap4
! One rule per service; the mail rules assume objects MailServerOutside and
! MailServerInside defined like the web server objects (one outside address, the real DMZ address)
nat (outside,DMZ) source static any any destination static WebServerOutside WebServerInside service HTTP HTTP unidirectional
nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service SMTP SMTP unidirectional
nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service POP3 POP3 unidirectional
nat (outside,DMZ) source static any any destination static MailServerOutside MailServerInside service IMAP4 IMAP4 unidirectional
And it would be nice if you marked my answer as helpful or correct, if it was helpful for you. Thanks.