ASA 5510 v7.2.2 PAT and static PAT using one IP address

hani_altaher
Level 1

Dear ALL

I have configured an ASA 5510 v7.2.2 for PAT (for browsing and accessing the Internet for local users), and also static PAT for the mail server (MS Exchange) to access their mail server (static PAT for SMTP, POP3, HTTP, HTTPS), using only one real IP address for both PAT and static PAT. The internal users are browsing and accessing the Internet normally, but the problem is that static PAT works only for SMTP, HTTP, and HTTPS and does not work for POP3. I made a static PAT for POP3 and added an ACL for POP3 on the outside interface, as I did for SMTP, HTTP, and HTTPS.

kindest Regards

6 Replies

vitripat
Level 7

There aren't any known issues with POP3 using the interface IP as static PAT. Could you please paste your configuration (statics and ACLs) and also explain in detail what exact problem you are facing with POP3?

Regards,

Vibhor.

name 192.168.30.30 ISA-Server description ISA Server
name 192.168.30.5 MailExchange description Mail Server
name X.X.X.X RealIPaddress
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 pppoe client vpdn group DSL-OUT
 ip address pppoe setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
access-list Outside_access_in extended permit tcp any host RealIPaddress eq https
access-list Outside_access_in extended permit tcp any host RealIPaddress eq www
access-list Outside_access_in extended permit tcp any host RealIPaddress eq pop3
access-list Outside_access_in extended permit tcp any host RealIPaddress eq smtp
global (Outside) 1 interface
nat (inside) 1 192.168.30.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
static (inside,Outside) tcp interface https MailExchange https netmask 255.255.255.255
static (inside,Outside) tcp interface www MailExchange www netmask 255.255.255.255
static (inside,Outside) tcp interface smtp MailExchange smtp netmask 255.255.255.255
static (inside,Outside) tcp interface pop3 MailExchange pop3 netmask 255.255.255.255
access-group Outside_access_in in interface Outside

--------------------

The problem: I cannot connect to the MAIL server using POP3 only.

Hello,

I'm not sure what "RealIPaddress" is; however, your ACLs should be like this:

access-list Outside_access_in extended permit tcp any interface outside eq https
access-list Outside_access_in extended permit tcp any interface outside eq www
access-list Outside_access_in extended permit tcp any interface outside eq pop3
access-list Outside_access_in extended permit tcp any interface outside eq smtp
access-group Outside_access_in in interface Outside

Still, if things don't work, please let me know if we have any syslogs when a connection attempt is made from outside.

Regards,

Vibhor.

Dear vibhor

RealIPaddress is the IP address of the outside interface. I am offsite now and cannot get the syslog.

kind regards

Instead of actually using the IP address in the ACL, I'd recommend using the keyword "interface outside". Once this is done, the configuration looks fine to me, and once we have syslogs we can pinpoint whether the issue is on the client side or the server side.

From the internal network itself, are you able to connect to the POP3 server?

Regards,

Vibhor.

Dear Vibhor

I will try to do it as soon as I can and tell you.

Regarding POP3, it is working internally, and during troubleshooting I connected the Internet connection directly to the mail server and all ports (POP3, HTTP, HTTPS, and SMTP) are working normally.
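The pairing the replies check by eye (every static PAT on the outside interface needs a matching inbound permit, and every permit should have a static behind it) can be scripted. The following is an added example, not part of the thread or of any Cisco tool; it handles only the command forms quoted in this thread, and `audit`, `iface_addr_names` and `PORTS` are names assumed for illustration.

```python
import re

# Constructed input: the NAT/ACL lines from the configuration posted above,
# with the wrapped netmasks rejoined. "RealIPaddress" is the poster's name
# for the outside interface address.
CONFIG = """\
access-list Outside_access_in extended permit tcp any host RealIPaddress eq https
access-list Outside_access_in extended permit tcp any host RealIPaddress eq www
access-list Outside_access_in extended permit tcp any host RealIPaddress eq pop3
access-list Outside_access_in extended permit tcp any host RealIPaddress eq smtp
static (inside,Outside) tcp interface https MailExchange https netmask 255.255.255.255
static (inside,Outside) tcp interface www MailExchange www netmask 255.255.255.255
static (inside,Outside) tcp interface smtp MailExchange smtp netmask 255.255.255.255
static (inside,Outside) tcp interface pop3 MailExchange pop3 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

STATIC = re.compile(r"static \(\S+,(\S+)\) (tcp|udp) interface (\S+) \S+ \S+")
PERMIT = re.compile(r"access-list (\S+) extended permit (tcp|udp) any "
                    r"(?:host (\S+)|interface \S+) eq (\S+)")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
PORTS = {"25": "smtp", "80": "www", "110": "pop3", "443": "https"}  # number -> ASA name

def audit(config, iface_addr_names=("RealIPaddress",)):
    """Return (blocked, unused): static PAT ports with no inbound permit, and
    permits to the interface address that have no static PAT behind them."""
    statics, permits, groups = set(), set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.add((m[1].lower(), m[2], PORTS.get(m[3], m[3])))
        elif m := PERMIT.match(line):
            # Count only entries whose destination is the interface address,
            # given by keyword or by a name the caller says equals it.
            if m[3] is None or m[3] in iface_addr_names:
                permits.add((m[1], m[2], PORTS.get(m[4], m[4])))
        elif m := GROUP.match(line):
            groups[m[1]] = m[2].lower()  # ACL name -> interface it filters
    opened = {(groups[acl], proto, port)
              for acl, proto, port in permits if acl in groups}
    return sorted(statics - opened), sorted(opened - statics)

if __name__ == "__main__":
    blocked, unused = audit(CONFIG)
    print("static PAT without permit:", blocked)
    print("permit without static PAT:", unused)
```

Both lists come back empty for the posted lines, which matches the reply's reading that the statics and ACL entries line up. A non-empty second list is worth reviewing as well, since it marks a port opened on the outside interface with no published service behind it.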
