Need help with PAT translation

Answered Question
Jun 27th, 2007

I need to do a PAT translation for SMTP. I have a 3rd party company filtering mail for us. I only want to accept mail from their IP on our ASA. Do I need to create a PAT and an ACL?

Also, when I try and set the PAT up I get an error message. The 3rd party company gave me a range of IP addresses (208.65.144.0/21). I'm trying to translate that to my Exchange server. The command I am using is: static (outside,inside) tcp 10.132.13.27 smtp 208.65.144.0 smtp netmask 255.255.248.0

Can I not map a range of outside to a single inside?

Thanks for any help you can give me.

Correct Answer
acomiskey Wed, 06/27/2007 - 06:27

You need to use a single address and your static is written wrong.

static (inside,outside) tcp 208.65.144.x smtp 10.132.13.27 smtp netmask 255.255.255.255

access-list outside_access_in permit tcp host <3rd.party.ip> host 208.65.144.x eq smtp

access-group outside_access_in in interface outside

mike.feeney Wed, 06/27/2007 - 06:35

Thanks for your response.

How can I take that range of ip addresses and make this work?

acomiskey Wed, 06/27/2007 - 06:40

I'm not sure I understand. They are going to send you mail to every address in that whole subnet?

mike.feeney Wed, 06/27/2007 - 06:55

I'm not sure why they gave me a range.

What if I create the PAT to look like this-

static (inside,outside) tcp 0.0.0.0 smtp 10.132.13.27 smtp netmask 255.255.255.255

Then set the ACL up to only allow the ISP range to use port 25.

Will that work?

acomiskey Wed, 06/27/2007 - 07:02

No way, that will not work.

Is 208.65.144.0/21 your range of ip's or is this the range of ip's where your 3rd party will send you mail from?

acomiskey Wed, 06/27/2007 - 07:19

Sorry Mike, it just makes no sense to me. I would start by getting back to them and find out what the deal is. You cannot translate a single inside server address to multiple outside addresses.

mike.feeney Wed, 06/27/2007 - 07:24

How about translating the ip address of the outside interface?

static (inside,outside) tcp 12.104.x.x smtp 10.132.13.27 smtp netmask 255.255.255.255

Correct Answer
acomiskey Wed, 06/27/2007 - 07:28

That will work fine. Actually it would look like this...

static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

mike.feeney Wed, 06/27/2007 - 07:32

Thank you.

From there can I create an acl to only allow the 3rd party to access port 25?

Correct Answer
acomiskey Wed, 06/27/2007 - 07:34

Sure...

access-list outside_access_in permit tcp host <3rd.party.ip> host 12.104.x.x eq smtp

access-group outside_access_in in interface outside

Please rate helpful posts.
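
Added example, not part of the original thread: the static PAT and ACL from the answers above combined into one configuration, with the ACL source widened from a single host to the provider's whole range. It assumes 208.65.144.0/21 is the range the filtering provider sends mail from (the thread never confirms this) and uses the pre-8.3 ASA syntax seen in the posts.

```cisco
! Assumptions (not confirmed in the thread):
!   208.65.144.0/21  = SOURCE range the filtering provider delivers from
!   10.132.13.27     = inside Exchange server
!   outside interface address (12.104.x.x in the thread) = public MX target

! What the question tried (rejected by the ASA): the provider's range was
! placed in the address slot of an (outside,inside) static. The provider's
! range is a traffic source to filter on, not an address to translate.
!   static (outside,inside) tcp 10.132.13.27 smtp 208.65.144.0 smtp netmask 255.255.248.0

! 1. Forward TCP/25 arriving on the outside interface to the Exchange server.
static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

! 2. Permit SMTP only when the source falls inside the provider's /21.
!    255.255.248.0 is the /21 mask. "interface outside" matches the
!    firewall's own outside address, which is the mapped address in step 1.
access-list outside_access_in permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp

! 3. Bind the ACL inbound on the outside interface. The implicit deny at
!    the end of the ACL drops SMTP from every other source.
!    Only one ACL can be bound per interface per direction: if one is
!    already applied inbound on outside, add the permit line to that ACL
!    instead of binding a new name.
access-group outside_access_in in interface outside

! Checks from privileged EXEC after sending a test message:
!   show access-list outside_access_in   (hit count on the permit line)
!   show xlate                           (the static port translation)
```

A hit count that stays at zero while mail is being rejected usually means the provider is delivering from an address outside the range configured in step 2.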
