06-27-2007 06:22 AM - edited 03-11-2019 03:36 AM
I need to do a PAT translation for SMTP. I have a 3rd party company filtering mail for us. I only want to accept mail from their IP on our ASA. Do I need to create a PAT and an ACL?
Also, when I try and set the PAT up I get an error message. The 3rd party company gave me a range of IP addresses (208.65.144.0/21). I'm trying to translate that to my Exchange server. The command I am using is: static (outside,inside) tcp 10.132.13.27 smtp 208.65.144.0 smtp netmask 255.255.248.0
Can I not map a range of outside to a single inside?
Thanks for any help you can give me.
06-27-2007 06:27 AM
You need to use a single address and your static is written wrong.
static (inside,outside) tcp 208.65.144.x smtp 10.132.13.27 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp host <3rd.party.ip> host 208.65.144.x eq smtp
access-group outside_access_in in interface outside
06-27-2007 06:35 AM
Thanks for your response.
How can I take that range of ip addresses and make this work?
06-27-2007 06:40 AM
I'm not sure I understand. They are going to send you mail to every address in that whole subnet?
06-27-2007 06:55 AM
I'm not sure why they gave me a range.
What if I create the PAT to look like this:
static (inside,outside) tcp 0.0.0.0 smtp 10.132.13.27 smtp netmask 255.255.255.255
Then set the ACL up to only allow the ISP range to use port 25.
Will that work?
06-27-2007 07:02 AM
No way, that will not work.
Is 208.65.144.0/21 your range of ip's or is this the range of ip's where your 3rd party will send you mail from?
06-27-2007 07:11 AM
Sorry, I didn't mean to say ISP. I meant the 3rd party for mail.
06-27-2007 07:19 AM
Sorry Mike, it just makes no sense to me. I would start by getting back to them and finding out what the deal is. You cannot translate a single inside server address to multiple outside addresses.
06-27-2007 07:24 AM
How about translating the ip address of the outside interface?
static (inside,outside) tcp 12.104.x.x smtp 10.132.13.27 smtp netmask 255.255.255.255
06-27-2007 07:28 AM
That will work fine. Actually it would look like this...
static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255
06-27-2007 07:32 AM
Thank you.
From there can I create an acl to only allow the 3rd party to access port 25?
06-27-2007 07:34 AM
Sure...
access-list outside_access_in permit tcp host <3rd.party.ip> host 12.104.x.x eq smtp
access-group outside_access_in in interface outside
Please rate helpful posts.
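An added example, not part of the thread and not Cisco code: a Python check that reads ASA access-list lines like the ones posted above and reports any source that is permitted to reach SMTP but lies outside the provider's 208.65.144.0/21 range. The sample configurations, the `extended` keyword, the `interface outside` destination and the function names are assumptions; only permit lines are read, so deny lines, source-port specs and object-groups are not handled.

```python
import ipaddress

# Range the mail-filtering provider gave in the thread.
PROVIDER_NET = ipaddress.ip_network("208.65.144.0/21")

def parse_addr(tok):
    """Consume one ASA address spec; return (network or None, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    if tok[0] == "interface":          # the ASA's own interface address
        return None, tok[2:]
    # "<network> <netmask>" form, e.g. 208.65.144.0 255.255.248.0
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def smtp_sources(config, acl):
    """Source networks that permit lines of `acl` let reach TCP port 25."""
    found = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", acl]:
            continue
        tok = [t for t in tok[2:] if t != "extended"]
        if tok[:1] != ["permit"] or tok[1:2] not in (["tcp"], ["ip"]):
            continue
        src, rest = parse_addr(tok[2:])
        _dst, port = parse_addr(rest)
        # No port spec means all ports; "eq <other port>" excludes SMTP.
        if port[:1] == ["eq"] and port[1] not in ("smtp", "25"):
            continue
        if src is not None:
            found.append(src)
    return found

def outside_provider(config, acl="outside_access_in"):
    """Permitted SMTP sources that are not inside the provider's range."""
    return [s for s in smtp_sources(config, acl) if not s.subnet_of(PROVIDER_NET)]

# Constructed sample configurations (not taken from the thread).
TIGHT = """\
static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp
access-group outside_access_in in interface outside
"""
LOOSE = """\
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp host 208.65.144.25 interface outside eq 25
"""
```

`outside_provider(TIGHT)` returns an empty list, while `outside_provider(LOOSE)` flags the `any` source as the entry that opens port 25 beyond the filtering provider.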
06-27-2007 07:39 AM
Thanks again. I really appreciate all your help.
06-27-2007 07:41 AM
No problem, hope everything works out.