Need help with PAT translation

mike.feeney
Level 1

I need to do a PAT translation for SMTP. I have a 3rd party company filtering mail for us. I only want to accept mail from their IP on our ASA. Do I need to create a PAT and an ACL?

Also, when I try to set the PAT up I get an error message. The 3rd party company gave me a range of IP addresses (208.65.144.0/21). I'm trying to translate that to my Exchange server. The command I am using is:

static (outside,inside) tcp 10.132.13.27 smtp 208.65.144.0 smtp netmask 255.255.248.0

Can I not map a range of outside to a single inside?

Thanks for any help you can give me.


acomiskey
Level 10

You need to use a single address and your static is written wrong.

static (inside,outside) tcp 208.65.144.x smtp 10.132.13.27 smtp netmask 255.255.255.255

access-list outside_access_in permit tcp host <3rd.party.ip> host 208.65.144.x eq smtp

access-group outside_access_in in interface outside

Thanks for your response.

How can I take that range of ip addresses and make this work?

I'm not sure I understand. They are going to send you mail to every address in that whole subnet?

I'm not sure why they gave me a range.

What if I create the PAT to look like this:

static (inside,outside) tcp 0.0.0.0 smtp 10.132.13.27 smtp netmask 255.255.255.255

Then set the ACL up to only allow the ISP range to use port 25.

Will that work?

No way, that will not work.

Is 208.65.144.0/21 your range of IPs or is this the range of IPs where your 3rd party will send you mail from?

Sorry, I didn't mean to say ISP. I meant the 3rd party for mail.

Sorry Mike, it just makes no sense to me. I would start by getting back to them and find out what the deal is. You cannot translate a single inside server address to multiple outside addresses.

How about translating the ip address of the outside interface?

static (inside,outside) tcp 12.104.x.x smtp 10.132.13.27 smtp netmask 255.255.255.255

That will work fine. Actually it would look like this...

static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

Thank you.

From there can I create an acl to only allow the 3rd party to access port 25?

Sure...

access-list outside_access_in permit tcp host <3rd.party.ip> host 12.104.x.x eq smtp

access-group outside_access_in in interface outside

Please rate helpful posts.

Thanks again. I really appreciate all your help.

No problem, hope everything works out.
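
The thread settles on a static PAT on the outside interface plus an ACL, but leaves open how to permit the whole 208.65.144.0/21 range rather than a single host. The configuration below is an added example, not taken from any post in the thread; it assumes the pre-8.3 ASA syntax used above, that 208.65.144.0/21 is the range the filtering service sends from, and `<outside.ip>` is a placeholder for the ASA's outside interface address.

```cisco
! Added example (pre-8.3 ASA syntax, as used in the thread).
! <outside.ip> is a placeholder for the outside interface address.

! Forward SMTP arriving on the outside interface to the Exchange server.
static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

! Permit SMTP only from the filtering service's range.
! /21 = 255.255.248.0, covering 208.65.144.0 through 208.65.151.255.
! ASA ACLs take a subnet mask here, not an IOS-style wildcard mask.
access-list outside_access_in extended permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp

! Explicit deny for all other SMTP sources. The implicit deny at the end
! of the ACL would drop them anyway; this entry gives the drops their own
! hit counter in "show access-list".
access-list outside_access_in extended deny tcp any interface outside eq smtp

access-group outside_access_in in interface outside

! Verify: the first trace (source inside the /21) should be allowed,
! the second (192.0.2.10, a documentation address) should be dropped by the ACL.
packet-tracer input outside tcp 208.65.144.10 1025 <outside.ip> 25
packet-tracer input outside tcp 192.0.2.10 1025 <outside.ip> 25
show access-list outside_access_in
```

Only one ACL can be bound inbound on an interface, so if an ACL is already applied to outside, add these entries to that ACL instead of binding a new one.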
