06-29-2007 12:23 PM - edited 03-09-2019 06:18 PM
I have recently installed an ASA5510. I need to forward certain incoming internet traffic to a few internal servers as below:
These 3 are already configured with NAT and security policy via ASDM.
tcp-smtp traffic from 66.66.66.66 goes to 192.168.1.16
tcp-http traffic from 66.66.66.66 goes to 192.168.1.16
tcp-https traffic from 66.66.66.66 goes to 192.168.1.16
However, I'm not quite sure how to accomplish the following since it doesn't allow me to overlap the 192.168.1.x subnet:
tcp-pptp traffic from 66.66.66.66 goes to 192.168.1.10
ip-gre47 from 66.66.66.66 goes to 192.168.1.10
where 66.66.66.66 is part of our external subnet.
06-29-2007 12:39 PM
static (inside,outside) tcp 66.66.66.66 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 www 192.168.1.16 www netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 https 192.168.1.16 https netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255
The last one won't work.
06-29-2007 02:30 PM
It's complaining about
ERROR: mapped-address conflict with existing static inside:192.168.1.16 to outside:66.66.66.66 netmask 255.255.255.255
when I do
static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255
06-29-2007 06:23 PM
Post a "show run static" before you input that command that you got an error on.
06-30-2007 03:36 AM
ciscoasa(config)# show run static
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255 *this is only a temp solution for us*
ciscoasa(config)# static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10$
ERROR: mapped-address conflict with existing static
inside:192.168.1.16 to outside:66.66.66.133 netmask 255.255.255.255
and this is from the config:
access-list dzm extended permit ip any any
access-list dzm extended permit icmp any any
access-list ouside extended permit ip any any
access-list cont_in extended permit ip host 66.66.66.135 any
access-list outside extended permit tcp any host 66.66.66.134
access-list outside extended permit tcp any host 66.66.66.132 eq 3103
access-list outside extended permit tcp any host 66.66.66.133 eq smtp
access-list outside extended permit tcp any host 66.66.66.133 eq www
access-list outside extended permit tcp any host 66.66.66.133 eq https
access-list outside extended permit udp any host 66.66.66.133 eq www
access-list outside extended permit gre any host 66.66.66.137
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0
access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool rock-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255
static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255
static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
06-30-2007 06:48 AM
I don't think it likes that you already have a static for 1.10.
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
You would have to remove that, make it port forwarding for whichever ports you needed, then add the port forward for pptp.
no static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.137 whatever 192.168.1.10 whatever netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255
06-30-2007 12:47 PM
I tried
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255
But emails are not coming in, nor can we connect to 66.66.66.133 pptp from the internet.
The only way I could make it work is
access-list outside extended permit tcp any host 66.66.66.133 eq smtp
access-list outside extended permit tcp any host 66.66.66.137 eq pptp
static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255
static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255
access-group outside in interface outside
I want to keep both services on the outside 66.66.66.133 but it wouldn't allow me to do so. I don't know how I can accomplish that.
06-30-2007 03:30 PM
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255
access-list outside extended permit tcp any host 66.66.66.133 eq smtp
access-list outside extended permit tcp any host 66.66.66.133 eq pptp
access-group outside in interface outside
clear xlate
That should work how you had it.
06-30-2007 04:18 PM
It works great! Thank you very much!
You've mentioned that static wouldn't work with GRE. Is there any workaround if I want to do something like this?
static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255
static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255
access-list outside extended permit tcp any host 66.66.66.133 eq smtp
access-list outside extended permit tcp any host 66.66.66.133 eq pptp
access-list outside extended permit ip any host 66.66.66.133 eq 47
Do you think you can look at another issue I have when you get a chance?
Thanks again!
06-30-2007 05:14 PM
These commands will not work
static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255
access-list outside extended permit ip any host 66.66.66.133 eq 47
Your option is to use another ip address (if you have one or you can use the ASA interface ip) for the gre like this...
static (inside,outside) 66.66.66.1xx 192.168.1.10 netmask 255.255.255.255
access-list outside extended permit ip any host 66.66.66.1xx eq 47
but you would have to get rid of your other static with 192.168.1.10
no static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255
Please rate helpful posts above.
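The two failure modes in this thread (a one-to-one static and a port static fighting over the same mapped IP, and the attempt to port-forward GRE, which has no ports) are easy to trip over again when the static list grows. The following is an added example, not code from the thread or from Cisco: a small Python model of the static rules the posts expose, so a proposed set of static commands can be sanity-checked offline before it is pasted into the ASA. The conflict and "tcp/udp only" rules are modelled from the behaviour shown above (the error message quoted in the thread and the responder's note that the `ip ... 47` form is not accepted); the port-name table is a constructed subset of what the ASA resolves itself, and the addresses are the thread's own.

```python
"""Model of the ASA 'static' mapped-address rules seen in this thread.

Added example, not Cisco code. Modelled behaviour (from the posts above):
- a one-to-one static owns every protocol/port on its mapped IP;
- port statics may share a mapped IP if (protocol, mapped port) differ;
- only tcp/udp can be port-forwarded, so GRE (IP protocol 47) needs a
  one-to-one static on a separate mapped IP plus an ACL line permitting gre.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the port keywords the ASA resolves itself.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pptp": 1723}


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    mask: str
    proto: Optional[str] = None        # None = one-to-one static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def overlaps(self, other: "Static") -> bool:
        """True if both statics claim the same slot on the same mapped IP."""
        if (self.mapped_if, self.mapped_ip) != (other.mapped_if, other.mapped_ip):
            return False
        if self.proto is None or other.proto is None:
            return True                # a one-to-one static owns the whole IP
        return (self.proto, self.mapped_port) == (other.proto, other.mapped_port)


def parse_static(line: str) -> Static:
    t = line.split()
    if len(t) < 3 or t[0] != "static" or not t[1].startswith("("):
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):
        if len(t) != 9 or t[7] != "netmask":
            raise ValueError(f"bad port static: {line!r}")
        return Static(real_if, mapped_if, t[3], t[5], t[8], t[2],
                      port_number(t[4]), port_number(t[6]))
    if t[2] == "ip":
        # The form tried for GRE in the thread: static only port-maps tcp/udp.
        raise ValueError("static can only port-forward tcp/udp; protocol 47 (GRE) "
                         "has no ports, use a one-to-one static on a separate mapped IP")
    if len(t) != 6 or t[4] != "netmask":
        raise ValueError(f"bad one-to-one static: {line!r}")
    return Static(real_if, mapped_if, t[2], t[3], t[5])


def check_statics(lines: List[str]) -> Tuple[List[Static], List[str]]:
    """Apply statics in order; return those accepted and the errors raised."""
    accepted: List[Static] = []
    errors: List[str] = []
    for line in lines:
        try:
            s = parse_static(line)
        except ValueError as exc:
            errors.append(f"ERROR: {exc}")
            continue
        if s in accepted:              # re-entering an identical static is a no-op
            continue
        clash = next((e for e in accepted if e.overlaps(s)), None)
        if clash is not None:
            errors.append("ERROR: mapped-address conflict with existing static "
                          f"{clash.real_if}:{clash.real_ip} to "
                          f"{clash.mapped_if}:{clash.mapped_ip} netmask {clash.mask}")
            continue
        accepted.append(s)
    return accepted, errors


def acl_for(s: Static, acl: str = "outside", protos: Tuple[str, ...] = ()) -> List[str]:
    """Inbound ACL line(s) that admit traffic to the static's mapped IP.
    A port static needs one line; a one-to-one static opens nothing by itself,
    so the caller names what to admit, e.g. ("gre", "tcp/1723")."""
    if s.proto:
        return [f"access-list {acl} extended permit {s.proto} any host "
                f"{s.mapped_ip} eq {s.mapped_port}"]
    out = []
    for p in protos:
        proto, _, port = p.partition("/")
        suffix = f" eq {port}" if port else ""
        out.append(f"access-list {acl} extended permit {proto} any host {s.mapped_ip}{suffix}")
    return out


if __name__ == "__main__":
    # The OP's original attempt, the accepted fix, and the GRE attempt.
    for scenario in (
        ["static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255",
         "static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255"],
        ["static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255",
         "static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255"],
        ["static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255"],
    ):
        ok, errs = check_statics(scenario)
        print(len(ok), "accepted;", *errs, sep="\n  ")
```

Feeding the first scenario (the one-to-one static for .133 plus the pptp port static on .133) reproduces the exact mapped-address conflict quoted in the thread; the second (two port statics on .133 with different ports) is accepted, which is why the `smtp` plus `pptp` combination worked once the one-to-one static was removed. `acl_for` on a one-to-one static with `("gre", "tcp/1723")` yields the same two ACL lines the OP ended up with for 66.66.66.137, which is the only way to get GRE through, since it has no port to forward on.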
06-30-2007 05:25 PM
Thanks, I will post about your other issue in a moment.
07-04-2007 08:40 AM
Hello,
We've got another problem. Do you think you have a moment to help?