08-16-2007 11:24 AM - edited 03-11-2019 03:58 AM
I am phasing out a Sonicwall 1260 with an ASA 5510 cluster. The Sonicwall uses PAT with a single public IP.
Email, VPN, FTP and other services are coming in through the WAN interface and are port forwarded to their destination servers on the LAN.
Today I was having an issue with getting services through the ASA 7.2 OS, and the ACL kept blocking the connections.
I believe it's down to the fact that the outside IP is the same as the IP the connections are going to, e.g. the MX record points to the outside IP and any connections on port 25 are being dropped.
Am I doing something wrong, or does the ASA want to PAT the internal network to one IP and have external connections come in on a separate IP?
The .128 mask is down to the ISP and their setup, and I don't have that many addresses available!
Any help appreciated
interface Ethernet0/0
description Link to LAN
speed 100
duplex full
nameif inside
security-level 100
ip address 192.1.1.252 255.255.255.0 standby 192.1.1.253
!
interface Ethernet0/1
description Link to ICE
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.10 255.255.255.128 standby x.x.x.31
access-list outside_in extended permit tcp any host x.x.x.10 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in deny ip any any log
access-group outside_in in interface outside
global (outside) 1 interface
nat (inside) 1 192.1.1.0 255.255.255.0
static (inside,outside) tcp x.x.x.10 smtp 192.1.1.12 smtp netmask 255.255.255.255
08-16-2007 11:30 AM
Change your static commands to include the keyword "interface" instead of x.x.x.10.
ex.
static (inside,outside) tcp interface smtp 192.1.1.12 smtp netmask 255.255.255.255
Please rate helpful posts.
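The accepted answer boils down to one rule: when an interface is the PAT address ("global (outside) 1 interface"), a port static for that interface must use the "interface" keyword rather than the interface's literal IP. The script below is an added example, not part of this thread or any Cisco tool; it lints an ASA 7.x-style config for that mismatch and proposes the corrected static line. The sample config is constructed, with 203.0.113.x standing in for the poster's x.x.x.x addresses.

```python
import re

# Constructed sample (not the poster's full config): "outside" is the PAT
# address, so the smtp static naming the interface's own IP conflicts with it.
# The ftp static already uses the keyword; the www static uses another IP.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif outside
 ip address 203.0.113.10 255.255.255.128 standby 203.0.113.31
global (outside) 1 interface
nat (inside) 1 192.1.1.0 255.255.255.0
static (inside,outside) tcp 203.0.113.10 smtp 192.1.1.12 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.1.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 www 192.1.1.30 www netmask 255.255.255.255
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)(.*)$")

def interface_ips(config):
    """Return {nameif: primary ip} collected from each 'interface' block."""
    ips, name, ip = {}, None, None
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last block
        line = line.strip()
        if line.startswith("interface "):
            if name and ip:
                ips[name] = ip
            name = ip = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ip = line.split()[2]
    return ips

def interface_pat(config):
    """Names of interfaces whose global pool is the interface address itself."""
    return {m.group(1) for m in re.finditer(
        r"^global \((\w+)\) \d+ interface\s*$", config, re.M)}

def lint_statics(config):
    """Flag port statics whose global IP is the literal address of an interface
    that is also the PAT address; return [(offending line, corrected line)]."""
    ips, pat_ifaces, findings = interface_ips(config), interface_pat(config), []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, mapped_if, proto, gip, gport, lip, lport, rest = m.groups()
        if mapped_if in pat_ifaces and gip == ips.get(mapped_if):
            fixed = f"static ({real_if},{mapped_if}) {proto} interface {gport} {lip} {lport}{rest}"
            findings.append((line.strip(), fixed))
    return findings
```

Running lint_statics(SAMPLE_CONFIG) reports only the smtp static and prints the "interface" form the answer recommends; the same check can be pointed at a saved "show running-config" before cutting over from the Sonicwall.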
08-16-2007 10:52 PM
I'll try this out next week when I'm back on site. Legend if it works.
I'll let you know
Thanks
08-16-2007 12:25 PM
And I believe that your ACL should be like this:
access-list outside_in extended permit tcp any host 192.1.1.12 eq smtp
08-16-2007 01:03 PM
No, your ACL is correct as you had it.