09-24-2007 03:32 PM - edited 03-11-2019 04:16 AM
Hello All!
I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.
So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from a IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)
I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.
Here's my config:
name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
nameif inside
ip address 192.168.3.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 67.94.68.123 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
access-group outside_access_in in interface outside
Thanks All!
Andrew
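To make the "no translation group" symptom easier to reason about, here is an added example (not from this thread or from Cisco) that loads the name/static/nat/global lines posted above and walks a new connection through a simplified model of the pre-8.3 ASA NAT lookup: static rules for the interface pair first, then a nat id on the source interface paired with a global on the destination interface, and the "no translation group" result when the source matches a nat id but the destination interface has no matching global. The model is an assumption of its own: it ignores nat 0 / policy NAT, the existing xlate and conn tables (replies to an established connection do not perform a fresh lookup) and the 5505 "no forward interface" restriction, and the ";real mail server address" annotation on the name line was dropped because it is not ASA syntax. The last check shows what the model predicts if the static (dmz,inside) line is removed while nat (dmz) 1 stays.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup order, run over the
configuration lines posted in this thread (constructed example)."""
import ipaddress

# The NAT-relevant lines from the first post, with names resolved below.
POSTED_CONFIG = """
name 192.168.100.20 Mailbert
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
"""


def net(addr, mask):
    """Build a network from an address and a dotted netmask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Return (statics, nats, globals) parsed from name/static/nat/global lines."""
    names, statics, nats, globals_ = {}, [], [], {}
    for line in cfg.strip().splitlines():
        tok = line.split()
        if tok[0] == "name":                       # name <ip> <label>
            names[tok[2]] = tok[1]
        elif tok[0] == "static":                   # static (real,mapped) mapped real netmask m
            real_if, mapped_if = tok[1].strip("()").split(",")
            mapped, real, mask = tok[2], tok[3], tok[5]
            statics.append((real_if, mapped_if,
                            net(names.get(real, real), mask),
                            net(names.get(mapped, mapped), mask)))
        elif tok[0] == "nat":                      # nat (if) id net mask [dns]
            nats.append((tok[1].strip("()"), int(tok[2]), net(tok[3], tok[4])))
        elif tok[0] == "global":                   # global (if) id pool|interface
            globals_[(tok[1].strip("()"), int(tok[2]))] = tok[3]
    return statics, nats, globals_


def lookup(rules, src_if, src_ip, dst_if):
    """Classify a NEW connection from src_if/src_ip towards dst_if.

    Returns (kind, translated_source). kind is one of
    "static", "dynamic", "no translation group" or "untranslated".
    """
    statics, nats, globals_ = rules
    src = ipaddress.ip_address(src_ip)
    # 1. static rules for this exact interface pair are consulted first
    for real_if, mapped_if, real_net, mapped_net in statics:
        if real_if == src_if and mapped_if == dst_if and src in real_net:
            offset = int(src) - int(real_net.network_address)
            return "static", str(mapped_net[offset])
    # 2. a nat id on the source interface needs a global on the destination
    for nat_if, nat_id, nat_net in nats:
        if nat_if == src_if and src in nat_net:
            pool = globals_.get((dst_if, nat_id))
            if pool is None:
                return "no translation group", None
            return "dynamic", pool
    # 3. no rule at all: passes untranslated when nat-control is disabled
    return "untranslated", src_ip


def drop_line(cfg, prefix):
    """Return cfg without the line that starts with prefix (models a 'no ...')."""
    return "\n".join(l for l in cfg.strip().splitlines() if not l.startswith(prefix))


def check_posted_config():
    """Walk the flows discussed in the thread through the posted rules."""
    rules = parse(POSTED_CONFIG)
    return {
        "inside->dmz": lookup(rules, "inside", "192.168.3.50", "dmz"),
        "dmz->inside": lookup(rules, "dmz", "192.168.100.20", "inside"),
        "dmz->outside": lookup(rules, "dmz", "192.168.100.20", "outside"),
        "inside->outside": lookup(rules, "inside", "192.168.3.50", "outside"),
        # another dmz host with no static: nat (dmz) 1 matches, no global (inside) 1
        "otherdmz->inside": lookup(rules, "dmz", "192.168.100.30", "inside"),
    }


def check_without_dmz_inside_static():
    """Same Mailbert->inside flow after removing the static (dmz,inside) line."""
    rules = parse(drop_line(POSTED_CONFIG, "static (dmz,inside)"))
    return lookup(rules, "dmz", "192.168.100.20", "inside")


if __name__ == "__main__":
    for flow, result in check_posted_config().items():
        print(f"{flow:18} {result}")
    print("Mailbert->inside without static (dmz,inside):",
          check_without_dmz_inside_static())
```

In this model every flow the thread mentions has a translation, which is consistent with the original poster's observation that the ping works: the symptom must then come from something the model does not represent (the existing connection state, asymmetric return paths through the DSL router, or the 5505 forwarding restriction) rather than from a missing NAT rule. The model also shows why simply removing the static (dmz,inside) line, with nat (dmz) 1 still present and no global (inside) 1, leaves new dmz-to-inside connections with no translation group.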
09-24-2007 05:26 PM
Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.
no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
09-26-2007 01:04 PM
I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?
Thanks!!
Andrew
09-26-2007 03:09 PM
I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?
ip route 192.168.100.0 255.255.255.0 192.168.3.2
09-26-2007 03:27 PM
I was only able to ping after adding this:
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
Note that if I try to ftp the mailserver the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?
I will try the ip route thing.
Thanks,
Andrew