Punching a hole....

Unanswered Question
Jan 11th, 2008
I need to punch a hole through this ASA to get port 25 and 443 traffic through. Can someone give me the command to do that?


Currently it's a mail server on the other side of an ASA. I have the following Static on the ASA.


static (inside,outside) tcp 216.110.x.22 smtp 172.16.200.4 smtp netmask 255.255.255.255

static (inside,outside) tcp 216.110.x.22 https 172.16.200.4 https netmask 255.255.255.255


I added a similar line that went from (outside,inside), but that didn't work. There's also an ACL saying to allow anything from the Internet to hit those servers for 25 and 443. Any help would be greatly appreciated, as they haven't had mail in 3 days.




JORGE RODRIGUEZ Fri, 01/11/2008 - 13:01
Are you using outside interface IP address for your static translation? if so try.


static (inside,outside) tcp interface smtp 172.16.200.4 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 172.16.200.4 https netmask 255.255.255.255


then your access list should be applied to your outside interface


e.g.



access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp

access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https

access-group outside_access_in in interface outside



Rgds

Jorge

JORGE RODRIGUEZ Fri, 01/11/2008 - 14:55
ok, then try


remove acl

no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp

no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https



re-enter acl


access-list outside_access_in extended permit tcp any interface outside smtp

access-list outside_access_in extended permit tcp any interface outside https

access-group outside_access_in in interface outside



ixholla69 Fri, 01/11/2008 - 15:47
I get a


access-list outside_access_in extended permit tcp any interface outside smtp

^

ERROR: % Invalid input detected at '^' marker.


JORGE RODRIGUEZ Fri, 01/11/2008 - 16:06
I do apologize, I missed the keyword eq. Please try:


access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq https

access-group outside_access_in in interface outside

sbaddipu Fri, 01/11/2008 - 16:10
If you are using MS Exchange servers, you need to disable fixup (or inspect) for smtp.


Satya

ixholla69 Fri, 01/11/2008 - 16:16
%ASA-4-106023: Deny tcp src outside:24.20.x.93/1599 dst outside:216.110.x.22/25 by access-group "outside_access_in"


ixholla69 Fri, 01/11/2008 - 16:56
I wonder why that destination is showing up as outside when it's coming in to an inside network?
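The thread turns on two pre-8.3 ASA facts: the ACL applied inbound on the outside interface is evaluated against the global (pre-translation) destination address, which is why the 106023 deny names the outside address, and when that global address is the interface's own IP the static and the ACE should both use the interface keyword rather than the literal address, as Jorge suggested. The following checker is an added example, not code from the thread or from Cisco: it parses a constructed config (TEST-NET addresses stand in for the real ones, with 203.0.113.22 playing the outside interface IP), resolves interface keywords to addresses, reports whether each static's global address/port is permitted by the ACL bound to the outside interface, flags literal use of the interface address, and turns a 106023 deny line into the ACE that would have permitted it. The regexes cover only the static/access-list/access-group forms seen in this thread.

```python
"""Added example (not the thread's own code): consistency check of pre-8.3
ASA 'static' PAT entries against the ACL bound inbound on the outside
interface, plus a parser for the %ASA-4-106023 deny message.  Only the
TCP static, 'permit tcp any host|interface ... eq' ACE and 'access-group'
forms used in the thread are understood."""
import re

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "ssh": 22}
PORT_NUMS = {v: k for k, v in PORT_NAMES.items()}

# Constructed sample data, not the poster's config: TEST-NET addresses stand
# in for the real ones and 203.0.113.22 plays the outside interface IP.
SAMPLE_IFACE_IPS = {"outside": "203.0.113.22", "inside": "172.16.200.1"}
SAMPLE_CONFIG = """\
static (inside,outside) tcp 203.0.113.22 smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.200.4 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.23 www 172.16.200.5 www netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.22 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-group outside_access_in in interface outside
"""
SAMPLE_DENY = ('%ASA-4-106023: Deny tcp src outside:198.51.100.93/1599 '
               'dst outside:203.0.113.23/80 by access-group "outside_access_in"')

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp any "
                    r"(?:host (\S+)|interface (\w+)) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
DENY_RE = re.compile(r'%ASA-4-106023: Deny tcp src (\w+):(\S+)/(\d+) '
                     r'dst (\w+):(\S+)/(\d+) by access-group "([^"]+)"')


def port_num(tok):
    """Accept either a port name the ASA CLI knows or a number."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text, iface_ips):
    """Return (statics, aces, groups) with the 'interface' keyword resolved
    to that interface's IP so statics and ACEs compare as (ip, port)."""
    statics, aces, groups = [], {}, {}
    for line in text.splitlines():
        if m := STATIC_RE.match(line):
            _inside, outside, gip, gport, lip, lport = m.groups()
            used_kw = gip == "interface"
            gip = iface_ips[outside] if used_kw else gip
            statics.append({"global": gip, "port": port_num(gport),
                            "local": lip, "lport": port_num(lport),
                            "iface_kw": used_kw, "out_if": outside})
        elif m := ACE_RE.match(line):
            name, host, iface, port = m.groups()
            ip = iface_ips[iface] if iface else host
            aces.setdefault(name, set()).add((ip, port_num(port)))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)       # interface -> ACL name
    return statics, aces, groups


def check_statics(text, iface_ips):
    """For each static: is its global address/port permitted by the ACL on
    the outside interface (pre-8.3 matches the untranslated address), and
    does it spell the interface IP literally where the 'interface' keyword
    is the recommended form?"""
    statics, aces, groups = parse_config(text, iface_ips)
    findings = []
    for s in statics:
        acl = aces.get(groups.get(s["out_if"], ""), set())
        findings.append({
            "global": s["global"], "port": s["port"], "local": s["local"],
            "permitted": (s["global"], s["port"]) in acl,
            "use_interface_kw": (not s["iface_kw"]
                                 and s["global"] == iface_ips[s["out_if"]]),
        })
    return findings


def suggest_ace(deny_line, iface_ips):
    """Turn a 106023 deny into the ACE that would have permitted it, using
    'interface <name>' when the denied destination is that interface's IP."""
    m = DENY_RE.match(deny_line)
    if not m:
        return None
    _sif, _sip, _sport, dif, dip, dport, acl = m.groups()
    port = PORT_NUMS.get(int(dport), dport)
    dst = f"interface {dif}" if iface_ips.get(dif) == dip else f"host {dip}"
    return f"access-list {acl} extended permit tcp any {dst} eq {port}"


if __name__ == "__main__":
    for f in check_statics(SAMPLE_CONFIG, SAMPLE_IFACE_IPS):
        print(f)
    print(suggest_ace(SAMPLE_DENY, SAMPLE_IFACE_IPS))
```

Run against the sample, the smtp static is permitted but flagged for using the interface address literally, the https static is clean, and the www static for 203.0.113.23 has no matching ACE, which is exactly what the sample deny line reports; suggest_ace rewrites that deny into a host ACE, and would emit interface outside had the destination been the interface IP.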
