Punching a hole....

ixholla69
Level 1

I need to punch a hole through this ASA to get port 25 and 443 traffic through. Can someone give me the command to do that?

Currently there's a mail server on the other side of an ASA. I have the following statics on the ASA.

static (inside,outside) tcp 216.110.x.22 smtp 172.16.200.4 smtp netmask 255.255.255.255

static (inside,outside) tcp 216.110.x.22 https 172.16.200.4 https netmask 255.255.255.255

I added a similar line that went from (outside,inside), but that didn't work. There's also an ACL saying to allow anything from the Internet to hit those servers for 25 and 443. Any help would be greatly appreciated, as they haven't had mail in 3 days.

8 Replies

Jorge Rodriguez
Level 10

Are you using the outside interface IP address for your static translation? If so, try:

static (inside,outside) tcp interface smtp 172.16.200.4 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 172.16.200.4 https netmask 255.255.255.255

Then your access list should be applied to your outside interface, e.g.:

access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp

access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https

access-group outside_access_in in interface outside

Rgds

Jorge

Jorge Rodriguez

Yeah, that didn't seem to work :/

OK, then try:

Remove the ACL:

no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp

no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https

Re-enter the ACL:

access-list outside_access_in extended permit tcp any interface outside smtp

access-list outside_access_in extended permit tcp any interface outside https

access-group outside_access_in in interface outside

Jorge Rodriguez

I get:

access-list outside_access_in extended permit tcp any interface outside smtp

^

ERROR: % Invalid input detected at '^' marker.

I do apologize, I missed the keyword eq. Please try:

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq https

access-group outside_access_in in interface outside

Jorge Rodriguez

If you are using MS Exchange servers, you need to disable fixup (or inspect) for SMTP.

Satya

%ASA-4-106023: Deny tcp src outside:24.20.x.93/1599 dst outside:216.110.x.22/25 by access-group "outside_access_in"

I wonder why that destination's showing up as outside when it's coming in to an inside network?
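Added example, not part of the thread and not any participant's configuration: the complete pre-8.3 (static/global syntax) configuration the replies above assemble piece by piece, together with the checks that show where a connection is actually dropped. It assumes 216.110.x.22 is a spare address on the outside subnet rather than the interface IP (Jorge's `interface` variant applies otherwise), that the real server is 172.16.200.4, and an ASA running 7.2 or later so that packet-tracer is available; the `x` octet is the thread's own redaction and has to be filled in on a real device. Two points the thread touches on are made explicit: on pre-8.3 code an interface ACL is evaluated against the mapped (outside) address, which is why the 106023 message above logs dst 216.110.x.22/25 rather than the inside address, and Satya's Exchange note corresponds to removing esmtp inspection from the default global policy.

```text
! Added example (not from the thread). Pre-8.3 ASA syntax, matching the static
! commands used above. Assumed values: mapped address 216.110.x.22 is a spare
! outside address, real server is 172.16.200.4, client 24.20.x.93 is taken from
! the 106023 log line in the thread. Replace the redacted "x" octets.

! 1. Static PAT: mapped outside address/port -> real inside address/port.
!    (If the mapped address is the outside interface IP, write "interface"
!    in place of 216.110.x.22, as in Jorge's first reply.)
static (inside,outside) tcp 216.110.x.22 smtp  172.16.200.4 smtp  netmask 255.255.255.255
static (inside,outside) tcp 216.110.x.22 https 172.16.200.4 https netmask 255.255.255.255

! 2. Inbound ACL on the outside interface. On pre-8.3 code this ACL is checked
!    against the MAPPED address, so the permits must name 216.110.x.22, never
!    172.16.200.4. Keep it to the two published ports; nothing else inbound.
access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp
access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https
access-group outside_access_in in interface outside

! 3. Exchange behind ESMTP inspection (Satya's note): remove the inspect from
!    the default policy instead of disabling inspection globally.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! 4. Verify without waiting for a real client to connect.
!    packet-tracer walks the packet through every phase (ACL, NAT, routing)
!    and names the phase that drops it; the 106023 log alone only says "ACL".
show running-config static
show access-list outside_access_in
packet-tracer input outside tcp 24.20.x.93 1599 216.110.x.22 25
packet-tracer input outside tcp 24.20.x.93 1600 216.110.x.22 443

! 5. Confirm the translation is installed; after changing statics, existing
!    entries can linger, so clear them (this resets current translations).
show xlate | include 172.16.200.4
clear xlate
```

The hit counts printed by `show access-list outside_access_in` tell you whether the permit entries are being matched at all; if they stay at zero while 106023 denies keep appearing for 216.110.x.22, the traffic is not reaching those lines (an earlier entry in the same ACL, or the ACL bound to the wrong interface), and the packet-tracer output will name the offending line.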
