01-11-2008 12:30 PM - edited 03-11-2019 04:46 AM
I need to punch a hole through this ASA to get port 25 and 443 traffic through. Can someone give me the command to do that?
Currently it's a mail server on the other side of an ASA. I have the following Static on the ASA.
static (inside,outside) tcp 216.110.x.22 smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp 216.110.x.22 https 172.16.200.4 https netmask 255.255.255.255
I added a similar line that went from (Outside,Inside) but that didn't work. There's also an ACL saying to allow anything from the Internet to hit those servers for 25 and 443. Any help would be greatly appreciated as they haven't had mail in 3 days.
01-11-2008 01:01 PM
Are you using the outside interface IP address for your static translation? If so, try:
static (inside,outside) tcp interface smtp 172.16.200.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 172.16.200.4 https netmask 255.255.255.255
then your access list should be applied to your outside interface
e.g
access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp
access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https
access-group outside_access_in in interface outside
Rgds
Jorge
01-11-2008 01:38 PM
Yeah that didn't seem to work :/
01-11-2008 02:55 PM
ok, then try
remove acl
no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp
no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https
re-enter acl
access-list outside_access_in extended permit tcp any interface outside smtp
access-list outside_access_in extended permit tcp any interface outside https
access-group outside_access_in in interface outside
01-11-2008 03:47 PM
I get a
access-list outside_access_in extended permit tcp any interface outside smtp
^
ERROR: % Invalid input detected at '^' marker.
01-11-2008 04:06 PM
I do apologize, missed keyword eq. Please try:
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-group outside_access_in in interface outside
01-11-2008 04:10 PM
If you are using MS Exchange servers, you need to disable fixup (or inspect) for smtp.
Satya
01-11-2008 04:16 PM
%ASA-4-106023: Deny tcp src outside:24.20.x.93/1599 dst outside:216.110.x.22/25 by access-group "outside_access_in"
01-11-2008 04:56 PM
I wonder why that destination's showing up as Outside when it's coming in to an inside network?
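For triaging deny messages like the one posted above, here is an added example (not from the thread or from Cisco) that parses the TCP/UDP form of `%ASA-4-106023` lines, counts denies per ACL and destination, and flags entries whose source and destination interface are the same, so they can be compared against the configured static translations. The function names and all sample lines except the first are constructed for illustration.

```python
import re

# TCP/UDP form of the 106023 deny message. IP octets may be masked
# with "x", as they are in the thread, so addresses are matched loosely.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\w.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    # Same interface on both sides: the condition the last post asks about.
    rec["same_interface"] = rec["src_if"] == rec["dst_if"]
    return rec

def summarize(lines):
    """Count denies per (acl, dst_ip, dst_port); collect same-interface ones."""
    counts, suspects = {}, []
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["dst_ip"], rec["dst_port"])
        counts[key] = counts.get(key, 0) + 1
        if rec["same_interface"]:
            suspects.append(rec)
    return counts, suspects

# First line is the message from the thread; the other two are constructed.
SAMPLE = [
    '%ASA-4-106023: Deny tcp src outside:24.20.x.93/1599 dst outside:216.110.x.22/25 by access-group "outside_access_in"',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40112 dst inside:192.0.2.10/443 by access-group "outside_access_in"',
    '%ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/40113 (198.51.100.7/40113) to inside:192.0.2.10/25 (192.0.2.10/25)',
]

if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE)
    for s in suspects:
        print("same-interface deny:", s["src_if"], "->", s["dst_ip"], s["dst_port"])
    print(counts)
```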