07-06-2008 04:26 AM - edited 03-11-2019 06:10 AM
Friends, I have an ASA 5520 and have opened the SMTP and POP3 ports. I want to be sure that I did everything right. The outside interface IP is 1.2.3.4 and 10.0.0.10 is the mail server, Microsoft Exchange.
I created the ACL:
1) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3
2) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp
and static NAT:
1)static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255
2) static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255
Need advice...)))
Regards
07-06-2008 04:59 AM
no static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255
no static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255
07-06-2008 07:11 AM
1). static (Inside,Outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255
2). static (Inside,Outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255
And my ACL is correct? I mean, this static NAT with this ACL is OK ...
1) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3
2) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp
I created the ACL and static NAT on the outside interface... Am I right ... ?!
In this case, with this configuration, SMTP and POP3 will work properly ... ?!
Sure, great thanks, it's very kind from your side to help me ... :))) thanks once more...
Regards
07-06-2008 04:11 PM
no access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3
no access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp
access-list Outside_access_in extended permit tcp any interface outside eq pop3
access-list Outside_access_in extended permit tcp any interface outside eq smtp
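A small consistency check over the static and access-list lines traded above, as an added example that is not from this thread and not a Cisco tool. It assumes the pre-8.3 ASA syntax used here and only looks for the things the replies point out: two statics claiming the same outside port, a static whose outside and inside ports differ (the pop3/smtp typo in the first post), an ACL entry permitting a port no static translates, and an ACL written as `host <ip>` while the static uses the `interface` keyword.

```python
"""
Consistency check for ASA pre-8.3 'static' PAT entries and their
'access-list' counterparts.  Added example, not from the thread or Cisco.
It parses only the two line shapes seen in this thread.
"""
import re
from collections import Counter

# static (real,mapped) tcp <global-addr|interface> <gport> <local-addr> <lport> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) tcp (?P<gaddr>\S+) (?P<gport>\S+) "
    r"(?P<laddr>\S+) (?P<lport>\S+) netmask \S+$"
)
# access-list <name> extended permit tcp <src> <host ip | interface name> eq <port> [log ...]
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp (?P<src>any|host \S+) "
    r"(?P<dst>host \S+|interface \w+) eq (?P<port>\S+)(?: log.*)?$"
)


def check_config(lines):
    """Return a list of human-readable findings for the given config lines."""
    statics, acls = [], []
    for raw in lines:
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append(m.groupdict())

    findings = []

    # Two statics cannot both own the same global address/port.
    used = Counter((s["gaddr"], s["gport"]) for s in statics)
    for (gaddr, gport), n in used.items():
        if n > 1:
            findings.append(f"global {gaddr}/{gport} is claimed by {n} static entries")

    # Mapping outside pop3 to inside smtp is almost always a typo.
    for s in statics:
        if s["gport"] != s["lport"]:
            findings.append(
                f"static maps global port {s['gport']} to local port {s['lport']} "
                f"on {s['laddr']}: check for a typo"
            )

    static_ports = {s["gport"] for s in statics}
    uses_interface_kw = any(s["gaddr"] == "interface" for s in statics)
    for a in acls:
        # An ACL permit without a translation lets nothing through to the server.
        if a["port"] not in static_ports:
            findings.append(f"ACL {a['name']} permits {a['port']} but no static translates it")
        # 'interface' tracks the outside address; a literal IP in the ACL does not.
        if uses_interface_kw and a["dst"].startswith("host "):
            findings.append(
                f"ACL {a['name']} uses '{a['dst']}' while the static uses 'interface': "
                f"write 'interface <name>' so both follow the outside address"
            )
    return findings


# Lines exactly as posted in the thread: the first post's config ...
ORIGINAL_POST = [
    "access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3",
    "access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp",
    "static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255",
    "static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255",
]
# ... and the statics plus ACLs from the two replies.
CORRECTED = [
    "static (Inside,Outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255",
    "static (Inside,Outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255",
    "access-list Outside_access_in extended permit tcp any interface outside eq pop3",
    "access-list Outside_access_in extended permit tcp any interface outside eq smtp",
]

if __name__ == "__main__":
    for label, cfg in (("original post", ORIGINAL_POST), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for f in check_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the first post it reports the duplicate `1.2.3.4/pop3` static, the pop3-to-smtp port mismatch, and the smtp ACL entry with no matching translation; the corrected set from the replies comes back clean. Mixing the reply's `interface` statics with the original `host 1.2.3.4` ACL flags the keyword mismatch the last reply is about.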
07-06-2008 05:05 PM
Aren't they accomplishing the same thing?
CiscoPix# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 192.168.0.25 255.255.255.128 CONFIG
Ethernet1 inside 172.20.20.254 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 outside 192.168.0.25 255.255.255.128 CONFIG
Ethernet1 inside 172.20.20.254 255.255.255.0 CONFIG
CiscoPix# sh run static | i 172.20
static (inside,outside) tcp interface 222 172.20.20.1 ssh netmask 255.255.255.255
CiscoPix# sh run | i access-list External
access-list External extended permit icmp any any log
access-list External extended permit tcp any host 192.168.0.25 eq 222 log
CiscoPix#
[root@Linux-lab root]# ssh -p 222 -l admin 192.168.0.25
admin@192.168.0.25's password:
Last login: Mon Jul 7 01:57:44 2008 from 10.250.97.9
[Expert@P1-NG]#
CiscoPix# sh access-list External
access-list External; 2 elements
access-list External line 1 extended permit icmp any any log informational interval 300 (hitcnt=0) 0xa53e0e51
access-list External line 2 extended permit tcp any host 192.168.0.25 eq 222 log informational interval 300 (hitcnt=2) 0x8b240e30
CiscoPix#
07-06-2008 10:41 PM
It means that I have to change
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp
access-list Outside_access_in extended permit tcp any interface outside eq smtp
But now with my config permit tcp any host 1.2.3.4 I can telnet to 1.2.3.4 25 from the Internet, and I think it works properly 'cause I can access it.
Sure, I believe you and I'll do exactly what you said :))))
Regards