08-18-2008 03:05 AM - edited 03-11-2019 06:32 AM
We are using 129.0.0.0/23 as our internal IP range (we have done so for a long time). Now an ASA 5510 has been installed and translates it to the public IP.
An access-list is created as follows:
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
object-group service DM_INLINE_SERVICE_7
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq domain
service-object tcp eq 3389
and applied inbound on the outside interface:
access-group outside_access_in in interface outside
In this case everything is working fine.
When I apply this access-list to the particular internal subnet, the Exchange mails are not forwarded from outside to the inside Exchange server (129.0.0.12):
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 0.0.1.255 (internal subnet)
Won't the ASA work with this type of IP addressing? Does the ASA internal subnet need to be readdressed to a private IP address or not?
Can anyone please guide us?
Thanks.
08-18-2008 04:22 AM
Your access-list mask looks incorrect; try:
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0
HTH
08-18-2008 05:12 AM
Thanks.
I am applying these through ASDM.
The following is the access-list as actually applied:
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0
I have checked once again with this access-list. Mails were not received.
Any to any is working.
Any to this subnet is not working.
Any suggestions, please?
08-18-2008 06:29 AM
Are you NATting from the outside in? If so, you need to replace the 129.0.0.x address with the NAT address.
Could you post your sanitised config, please?
08-19-2008 02:26 AM
Presently I do not have the running config.
I am doing inside network to outside like:
nat (inside) 2 129.0.0.0
global (outside) 2 public ip
08-19-2008 02:38 AM
Do you have any other NAT statements?
08-19-2008 02:43 AM
No.
But I have static commands with different public IPs for the Exchange and web servers.
I am confused, because this should work with the particular subnet. Any to any is working.
Is there any bug?
08-19-2008 02:48 AM
There is no bug; your configuration is incorrect. The any-to-any command works because you are not filtering on any specific IP address.
If you have specific static NAT statements for the inside servers, you need to change the access-list to reflect the static outside IP address, e.g.:
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <
or
access-list outside_access_in extended permit tcp any host <
access-list outside_access_in extended permit tcp any host <
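As an added illustration of the answer above (example configuration written for this page, not posted by anyone in the thread), here is how the three pieces fit together on an ASA running the pre-8.3 NAT syntax the thread uses. The public addresses 203.0.113.1, .10 and .11 and the web server's inside address 129.0.0.13 are constructed placeholders (RFC 5737 documentation space) standing in for the values the thread elides; 129.0.0.12 and the /23 are the question's own. The point being shown: on 8.2 and earlier the inbound ACL on the outside interface is matched against the packet as it arrives, i.e. against the mapped (static) address, before the translation to the real inside address happens, so an ACL naming 129.0.0.0/23 as the destination never matches inbound mail. Note that the 8.3 and later NAT rewrite reversed this and access lists reference the real inside address, so this fix applies to the code train the thread is on.

```text
! Added example, not from the thread. 203.0.113.x and 129.0.0.13 are
! constructed placeholders. Syntax is ASA 7.x / 8.0-8.2 (pre-8.3 NAT).

! Outbound dynamic PAT for the whole inside range, as the poster described.
! (ASA takes a subnet mask here, not an IOS-style wildcard such as 0.0.1.255.)
nat (inside) 2 129.0.0.0 255.255.254.0
global (outside) 2 203.0.113.1

! One-to-one statics for the published servers: Exchange, then the web server.
static (inside,outside) 203.0.113.10 129.0.0.12 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 129.0.0.13 netmask 255.255.255.255

! Does NOT pass inbound mail on this code: the outside ACL sees a packet
! whose destination is still 203.0.113.10, so a real-address destination
! of 129.0.0.0/23 never matches and the implicit deny drops it.
!   access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0

! Correct: permit to each mapped (outside) address, and only the ports that
! host actually serves, rather than the whole service group to "any".
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq pop3
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq https

access-group outside_access_in in interface outside
```

Per-host, per-port entries like these are also the defensive reason to move away from the working "any any" form: that version exposed every service in the group, including tcp/3389, towards any inside address with a translation. To confirm the result without waiting for live mail, packet-tracer (available from 7.2) walks a synthetic SMTP packet through the ACL and the static on the box itself, with a constructed source address: packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 25, and the ACCESS-LIST and NAT phases in its output should both report ALLOW.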
08-20-2008 12:00 AM
Yes, it is working.
08-19-2008 02:57 AM
Thanks, I will apply it and give feedback.