Will ASA internal IP 129.0.0.0/23 create problems when used with PAT?

rajagurujj
Level 1

We are using 129.0.0.0/23 as our internal IP range (used for a long time). Now an ASA 5510 has been installed and translates it to the public IP.

An access-list is created as follows

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any

object-group service DM_INLINE_SERVICE_7

service-object tcp eq domain

service-object tcp eq www

service-object tcp eq https

service-object tcp eq pop3

service-object tcp eq smtp

service-object udp eq domain

service-object tcp eq 3389

and applied to the inward direction in outside interface

access-group outside_access_in in interface outside

in this case everything is working fine.

When I apply this access-list to the particular internal subnet, the Exchange mails are not forwarded from outside to the inside Exchange server (129.0.0.12).

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 0.0.1.255 (internal subnet)

Won't the ASA work with this type of IP addressing? Does the ASA internal subnet need to be readdressed to a private IP address or not?

Can anyone please guide us?

Thanks.


9 Replies

andrew.prince
Level 10

Your access-list mask comment looks incorrect, try:-

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0

HTH

Thanks.

I am applying these through ASDM.

The following is the correct applied access-list:

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0

I have checked once again with this access-list. Mails were not received.

Any to any is working.

Any to this subnet is not working.

Any suggestions please.

Are you NATing from the outside in? If so, you need to replace the 129.0.0.x address with the NAT address.

Post your sanitised config please?

Presently i do not have the run config.

I am doing inside network to outside like:

nat (inside) 2 129.0.0.0

global (outside) 2 public ip

Do you have any other NAT statements?

No.

But I have static commands with different public IPs for the Exchange and web servers.

I am confused.

Because this should work with a particular subnet. Any to any is working.

Is there any bug?

There is no bug - your configuration is incorrect. The any to any command works as you are not filtering on any specific IP address.

If you have specific static NAT statements for the inside servers, you need to change the access-list to reflect the static outside IP address, eg:-

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <>

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <>

or

access-list outside_access_in extended permit tcp any host <> eq www

access-list outside_access_in extended permit tcp any host <> eq smtp
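The reason behind the accepted answer: on ASA code before 8.3 (the `nat`/`global`/`static` syntax in this thread is pre-8.3), an inbound ACL on the outside interface is evaluated against the packet as it arrives, before un-NAT, so the destination it sees is the mapped (static or global) address, not the real 129.0.0.x host. The `any any` rule matched because it does not care which destination is present; the `any 129.0.0.0 255.255.254.0` rule never matched because no packet arriving on outside carries a 129.0.0.x destination. Two caveats worth knowing: from ASA 8.3 onward the order is reversed and ACLs reference the real (inside) address, so the same fix would then be wrong; and 129.0.0.0/23 is not RFC 1918 space, so even though the ASA handles it, hosts on that LAN cannot reach whoever legitimately holds that prefix on the Internet, which is a reason to renumber independent of this problem. The following is an added example written for this page, not code from the thread or from Cisco: a small Python lint that parses a pre-8.3 config, builds the table of real inside networks from `nat` and `static` lines, and flags any ACE on an outside-inbound ACL whose destination is a real inside address, suggesting the mapped hosts instead. The config text is constructed, with 203.0.113.0/24 (RFC 5737 documentation space) standing in for the poster's undisclosed public IPs, and the `lint`/`Finding` names are this example's own.

```python
"""Lint pre-8.3 ASA outside-inbound ACLs against the NAT table (added example).

Before ASA 8.3 the outside ACL is checked before un-NAT, so destinations must
be mapped (static/global) addresses. On 8.3+ ACLs use real addresses and this
check would be the wrong way round.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the poster's pre-8.3 syntax; 203.0.113.x (RFC 5737)
# stands in for the public addresses that were not disclosed in the thread.
SAMPLE_CONFIG = """\
nat (inside) 2 129.0.0.0 255.255.254.0
global (outside) 2 203.0.113.1
static (inside,outside) 203.0.113.10 129.0.0.12 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 129.0.0.13 netmask 255.255.255.255
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.11 eq www
access-group outside_access_in in interface outside
"""
# Corrected config: the ACE aimed at the real subnet is removed; the two
# mapped-host ACEs that replace it are already present above.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list outside_access_in extended permit object-group "
    "DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0\n", "")

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?P<mapped>\S+) (?P<real>\S+)"
                       r"(?: netmask (?P<mask>\S+))?")
NAT_RE = re.compile(r"^nat \((\w+)\) \d+ (?P<net>\S+) (?P<mask>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended (?:permit|deny) (?P<rest>.+)$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")


@dataclass
class Finding:
    line: int          # 1-based line in the config text
    dst: str           # ACE destination that names a real inside network
    mapped: list = field(default_factory=list)  # static mapped hosts inside it


def parse_addr(tokens, i):
    """Parse an ACE address at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a subnet mask (255.255.254.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(rest):
    """Return (src, dst) of an ACE body: protocol keyword or service
    object-group, then src and dst. Network object-groups are out of scope."""
    tokens = rest.split()
    i = 2 if tokens[0] == "object-group" else 1
    src, i = parse_addr(tokens, i)
    dst, _ = parse_addr(tokens, i)
    return src, dst


def lint(config):
    """Return a Finding for each outside-inbound ACE whose destination is a
    real inside network rather than the mapped address."""
    real_nets, statics, acls, outside_in = [], {}, {}, set()
    for lineno, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if m := STATIC_RE.match(line):
            mask = m["mask"] or "255.255.255.255"
            real = ipaddress.ip_network(f"{m['real']}/{mask}", strict=False)
            statics[real] = ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)
            real_nets.append(real)
        elif m := NAT_RE.match(line):
            real_nets.append(ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False))
        elif m := ACL_RE.match(line):
            _, dst = parse_ace(m["rest"])
            acls.setdefault(m["name"], []).append((lineno, dst))
        elif m := GROUP_RE.match(line):
            if m["iface"] == "outside":
                outside_in.add(m["name"])

    findings = []
    for name in outside_in:
        for lineno, dst in acls.get(name, []):
            if dst.prefixlen == 0:
                continue  # 'any' also matches the mapped addresses, so it works
            if any(n.overlaps(dst) for n in real_nets):
                mapped = sorted(str(statics[r].network_address)
                                for r in statics if r.overlaps(dst))
                findings.append(Finding(lineno, str(dst), mapped))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"line {f.line}: destination {f.dst} is a real inside network; "
              f"packets arriving on outside carry the mapped address. "
              f"Use: {', '.join(f.mapped) or 'the global/static mapped IP'}")
    print("fixed config:", lint(FIXED_CONFIG) or "no findings")
```

Run against the sample, the lint reports only the broad `any 129.0.0.0 255.255.254.0` ACE and names the two static mapped hosts that should appear in its place; the corrected config produces no findings. The check deliberately ignores `any` destinations, which is why the poster's original `any any` rule worked.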

Yes, it is working.

Thanks, I will apply it and give feedback.
