Cisco 5510 ASA Multiple static to single Private IP!

Aug 31st, 2010

Hi,


I am using a Cisco ASA 5510 firewall, Software Version 7.0(2), with the following licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 0
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50


Issue:

I have a Barracuda Spam Filter firewall with IP address 192.168.1.2 and port 25 enabled. This firewall supports multiple domains for spam filtering. Currently I was using a single domain and it works fine for me; now I need to add one more domain to the same spam filter. Everything is done on the Barracuda side, but when I add one more entry of a live IP with the same local 192.168.1.2 port 25 it gives me this error:


us-firewall(config)# static (inside,outside) tcp 216.XXX.XX.12 smtp 192.168.1.2 smtp netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.1.2/25 to outside:216.XXX.XXX.23/25 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                ]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                ]]
                [udp <max_conns>]


What I want?


216.XXX.XXX.23--->192.168.1.2 smtp          (old entry, working fine)

and

216.XXX.XX.12--->192.168.1.2 smtp               (new entry, not working)


*** Please note I can't change/add the IP address on the Barracuda spam filter and can't change the port, so I just need two live IPs mapped to the same 192.168.1.2 IP address and port 25.


Solution: ?

Nagaraja Thanthry Wed, 09/01/2010 - 05:20
Cisco Employee

Hello,


You cannot map multiple public IPs to a single internal IP with a straightforward static statement. You need to configure policy NAT. Please try the following:


access-list Mail1 permit tcp host 192.168.1.2 eq 25 any
access-list Mail2 permit tcp host 192.168.1.2 eq 25 any
static (inside,outside) tcp 216.XXX.XX.12 smtp access-list Mail1
static (inside,outside) tcp 216.XXX.XX.23 smtp access-list Mail2


Then make sure that you have allowed the traffic through the access-lists.


Hope this helps.


Regards,


NT
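A fuller version of the policy-NAT configuration described in the answer above, added here as an example and not part of the original thread. It assumes pre-8.3 ASA NAT syntax (which matches the 7.0(2) software in the question), uses the RFC 5737 documentation addresses 203.0.113.12 and 203.0.113.23 in place of the two masked 216.XXX public IPs, and the ACL names MAIL1, MAIL2 and OUTSIDE_IN are arbitrary choices:

```cisco
! Added example, not the original poster's or Cisco's configuration.
! 203.0.113.12 / 203.0.113.23 are placeholders for the two masked public IPs;
! 192.168.1.2 is the Barracuda from the question. Pre-8.3 (7.x/8.2) NAT syntax.

! Policy NAT: each ACL describes the real host and port as seen from inside.
! The two ACLs are identical on purpose: only outside-initiated connections
! to port 25 are expected, and those are told apart by the mapped IP.
access-list MAIL1 extended permit tcp host 192.168.1.2 eq smtp any
access-list MAIL2 extended permit tcp host 192.168.1.2 eq smtp any

! Two mapped public IPs, one real IP/port. A second plain "static ... tcp"
! for 192.168.1.2/25 is what produced "duplicate of existing static".
static (inside,outside) tcp 203.0.113.12 smtp access-list MAIL1
static (inside,outside) tcp 203.0.113.23 smtp access-list MAIL2

! Inbound interface ACL. Before 8.3 the interface ACL matches the mapped
! (public) address, not 192.168.1.2. Permit only TCP/25 to the two mapped
! IPs rather than opening the whole host.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.12 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.23 eq smtp
access-group OUTSIDE_IN in interface outside

! Verification: both statics should appear, and the hit counters on
! OUTSIDE_IN should increase when mail is delivered to either public IP.
show running-config static
show access-list OUTSIDE_IN
show xlate
```

Two things to check after applying it. First, the ACL on the outside interface must stay limited to port 25 on the two mapped addresses; a policy static does not by itself admit any traffic. Second, mail the Barracuda sends out uses an ephemeral source port, so it matches neither MAIL1 nor MAIL2 and is translated by whatever dynamic nat/global pair covers 192.168.1.2; if the outbound source address matters (reverse DNS, SPF), confirm with show xlate which public IP outbound SMTP actually leaves from.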
