
Am I able to use PAT and publish a mail server with 1 public IP?

cco_heerema
Level 1

Hi,

I'm a little confused; maybe someone could help me out here.

I'm trying to get an ASA5510 ASA Version 7.1(2) on the road here.

Problem is that I want to publish an SMTP server on the inside network on the Internet, and provide all inside hosts with Internet.

Problem is that I only have 1 static public IP address.

For getting Internet access on the inside hosts I use:

global (Outside) 1 interface

nat (Inside) 1 10.100.50.0 255.255.255.0

But as soon as I try to add a rule (and as far as my knowledge goes that needs to be):

access-list smtp extended permit tcp any host external ip address eq smtp

static (inside,outside) public ip address inside ip address netmask 255.255.255.255

access-group smtp in interface outside

I lose all internet connectivity on my inside hosts.

What am I doing wrong, or is this not possible with an ASA and one public IP address?

Thanks for helping.


cco_heerema
Level 1

Ignore this question please, my mistake

an

static (Inside,Outside) external ip internal ip netmask 255.255.255.255

access-group test in interface Outside

access-list test extended permit ip any host external ip

Did the trick.

Please be aware that this solution allows all traffic through to the internal host (which is not secure)

Well, I have the more secure alternative :)

You will keep the nat, and add a static only for SMTP port, this way will be secure.

The line is :

static (Inside,Outside) tcp external ip 25 internal ip 25 netmask 255.255.255.255

VOILA :)

Please rate if this helped.

Regards,

Daniel
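
The pieces from this thread combined into one configuration, as an added example that is not part of the original posts: dynamic PAT for the inside hosts, a port-only static for SMTP, and an ACL limited to that port, next to the wider variant from the earlier reply (commented out). 203.0.113.10 and 10.100.50.25 are constructed addresses; the 10.100.50.0/24 inside subnet is the one from the question.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   203.0.113.10  = the public ("external") IP
!   10.100.50.25  = the inside SMTP server
!
! Outbound: all inside hosts share the Outside interface address (dynamic PAT)
global (Outside) 1 interface
nat (Inside) 1 10.100.50.0 255.255.255.0
!
! --- Wide variant from the earlier reply (shown commented out) ---
! Maps every port of the public IP to the server and permits all IP to it:
! static (Inside,Outside) 203.0.113.10 10.100.50.25 netmask 255.255.255.255
! access-list test extended permit ip any host 203.0.113.10
! access-group test in interface Outside
!
! --- Port-only variant ---
! Only TCP/25 on the public IP is translated to the server ...
static (Inside,Outside) tcp 203.0.113.10 25 10.100.50.25 25 netmask 255.255.255.255
! ... and the ACL permits only that port, so nothing else reaches the host
access-list smtp extended permit tcp any host 203.0.113.10 eq smtp
access-group smtp in interface Outside
!
! If the public IP is the Outside interface's own address, write the keyword
! "interface" in place of the address in the static line:
! static (Inside,Outside) tcp interface 25 10.100.50.25 25 netmask 255.255.255.255
```

After applying it, `show xlate` lists the port 25 mapping and `show access-list smtp` shows the hit count for inbound mail.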

Great one, will use this one in the future.

For this config I managed to get rid of a stupid 2wire ADSL modem which was not able to route a small subnet of public IP addresses.

I installed a Cisco 837 instead which does its work perfectly.

In this configuration I also wanted to publish HTTP & HTTP on an inside host, but also want to use WebVPN, so I needed an extra public IP anyway.

Glad to help :)

Cheers,

Daniel
