09-24-2007 03:32 PM - edited 03-11-2019 04:16 AM
Hello All!
I am looking for someone smarter than me for help. I am trying to configure, in the simplest way possible, an ASA 5505 with a server on the DMZ. The only thing unusual about our network is that most workstations do not access the internet through the ASA... they use a different router to connect to a separate DSL line.
So I set up an email server on our DMZ at 192.168.100.20. It can be accessed via https, imap, etc. from the Internet, no problem, from an IP address that is not the outside interface. I tried to add access to the mail server from the inside, via an IP address that is not the inside interface. (When I tried using the inside interface for the mail server access, I lost management access to the ASA. I think this is listed as an unresolved caveat under ver. 7.2(3).)
I can ping the mail server through the ASA, and get a response from 192.168.100.20. I just can't get https, ftp, etc... if the server tries to respond, there is a "no translation group" error.
Here's my config:
name 192.168.100.20 Mailbert ;real mail server address
name 67.94.68.124 ExternalMail
name 67.94.68.122 defaultexternal
name 192.168.3.61 InternalMail61
interface Vlan1
nameif inside
ip address 192.168.3.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 67.94.68.123 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.100.1 255.255.255.0
access-list outside_access_in extended permit tcp any host ExternalMail eq imap4 log
access-list outside_access_in extended permit tcp any host ExternalMail eq https log
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.100.0 255.255.255.0 dns
static (dmz,outside) ExternalMail Mailbert netmask 255.255.255.255
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
access-group outside_access_in in interface outside
Thanks All!
Andrew
09-24-2007 05:26 PM
Why not just access it with its real address, 192.168.100.20? Just remove the destination nat statement.
no static (dmz,inside) InternalMail61 Mailbert netmask 255.255.255.255
09-26-2007 01:04 PM
I don't understand how that would work since most workstations are not using the ASA as a default gateway. Can I add to workstations the ASA and a secondary default gateway and would that work?
Thanks!!
Andrew
09-26-2007 03:09 PM
I'm surprised you can ping but cannot ftp, http etc. Could you route to the dmz from the internet router?
ip route 192.168.100.0 255.255.255.0 192.168.3.2
09-26-2007 03:27 PM
I was only able to ping after adding this:
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
Note that if I try to ftp the mailserver the ASA will not complain with a "no translation group" message if I do not enable an ftp server on the mailserver. So it seems the return packet is getting lost?
I will try the ip route thing.
Thanks,
Andrew
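Added example, not code from this thread or from Cisco: a small Python model of how a pre-8.3 ASA with nat-control picks a translation for a packet, loaded with the static and nat/global lines from Andrew's config. The workstation address 192.168.3.50 and the Internet addresses 203.0.113.9 and 198.51.100.7 are constructed. It shows why inside-to-DMZ traffic has no translation group until the identity static (inside,dmz) is present, and how the two statics rewrite the mail server's address in each direction.

```python
"""Toy model of the pre-8.3 ASA translation lookup with nat-control on.

Constructed for this thread; it is not Cisco code and leaves out nat 0,
policy NAT, the xlate table and ACL checks. Rules mirror the posted config.
"""
import ipaddress
from dataclasses import dataclass, field


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def remap(addr, from_net, to_net):
    """Carry addr's offset inside from_net over to to_net (1:1 static)."""
    return to_net.network_address + (int(addr) - int(from_net.network_address))


@dataclass(frozen=True)
class Static:
    real_ifc: str    # static (real_ifc,mapped_ifc) mapped real netmask mask
    mapped_ifc: str
    mapped: str
    real: str
    mask: str


@dataclass
class Asa:
    ifc_addr: dict                                # nameif -> interface address
    ifc_net: dict                                 # nameif -> connected network
    statics: list = field(default_factory=list)
    nats: list = field(default_factory=list)      # nat (ifc) id network
    globals_: list = field(default_factory=list)  # global (ifc) id interface
    nat_control: bool = True

    def egress(self, dst):
        for ifc, connected in self.ifc_net.items():
            if dst in ipaddress.ip_network(connected):
                return ifc
        return "outside"                          # default route points outside

    def translate(self, in_ifc, src, dst):
        """Return (out_ifc, src, dst) after translation, or None when the
        packet is dropped with "No translation group found" (%ASA-3-305005)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. Destination untranslation: a static whose mapped side faces the
        #    ingress interface rewrites mapped -> real and fixes the egress.
        dst_static = None
        for s in self.statics:
            if s.mapped_ifc == in_ifc and dst in net(s.mapped, s.mask):
                dst = remap(dst, net(s.mapped, s.mask), net(s.real, s.mask))
                dst_static = s
                break
        out_ifc = dst_static.real_ifc if dst_static else self.egress(dst)
        # 2. Source translation: static (in,out) wins, then a nat/global pair
        #    with the same id, which PATs to the egress interface address.
        for s in self.statics:
            if s.real_ifc == in_ifc and s.mapped_ifc == out_ifc and src in net(s.real, s.mask):
                src = remap(src, net(s.real, s.mask), net(s.mapped, s.mask))
                return out_ifc, str(src), str(dst)
        for ifc, nat_id, network in self.nats:
            if ifc == in_ifc and src in ipaddress.ip_network(network):
                if (out_ifc, nat_id) in self.globals_:
                    return out_ifc, self.ifc_addr[out_ifc], str(dst)
        # 3. A destination static is itself the translation group; otherwise
        #    nat-control drops the packet.
        if dst_static or not self.nat_control:
            return out_ifc, str(src), str(dst)
        return None


def build_asa(identity_static=True):
    """The thread's config; identity_static toggles the line Andrew says he
    added to get ping working: static (inside,dmz) 192.168.3.0 192.168.3.0."""
    asa = Asa(
        ifc_addr={"inside": "192.168.3.2", "outside": "67.94.68.123", "dmz": "192.168.100.1"},
        ifc_net={"inside": "192.168.3.0/24", "outside": "67.94.68.120/29", "dmz": "192.168.100.0/24"},
        nats=[("inside", 1, "192.168.3.0/24"), ("dmz", 1, "192.168.100.0/24")],
        globals_=[("outside", 1)],
        statics=[
            Static("dmz", "outside", "67.94.68.124", "192.168.100.20", "255.255.255.255"),
            Static("dmz", "inside", "192.168.3.61", "192.168.100.20", "255.255.255.255"),
        ],
    )
    if identity_static:
        asa.statics.append(Static("inside", "dmz", "192.168.3.0", "192.168.3.0", "255.255.255.0"))
    return asa


if __name__ == "__main__":
    ws = "192.168.3.50"                           # constructed inside workstation
    print("inside->dmz, no identity static:", build_asa(False).translate("inside", ws, "192.168.100.20"))
    print("inside->dmz, identity static:   ", build_asa().translate("inside", ws, "192.168.100.20"))
    print("inside->InternalMail61:         ", build_asa().translate("inside", ws, "192.168.3.61"))
    print("internet->ExternalMail:         ", build_asa().translate("outside", "203.0.113.9", "67.94.68.124"))
```

The model covers translation only. The ASA still applies the interface access lists and the implicit deny from a lower to a higher security level (dmz at 50 to inside at 100), so the static (dmz,inside) line by itself does not let the mail server initiate connections toward inside hosts; it only provides the address mapping.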