ASA 5505 Port Forwarding with Different IP Address

Hello everyone,

I have a Cisco ASA 5505 firewall with a Security Plus license. Currently I open ports 25, 80, 443 on public IP address 1.1.1.1 and perform static NAT between the inside and outside IP address, as I configured via CLI:

access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  80

access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  443

access-list OUT_IN extended  permit tcp any host 1.1.1.1 eq  25

access-group OUT_IN in interface outside

static (inside,outside)  1.1.1.1 192.168.0.243

Which works great!!!

Since we changed our mail server IP address, I have to perform static NAT on a different IP and ports 80, 443 on a different IP.

For that I keep the access-list the same.

Change to

Static (inside,outside) interface tcp 80 192.168.0.243 tcp 80 netmask 255.255.255.255

Static (inside,outside) interface tcp 443 192.168.0.243 tcp 443 netmask 255.255.255.255

Static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255

Once I make the change, email is not working!!!!!!!!!!!!!!!!

1 REPLY

Hello,

Is this a typo

Static (inside,outside) interface tcp 80 192.168.0.243 tcp 80 netmask 255.255.255.255

Static (inside,outside) interface tcp 443 192.168.0.243 tcp 443 netmask 255.255.255.255

Static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255

????

Because it should be like this

static (inside,outside) tcp interface 80 192.168.0.243 80 netmask 255.255.255.255

static (inside,outside) tcp interface 443 192.168.0.243 443 netmask 255.255.255.255

static (inside,outside) tcp interface 25 192.168.0.11 25 netmask 255.255.255.255

Now regarding the SMTP issue, it was working before on the other IP address, so it sounds more like a server issue.

Just to confirm it, let's do a capture:

access-list capout permit tcp any host xx.xx.xx ( Interface ip address) eq 25

access-list capout permit tcp host xxx.xx.xx.(interface ip address) eq 25 any

access-list capin permit tcp any host 192.168.0.11 eq 25

access-list capin permit tcp host 192.168.0.11 eq 25 any

capture capout access-list capout interface outside

capture capin access-list capin interface inside

capture asp type asp-drop all

Then initiate some traffic from the outside to the SMTP server.

I want you to go to a PC on the inside interface and then to a browser and get me the pcap files of those captures.

https://xx.xx.xx/capture/capin/pcap          The xxxxx is the IP of the inside interface of the ASA

https://xx.xx.xx/capture/capout/pcap        The xxxxx is the IP of the inside interface of the ASA

Finally provide me the show capture asp and the two files you download from the PC into this discussion.

Do please rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
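
An added example, not part of the original thread: a small Python check for the kind of slips discussed above, assuming the 8.2-and-earlier syntax `static (real_if,mapped_if) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port [netmask mask]`. The `lint` function and the sample config are constructed for illustration; it flags static lines that fit neither the PAT nor the one-to-one form, duplicate forwards, and ACL names that are defined but never applied or referenced but never defined.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Static PAT (assumed pre-8.3 form): proto, mapped address, mapped port, real IP, real port
PAT = re.compile(rf"static \(\w+,\w+\) (tcp|udp) (interface|{IP}) ([\w-]+) {IP} [\w-]+( netmask {IP})?$", re.I)
# One-to-one static NAT: mapped address, real IP
NAT = re.compile(rf"static \(\w+,\w+\) (interface|{IP}) {IP}( netmask {IP})?$", re.I)

# Constructed sample: one port-forward with the keywords out of order, one in the
# documented order, and capture ACLs whose names do not line up.
SAMPLE = """\
static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255
static (inside,outside) tcp interface 80 192.168.0.243 80 netmask 255.255.255.255
access-list capin permit tcp any host 192.168.0.11 eq 25
access-list capit permit tcp host 192.168.0.11 eq 25 any
capture capin access-list capin interface inside
capture capout access-list capout interface outside
"""

def lint(config):
    """Return sorted (line_number, message) findings; line 0 means 'whole config'."""
    findings, defined, used, forwards = [], {}, set(), {}
    for n, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())              # collapse repeated spaces
        tok = line.split(" ")
        kw = tok[0].lower()
        if kw == "static":
            m = PAT.match(line)
            if m:
                key = tuple(g.lower() for g in m.group(1, 2, 3))
                if key in forwards:               # same proto/address/port mapped twice
                    findings.append((n, f"mapped port already forwarded on line {forwards[key]}"))
                forwards.setdefault(key, n)
            elif not NAT.match(line):
                findings.append((n, "static matches neither PAT nor one-to-one NAT syntax"))
        elif kw == "access-list" and len(tok) > 1:
            defined.setdefault(tok[1], n)
        elif kw == "access-group" and len(tok) > 1:
            used.add(tok[1])
        elif kw == "capture" and "access-list" in tok[:-1]:
            used.add(tok[tok.index("access-list") + 1])
    for name in used - set(defined):
        findings.append((0, f"ACL {name} is referenced but never defined"))
    for name, n in defined.items():
        if name not in used:
            findings.append((n, f"ACL {name} is defined but never applied"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(lineno, msg)
```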