ASA 5510 NAT Issue

kinskins01
Level 1

I am phasing out a Sonicwall 1260 with an ASA 5510 cluster. The Sonicwall uses PAT with a single public IP.

Email, VPN, FTP and other services are coming in through the WAN interface and are port forwarded to their destination servers on the LAN.

Today I was having an issue with getting services through the ASA 7.2 OS and the ACL kept blocking the connections.

I believe it's down to the fact that the outside IP is the same as the IP the connections are going to, e.g. the MX record points to the outside IP and any connections on port 25 are being dropped.

Am I doing something wrong or does the ASA want to PAT the internal network to one IP and have external connections come in on a separate IP?

The .128 mask is down to the ISP and their setup and I don't have that many addresses available!

Any help appreciated

interface Ethernet0/0
 description Link to LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.1.1.252 255.255.255.0 standby 192.1.1.253
!
interface Ethernet0/1
 description Link to ICE
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.10 255.255.255.128 standby x.x.x.31

access-list outside_in extended permit tcp any host x.x.x.10 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in deny ip any any log
access-group outside_in in interface outside

global (outside) 1 interface
nat (inside) 1 192.1.1.0 255.255.255.0
static (inside,outside) tcp x.x.x.10 smtp 192.1.1.12 smtp netmask 255.255.255.255

Accepted Solutions

acomiskey
Level 10

Change your static commands to include the keyword "interface" instead of x.x.x.10.

ex.

static (inside,outside) tcp interface smtp 192.1.1.12 smtp netmask 255.255.255.255

Please rate helpful posts.


I'll try this out next week when I'm back on site. Legend if it works.

I'll let you know

Thanks

And I believe that your ACL should be like this:

access-list outside_in extended permit tcp any host 192.1.1.12 eq smtp

No, your ACL is correct as you had it.
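
Added example, not part of the original thread and not Cisco tooling: a small Python check for the condition the accepted answer addresses, a 7.x-style static PAT line whose mapped address is the mapped interface's own IP, with the rewrite to the interface keyword. The sample reuses the poster's masked configuration; the x.x.x.11 line and all function names are constructed for illustration.

```python
import re

# Sample from the configuration posted in the thread (addresses masked as
# posted). The x.x.x.11 line is constructed, to show a static that is left alone.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 192.1.1.252 255.255.255.0 standby 192.1.1.253
!
interface Ethernet0/1
 nameif outside
 ip address x.x.x.10 255.255.255.128 standby x.x.x.31
!
static (inside,outside) tcp x.x.x.10 smtp 192.1.1.12 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.11 www 192.1.1.13 www netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<rest>.+)$")

def interface_addresses(config):
    """Map each nameif to the primary IP configured in its interface block."""
    addrs, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addrs[name] = line.split()[2]
    return addrs

def check_static_pat(config):
    """Return (line_no, original, suggested) for static PAT lines whose mapped
    address equals the mapped interface's own IP."""
    addrs = interface_addresses(config)
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = STATIC_RE.match(line.strip())
        if m and m["mapped_ip"] == addrs.get(m["mapped_if"]):
            fixed = (f"static ({m['real_if']},{m['mapped_if']}) {m['proto']} "
                     f"interface {m['rest']}")
            findings.append((no, line.strip(), fixed))
    return findings

if __name__ == "__main__":
    for no, old, new in check_static_pat(SAMPLE_CONFIG):
        print(f"line {no}: {old}\n  suggest: {new}")
```

The access-list entries are not touched by this check, in line with the last reply in the thread.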
