Community Member

ASA 5510 NAT Issue

I am phasing out a Sonicwall 1260 with an ASA 5510 cluster. The Sonicwall uses PAT with a single public IP.

Email, VPN, FTP and other services are coming in through the WAN interface and are port forwarded to their destination servers on the LAN.

Today I was having an issue with getting services through the ASA 7.2 OS and the ACL kept blocking the connections.

I believe it's down to the fact that the outside IP is the same as the IP the connections are going to, e.g. the MX record points to the outside IP and any connections on port 25 are being dropped.

Am I doing something wrong or does the ASA want to PAT the internal network to one IP and have external connections come in on a separate IP?

The .128 mask is down to the ISP and their setup and I don't have that many addresses available!

Any help appreciated.

interface Ethernet0/0
 description Link to LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.1.1.252 255.255.255.0 standby 192.1.1.253
!
interface Ethernet0/1
 description Link to ICE
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.10 255.255.255.128 standby x.x.x.31

access-list outside_in extended permit tcp any host x.x.x.10 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in deny ip any any log
access-group outside_in in interface outside

global (outside) 1 interface
nat (inside) 1 192.1.1.0 255.255.255.0
static (inside,outside) tcp x.x.x.10 smtp 192.1.1.12 smtp netmask 255.255.255.255

1 ACCEPTED SOLUTION

Green

Re: ASA 5510 NAT Issue

Change your static commands to include the keyword "interface" instead of x.x.x.10.

ex.

static (inside,outside) tcp interface smtp 192.1.1.12 smtp netmask 255.255.255.255

Please rate helpful posts.


Community Member

Re: ASA 5510 NAT Issue

I'll try this out next week when I'm back on site. Legend if it works.

I'll let you know

Thanks

Community Member

Re: ASA 5510 NAT Issue

And I believe that your ACL should be like this:

access-list outside_in extended permit tcp any host 192.1.1.12 eq smtp

Green

Re: ASA 5510 NAT Issue

No, your ACL is correct as you had it.
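
The two points this thread settles on, as an added example that is not part of any post: a small Python check over a pre-8.3 ASA config that flags a static PAT line using the interface's own address literally instead of the `interface` keyword, and an inbound permit written against the real inside host instead of the mapped address. The helper names `interface_ips` and `lint` are hypothetical, and the sample config is constructed, with 203.0.113.10 standing in for the masked x.x.x.10.

```python
import re

# Constructed sample: the thread's config, with 203.0.113.10 (documentation
# range) standing in for the masked x.x.x.10, plus the ACL variant from the reply.
SAMPLE = """\
interface Ethernet0/1
 nameif outside
 ip address 203.0.113.10 255.255.255.128 standby 203.0.113.31
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-list outside_in extended permit tcp any host 192.1.1.12 eq smtp
access-group outside_in in interface outside
static (inside,outside) tcp 203.0.113.10 smtp 192.1.1.12 smtp netmask 255.255.255.255
"""

STATIC_PAT = re.compile(r"static \(\w+,(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) ")

def interface_ips(lines):
    """Map each nameif to the primary IP configured in its interface block."""
    ips, name = {}, None
    for line in lines:
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ips[name] = line.split()[2]
    return ips

def lint(config):
    """Return (rule, offending line, suggested line or None) tuples."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    ips = interface_ips(lines)
    # ACL name -> interface it is bound to inbound
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    findings = []
    for line in lines:
        m = STATIC_PAT.match(line)
        if not m:
            continue
        mapped_if, mapped_ip, real_ip = m.groups()
        if mapped_ip == ips.get(mapped_if):
            fixed = line.replace(f" {mapped_ip} ", " interface ", 1)
            findings.append(("static-pat-literal-interface-ip", line, fixed))
        # Pre-8.3 ACLs are checked before un-translation, so an inbound permit
        # must name the mapped address; one naming the real host never matches.
        for acl, ifname in bound.items():
            for entry in lines:
                if (ifname == mapped_if and entry.startswith(f"access-list {acl} ")
                        and " permit " in entry and f"host {real_ip} " in entry + " "):
                    findings.append(("acl-permits-real-address", entry, None))
    return findings
```
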
