Note: Both 24.172.X.X address are on the same subnet

I need both servers to send mail traffic back and forth.

Hello Jason,

They are on different subnets, but they get natted to the same Ip address, right? because inside is 10.x.x.x.x and dmz is x.x.x.x

The configuration would be:

static (inside,outside) tcp 24.172.x.x  2525 10.10.x.58 25

static (dmz,outside) tcp 24.172.x.x  25  x.x.x.x.x

Access-list outside_ in permit tcp any host 24.172.x.x eq 25

Access-list outside_ in permit tcp any host 24.172.x.x eq 2525

access-group outside_in in interface outside

Please rate helpful posts.

Regards,

Julio

Both 24.x.x.x address are on the same subnet. They are public IP addresses.

I have a outside, inside, and dmz namifs

I only have a ip address assigned to the outside and inside interface.

Hello Jason,

I know both 24.xx.xx.xx are on the same subnet, the ASA got to have different ip address configured on each interface ( it will separate the broadcast domain) unless you have an asa 5505 witch I think is the one you have.

Ok so to if you want to create this task this is what you need to do:

To allow just inbound traffic to the servers

-Provide a different private ip address to each server locally

-Create a port-forwarding rule for each server ( nat the local private ip address to the 24.x.x.x on the outside)

-Allow inbound access to the public ip address/port those servers on the outside.

To allow bi-directional traffic:

-Do a static one to one (Private ip address of the server / Public)

-Allow inbound access to the public ip address.

Regards,

Julio

Thanks for your help but I'm having a hard time following what you are trying to say. The IP scheme can not change and I know how to NAT private IP space for a DMZ.

I think the soultion would be to put a switch connected to the modem and then connect the ASA and spam server to the switch.

Hi Jason,

Based on your diagram -

Internet is your 'Outside' interface for the ASA (IP- 24.172.x.x)

DMZ will be another interface and the IP for the interface will be something like 10.x.x.x and all the hosts/server on DMZ will have ip 10.x.x.x.x with ASA DMZ interface as gateway. In general, the servers in the DMZ will be advertised to Internet with your public IP (24.172.x.x) using 'Static Nat' statements.

Inside is your Users segment / LAN.

So now the question is what is the physical address assigned to SPAM filter server? If it is 24.172.x.x- then you need to modify the diagram- as it is on the 'outside' interface of the ASA.

Being said that- Julio already provided you with solution. If you still have issues, please post correct topology.

hth

MS

Correct soultion:

Add a switch after the internet modem and connect the ASA and the spam filter to the switch. Then add a ACL to allow the spam filter's IP address to come to the inside network.