ASA V8.6 - Dynamic PAT users working but not static IPs

I'm trying to configure an ASA to replace my last PIX. Since the last ASA I did, the language has changed. What we have are about two hundred normal users that need to surf and share one public IP from the ISP to get it done. I have a few boxes inside the network that must have static public IPs. Some just need the IP, whereas one is the SMTP server and two are web servers.

I am trying to get this in place by testing in this order: 1. normal surfing, 2. SMTP, 3. web servers. To test, at lunch I have been altering the last-resort address on our internal router to point to the new firewall rather than the old. The config below works for the normal users to surf, and their outside address shows as 222.222.222.15 as it should to external websites. The SMTP server, however, doesn't flow mail or hit the outside web to go to Google. I think if I figure this out, I can just mimic the proper settings to get my web servers working. Any ideas? Thanks for your help.

(All addresses have been changed to protect the innocent.)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 222.222.222.4 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.66.66 255.255.0.0
!
ftp mode passive
object network obj_172.16.25.70
 host 172.16.25.70
object network OUT_PAT
 host 222.222.222.15
object-group network FRU_PAT
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object-group network obj_Post
 network-object 231.25.83.0 255.255.255.0
 network-object 223.15.24.0 255.255.255.0
 network-object 234.15.25.0 255.255.255.0
access-list out_to_in extended permit tcp object-group obj_Post host 172.16.25.70 eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_172.16.25.70
 nat (inside,outside) static 222.222.222.8
!
nat (inside,outside) after-auto source dynamic FRU_PAT OUT_PAT
access-group out_to_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.222.222.1 1
route inside 192.168.1.0 255.255.255.0 172.16.25.27 1
route inside 192.168.5.0 255.255.255.0 172.16.25.27 1
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
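The point that matters for this config is rule ordering: 172.16.25.70 sits inside the 172.16.0.0/16 entry of FRU_PAT as well as in its own object, so both NAT statements match its outbound traffic. In ASA 8.3+ the object (auto) NAT is Section 2 and a manual NAT with after-auto is Section 3, so the static to 222.222.222.8 is evaluated first and the SMTP host should never be PATed to .15. The script below is an added example, not code from the original post or from Cisco; it models that evaluation order over the NAT-relevant lines of the posted config (same anonymised addresses) and reports the translation each address gets in each direction. It handles only static/dynamic rules whose mapped side is an object name or a literal address (no interface keyword, no destination matching), and the hosts 172.16.40.12, 192.168.5.9 and 10.9.9.9 used in the demo are constructed.

```python
"""Toy model of ASA 8.3+ NAT rule ordering, applied to the configuration posted above.
Added example: not code from the original post or from Cisco. Assumes the same
anonymised addresses as the post; models only static/dynamic rules whose mapped
side is an object name or a literal address."""
import ipaddress
from dataclasses import dataclass

# Constructed from the NAT-relevant lines of the posted config (anonymised addresses).
RUN_CONFIG = """
object network obj_172.16.25.70
 host 172.16.25.70
object network OUT_PAT
 host 222.222.222.15
object-group network FRU_PAT
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.5.0 255.255.255.0
object network obj_172.16.25.70
 nat (inside,outside) static 222.222.222.8
nat (inside,outside) after-auto source dynamic FRU_PAT OUT_PAT
"""


@dataclass
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual NAT after-auto
    real: list        # IPv4Network entries on the real (inside) side
    mapped: ipaddress.IPv4Address
    kind: str         # "static" or "dynamic"
    name: str


def _resolve_mapped(token, objects):
    """Mapped side is an object name or a literal address (the 'interface' keyword is not modelled)."""
    if token in objects:
        return objects[token][0].network_address
    return ipaddress.ip_address(token)


def parse_config(text):
    """Collect network objects/groups and NAT rules in configured order."""
    objects, rules, current = {}, [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        tok = line.split()
        if line.startswith("object network ") or line.startswith("object-group network "):
            current = tok[2]
            objects.setdefault(current, [])
        elif line.startswith(" host "):
            objects[current].append(ipaddress.ip_network(tok[1] + "/32"))
        elif line.startswith(" subnet "):
            objects[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif line.startswith(" network-object "):
            if tok[1] == "host":
                objects[current].append(ipaddress.ip_network(tok[2] + "/32"))
            elif tok[1] == "object":
                objects[current].extend(objects[tok[2]])
            else:
                objects[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif line.startswith(" nat ("):
            # Object NAT inside an object: " nat (real_if,mapped_if) static|dynamic <mapped>"
            rules.append(NatRule(2, objects[current], _resolve_mapped(tok[3], objects), tok[2], current))
        elif line.startswith("nat ("):
            # Manual NAT: "nat (real_if,mapped_if) [after-auto] source static|dynamic <real> <mapped>"
            section = 3 if "after-auto" in tok else 1
            i = tok.index("source")
            kind, real_name, mapped_name = tok[i + 1], tok[i + 2], tok[i + 3]
            rules.append(NatRule(section, objects[real_name], _resolve_mapped(mapped_name, objects),
                                 kind, f"manual:{real_name}->{mapped_name}"))
    return rules


def policy_order(rules):
    """Order rules the way the ASA evaluates them: Section 1, then 2, then 3.
    Within Section 2 the ASA puts static before dynamic, then fewest real
    addresses, then lowest real address, then object name. Sections 1 and 3
    keep configured order (sorted() is stable)."""
    def key(r):
        if r.section == 2:
            return (2, 0 if r.kind == "static" else 1,
                    sum(n.num_addresses for n in r.real),
                    int(min(n.network_address for n in r.real)), r.name)
        return (r.section, 0, 0, 0, "")
    return sorted(rules, key=key)


def translate(rules, real_ip):
    """Outbound (inside -> outside): first matching rule wins. Returns (rule, kind, mapped source)."""
    ip = ipaddress.ip_address(real_ip)
    for r in policy_order(rules):
        if any(ip in n for n in r.real):
            return r.name, r.kind, str(r.mapped)
    return None, "identity", real_ip


def untranslate(rules, mapped_ip):
    """Inbound (outside -> inside): only static rules create a reverse mapping, so a
    PAT address never admits unsolicited connections. Returns the real address or None."""
    ip = ipaddress.ip_address(mapped_ip)
    for r in policy_order(rules):
        if r.kind == "static" and ip == r.mapped:
            return str(r.real[0].network_address)
    return None


if __name__ == "__main__":
    rules = parse_config(RUN_CONFIG)
    for r in policy_order(rules):
        print(f"section {r.section} {r.kind:8} {r.name:28} -> {r.mapped}")
    for host in ("172.16.25.70", "172.16.40.12", "192.168.5.9", "10.9.9.9"):
        print(host, "->", translate(rules, host))
    for pub in ("222.222.222.8", "222.222.222.15"):
        print(pub, "<-", untranslate(rules, pub))
```

Run as-is, the model puts the static object rule ahead of the after-auto PAT, maps 172.16.25.70 to 222.222.222.8 outbound and back again inbound, and sends every other FRU_PAT address to 222.222.222.15. The same ordering is what the NAT phase of a packet-tracer run from the SMTP host should report; if the tracer agrees and traffic still fails, the problem is not rule selection.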

1 REPLY

So you are not able to browse the internet from the SMTP server either?

Your configuration looks fine at first glance. Could you run a packet-tracer and post the output here?

packet-tracer input inside tcp 172.16.25.70 12345 4.2.2.2 80

You might also want to issue a clear xlate to purge all the existing NAT translations.  I have seen old translations mess with new configurations.  Just remember to do this outside of normal working hours or in a service window as users will lose their connection to the internet and will need to reconnect.

--

Please remember to select a correct answer and rate helpful posts

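The reply's single packet-tracer covers the outbound direction only. The command set below is added here (it is not part of the reply) and fills in the checks a practitioner would run against this exact config: both directions through the static, the NAT sections and hit counts, and a per-host xlate purge that avoids dropping every user's sessions. The outside source 231.25.83.10 is a constructed address chosen from the posted obj_Post range.

```cisco
! Outbound from the SMTP host. With the posted rules the NAT phase should name the
! object rule obj_172.16.25.70 and show a translated source of 222.222.222.8,
! not the 222.222.222.15 the ordinary users get.
packet-tracer input inside tcp 172.16.25.70 12345 4.2.2.2 80

! Inbound SMTP from a host in obj_Post (231.25.83.10 is a constructed address in
! that range). In 8.3+ the UN-NAT phase maps 222.222.222.8 back to 172.16.25.70
! before the ACCESS-LIST phase, which should then match out_to_in on the real IP.
packet-tracer input outside tcp 231.25.83.10 1025 222.222.222.8 25

! Show the NAT sections (manual, object, after-auto) and per-rule hit counts.
show nat detail

! Inspect and clear only this host's translations instead of purging every user's.
show xlate | include 172.16.25.70
clear xlate local 172.16.25.70
```

If both tracers pass but real traffic still fails, the remaining question is on the far side of the link: the next hop at 222.222.222.1 has to deliver traffic for 222.222.222.8 to the ASA (the ASA answers ARP for mapped addresses on the outside interface by default), so the upstream router's ARP table for .8 is the next thing to check.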