New Member

Will ASA internal IP 129.0.0.0/23 create problems when used with PAT?

We are using 129.0.0.0/23 as the internal IP range (followed for a long time). Now an ASA 5510 has been installed and translated to the public IP.

An access-list is created as follows:

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any any

object-group service DM_INLINE_SERVICE_7

service-object tcp eq domain

service-object tcp eq www

service-object tcp eq https

service-object tcp eq pop3

service-object tcp eq smtp

service-object udp eq domain

service-object tcp eq 3389

and applied in the inbound direction on the outside interface:

access-group outside_access_in in interface outside

In this case everything is working fine.

When I apply this access-list to the particular internal subnet, the Exchange mails were not forwarded from outside to the inside Exchange server (129.0.0.12).

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 0.0.1.255 (internal subnet)

Will ASAs not work with this type of IP addressing? Does the ASA internal subnet need to be readdressed to private IP addresses or not?

Can anyone please guide us?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

There is no bug - your configuration is incorrect. The any to any command works as you are not filtering on any specific IP address.

If you have specific static NAT statements for the inside servers, you need to change the access-list to reflect the static outside IP address, e.g.:

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <>

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any <>

or

access-list outside_access_in extended permit tcp any host <> eq www

access-list outside_access_in extended permit tcp any host <> eq smtp
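
Why the subnet rule dropped mail while any-to-any worked, as an added Python model that is not part of the original thread and not Cisco code. It assumes the pre-8.3 behaviour implied by the nat/global syntax in the thread, where the outside ACL is matched against the mapped address before the static translation; the public address 203.0.113.12 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values: 203.0.113.0/24 is a documentation range standing
# in for the public addresses, which the thread never shows.
STATIC_NAT = {"203.0.113.12": "129.0.0.12"}  # mapped (outside) -> real (inside)

# Contents of DM_INLINE_SERVICE_7 as posted in the question.
SERVICES = {("tcp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 110),
            ("tcp", 25), ("udp", 53), ("tcp", 3389)}


def acl_permits(acl, proto, dst_ip, dst_port):
    """First-match evaluation; falling off the end is the implicit deny."""
    dst = ipaddress.ip_address(dst_ip)
    for dst_net, services in acl:
        if dst in ipaddress.ip_network(dst_net) and (proto, dst_port) in services:
            return True
    return False


def inbound(acl, proto, dst_ip, dst_port):
    """Assumed pre-8.3 order: the ACL sees the mapped address first,
    and only a permitted packet is translated to the real address."""
    if not acl_permits(acl, proto, dst_ip, dst_port):
        return "denied by ACL"
    real = STATIC_NAT.get(dst_ip)
    return f"forwarded to {real}" if real else "no translation"


ACL_ANY = [("0.0.0.0/0", SERVICES)]                      # any any
ACL_REAL_SUBNET = [("129.0.0.0/255.255.254.0", SERVICES)]  # real inside subnet
ACL_MAPPED_HOST = [("203.0.113.12/32", {("tcp", 25)})]   # mapped host, smtp only

if __name__ == "__main__":
    for name, acl in [("any any", ACL_ANY),
                      ("real subnet", ACL_REAL_SUBNET),
                      ("mapped host", ACL_MAPPED_HOST)]:
        # Mail from the Internet is addressed to the mapped address.
        print(f"{name:12} smtp -> {inbound(acl, 'tcp', '203.0.113.12', 25)}")
        print(f"{name:12} rdp  -> {inbound(acl, 'tcp', '203.0.113.12', 3389)}")
```

The mapped-host rule also stops permitting 3389 toward the mail server, which the any-to-any rule allowed for every static translation.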

9 REPLIES

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Your access-list mask comment looks incorrect, try:-

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0

HTH

New Member

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Thanks.

I am applying these through ASDM.

The following is the correct applied access-list.

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any 129.0.0.0 255.255.254.0

I have checked once again with this access-list. Mails were not received.

Any to any is working.

Any to this subnet is not working.

Any suggestions please.

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Are you natting from the outside in? If so, you need to replace the 129.0.0.x address with the NAT address.

Post your sanitised config please?

New Member

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Presently I do not have the run config.

I am doing inside network to outside like:

nat (inside) 2 129.0.0.0

global (outside) 2 public ip

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Do you have any other NAT statements?

New Member

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

No.

But I have static commands with different public IPs for the Exchange and web servers.

I am confused.

Because this should work with the particular subnet. Any to any is working.

Is there any bug?

New Member

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Yes, it is working.

New Member

Re: DID ASA internal ip 129.0.0.0/23 will create problems when u

Thanks, I will apply and give feedback.
