11-05-2014 02:49 AM - edited 03-11-2019 10:01 PM
Here I want to give internet access to my LAN users having subnet 172.16.20.0/24,
and the inside firewall IP is 192.168.11.249/24,
the outside IP is 125.209.70.88/24,
and I also attached a diagram with the IPs.
11-06-2014 04:09 AM
Add the access lists below with whatever source and destination you need to restrict:
access-list 102 extended permit tcp <source> <destination> eq 995
access-list 102 extended permit tcp <source> <destination> eq 465
11-06-2014 04:26 AM
access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 995
access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 465
I need to run Outlook for LAN users having subnet 172.16.20.0/24, and after that do I apply
access-group 102 in interface inside ?
11-06-2014 06:08 AM
11-06-2014 08:51 PM
11-08-2014 10:43 PM
I can only see the ports in your configuration. What is the incoming and outgoing mail server name/IP configured in your Outlook? If it is a name and not an IP, then how will the name resolution happen? Do you have an inside DNS server?
Thanks,
Prashant Joshi
11-10-2014 01:18 AM
Thanks Joshi,
I have incoming server 174.142.165.146 and outgoing server 174.142.165.146.
These are outside, over the internet, not in our LAN network, and there is no DNS server.
11-10-2014 03:05 AM
Hi,
Kindly provide me the output below:
packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 995 det
packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 465 det
Prashant Joshi
11-10-2014 04:13 AM
11-10-2014 07:25 PM
You need to remove the NAT exemption below (it means that for all inside users the ASA will not perform NAT):
nat (inside) 0 0.0.0.0 0.0.0.0
If you need to perform NAT exemption, you need to be specific, like:
access-list nonat permit 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
nat (inside) 0 access-list nonat
Thanks,
Prashant Joshi
11-11-2014 04:02 AM
These are the NAT commands that I configured:
nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255
static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0
11-11-2014 05:34 AM
Add the NAT policy below for inside users:
nat (inside) 1 172.16.20.0 255.255.255.0
and if it doesn't work, provide the packet-tracer output again.
Prashant Joshi
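The two mistakes this thread turns on, an extended ACL endpoint written without a netmask or the `host` keyword (the 11-06-2014 04:26 AM post) and the catch-all `nat (inside) 0 0.0.0.0 0.0.0.0` exemption that stops every inside host from being translated (the 11-10-2014 07:25 PM reply), are both easy to catch before pasting a snippet into a pre-8.3 ASA. The linter below is an added example, not code from the thread or from Cisco; the config text it checks is constructed from the thread's own lines, and the `access-list`/`nat` syntax it parses is the pre-8.3 form used throughout this discussion.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: an ACL line missing the source mask,
# one whose destination has neither "host" nor a mask, the catch-all NAT
# exemption the reply says to remove, and the correct NAT rule for the subnet.
SAMPLE_CONFIG = """\
access-list 102 extended permit tcp 172.16.20.0 117.102.8.90 eq 995
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 117.102.8.90 eq 465
nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 1 172.16.20.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list \S+ extended (?:permit|deny) \S+ (.+?) eq \S+$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def valid_mask(token):
    """True if token is a contiguous IPv4 netmask (0.0.0.0 counts as a /0)."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{token}", strict=False)
        return True
    except ValueError:
        return False


def parse_endpoint(tokens, i):
    """Consume one pre-8.3 ACL address spec (any | host A | A MASK) at tokens[i].
    Returns the index after the spec, or None if the spec is malformed."""
    if tokens[i] == "any":
        return i + 1
    if tokens[i] == "host" and i + 1 < len(tokens):
        return i + 2
    if i + 1 < len(tokens) and valid_mask(tokens[i + 1]):
        return i + 2
    return None


def lint_config(text):
    """Return (line_number, message) pairs for the two mistakes discussed above."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        acl, nat = ACL_RE.match(line), NAT_RE.match(line)
        if acl:
            tokens = acl.group(1).split()
            nxt = parse_endpoint(tokens, 0)
            if nxt is None:
                findings.append((lineno, "source needs a netmask or the 'host' keyword"))
            elif nxt >= len(tokens) or parse_endpoint(tokens, nxt) is None:
                findings.append((lineno, "destination needs a netmask or the 'host' keyword"))
        elif nat and nat.group(2) == "0" and nat.group(3) != "access-list":
            addr, mask = nat.group(3), nat.group(4)
            if valid_mask(mask) and ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).prefixlen == 0:
                findings.append((lineno, "catch-all NAT exemption: no inside host will be translated"))
    return findings
```

Run `lint_config(SAMPLE_CONFIG)` to get one finding for each of the first three sample lines and none for the `nat (inside) 1` rule; an `access-list nonat`-based exemption such as `nat (inside) 0 access-list no-nat` is also accepted.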
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 117.102.8.90 eq 995
access-list 102 extended permit tcp 172.16.20.0 255.255.255.0 117.102.8.90 eq 465
access-group 102 in interface inside