Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need help with PAT translation

I need to do a PAT translation for SMTP. I have a 3rd party company filtering mail for us. I only want to accept mail from there IP on our ASA. Do I need to create a PAT and an ACL?

Also, when I try and set the PAT up I get an error message. The 3rd party company gave me a range of ip addresses (208.65.144.0/21). I?m trying to translate that to my exchange server. The command I am using is ? static (outside,inside) tcp 10.132.13.27 smtp 208.65.144.0 smtp netmask 255.255.248.0

Can I not map a range of outside to a single inside?

Thanks for any help you can give me.

3 ACCEPTED SOLUTIONS

Accepted Solutions
Green

Re: Need help with PAT translation

You need to use a single address and your static is written wrong.

static (inside,outside) tcp 208.65.144.x smtp 10.132.13.27 smtp netmask 255.255.255.255

access-list outside_access_in permit tcp host <3rd.party.ip> host 208.65.144.x eq smtp

access-group outside_access_in in interface outside

Green

Re: Need help with PAT translation

That will work fine. Actually it would look like this...

static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

Green

Re: Need help with PAT translation

Sure...

access-list outside_access_in permit tcp host <3rd.party.ip> host 12.104.x.x eq smtp

access-group outside_access_in in interface outside

Please rate helpful posts.

13 REPLIES
Green

Re: Need help with PAT translation

You need to use a single address and your static is written wrong.

static (inside,outside) tcp 208.65.144.x smtp 10.132.13.27 smtp netmask 255.255.255.255

access-list outside_access_in permit tcp host <3rd.party.ip> host 208.65.144.x eq smtp

access-group outside_access_in in interface outside

New Member

Re: Need help with PAT translation

Thanks for your response.

How can I take that range of ip addresses and make this work?

Green

Re: Need help with PAT translation

I'm not sure I understand. They are going to send you mail to every address in that whole subnet?

New Member

Re: Need help with PAT translation

I'm not sure why they gave me a range.

What is I create the pat to look like this-

static (inside,outside) tcp 0.0.0.0 smtp 10.132.13.27 smtp netmask 255.255.255.255

Then set the ACL up to only allow the ISP range to use port 25.

Will that work?

Green

Re: Need help with PAT translation

No way, that will not work.

Is 208.65.144.0/21 your range of ip's or is this the range of ip's where your 3rd party will send you mail from?

New Member

Re: Need help with PAT translation

Sorry, I didn't mean to say ISP. I meant the 3rd party for mail.

Green

Re: Need help with PAT translation

Sorry Mike, it just makes no sense to me. I would start by getting back to them and find out what the deal is. You cannot translate a single inside server address to multiple outside addresses.

New Member

Re: Need help with PAT translation

How about translating the ip address of the outside interface?

static (inside,outside) tcp 12.104.x.x smtp 10.132.13.27 smtp netmask 255.255.255.255

Green

Re: Need help with PAT translation

That will work fine. Actually it would look like this...

static (inside,outside) tcp interface smtp 10.132.13.27 smtp netmask 255.255.255.255

New Member

Re: Need help with PAT translation

Thank you.

From there can I create an acl to only allow the 3rd party to access port 25?

Green

Re: Need help with PAT translation

Sure...

access-list outside_access_in permit tcp host <3rd.party.ip> host 12.104.x.x eq smtp

access-group outside_access_in in interface outside

Please rate helpful posts.

New Member

Re: Need help with PAT translation

Thanks again. I really appreciate all your help.

Green

Re: Need help with PAT translation

No problem, hope everything works out.

148
Views
0
Helpful
13
Replies