08-04-2008 11:28 AM - edited 03-11-2019 06:25 AM
I have a 501 with PAT configured. When my Exchange server sends SMTP traffic outbound I would like it to advertise the address x.x.x.219; all desktops and non-SMTP traffic should advertise as x.x.x.218. I thought that when I do my static map it should use that IP address. I included my ACL, static, and NAT statements; any help is appreciated.
access-list SVCS permit tcp any host X.X.X.218 eq www
access-list SVCS permit tcp any host X.X.X.219 eq smtp
access-list SVCS permit tcp any host X.X.X.218 eq ftp
access-list SVCS permit tcp any host X.X.X.218 eq https
access-list SVCS permit tcp any host X.X.X.218 eq 90
access-list SVCS permit tcp any host X.X.X.218 eq 91
access-list SVCS permit tcp any host X.X.X.218 eq 92
access-list SVCS permit tcp any host X.X.X.218 eq 93
access-list SVCS permit tcp any host X.X.X.218 eq 94
access-list SVCS permit tcp any host X.X.X.218 eq 95
ip address outside X.X.X.218 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp X.X.X.218 www 192.168.1.254 www netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.219 smtp 192.168.1.254 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 ftp 192.168.1.254 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 https 192.168.1.254 https netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 90 192.168.1.254 90 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 91 192.168.1.254 91 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 92 192.168.1.254 92 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 93 192.168.1.254 93 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 94 192.168.1.254 94 netmask 255.255.255.255 0 0
static (inside,outside) tcp X.X.X.218 95 192.168.1.254 95 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.1 1
08-04-2008 04:49 PM
Hi ..
Ok first of all .. when you use the IP address of the firewall for PAT or static NAT you have to use the interface command instead of the IP address .. i.e
For inbound traffic:
static (inside,outside) tcp interface www 192.168.1.254 www netmask 255.255.255.255
the same with entries for the ACL .. i.e access-list abc permit tcp any interface eq www
access-group abc in interface outside
In regards to outbound smtp traffic I suggest trying the below
global (outside) 1 x.x.x.219 netmask 255.255.255.255
nat (inside) 1 access-list SMTP-ONLY
access-list SMTP-ONLY permit tcp host 192.168.1.254 any eq 25
access-list SMTP-ONLY permit tcp host 192.168.1.254 eq 25 any * You might not need this entry .. I can't test it right now .. it won't hurt to have there anyway
For any other traffic
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
I am not sure what you are trying to achieve with your nat (inside) 0 access-list NoNat command .. I suggest removing it if you were just testing things out. Also don't forget to do clear xlate after the changes.
I hope it helps .. please rate helpful posts
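The behaviour the two posts above are arguing about comes down to the order in which a PIX 6.x picks a translation for an inside-to-outside flow. The following is an added example, not code from this thread or from Cisco: a small Python model of that lookup. It assumes the order exemption (nat 0 access-list), then static, then policy NAT (nat <id> access-list), then regular nat by source subnet, and it assumes a port static only translates an outbound packet that the inside host sources from the static's local port. Under those assumptions the original config sends Exchange's outbound mail out as .218, because the smtp static covers 192.168.1.254 only when it talks from port 25 (inbound sessions and their replies), while outbound delivery uses an ephemeral source port and falls through to the catch-all nat 1. The 203.0.113.x and 198.51.100.x addresses are RFC 5737 placeholders standing in for the redacted X.X.X.x addresses and for remote hosts; the flows are constructed for the example.

```python
"""Model of how a PIX 6.x picks the outbound source translation for a flow.

Added example, not Cisco code.  It encodes the lookup order the model assumes
for inside->outside traffic: nat 0 access-list (exemption), then static,
then policy NAT (nat <id> access-list), then regular nat by source subnet.
A port static is assumed to match an outbound packet only when the inside
host sources it from the static's local port.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# 203.0.113.x (RFC 5737 TEST-NET-3) stands in for the redacted X.X.X.x addresses.
OUTSIDE_IF = "203.0.113.218"   # ip address outside / global (outside) N interface
SMTP_IP = "203.0.113.219"      # the address the poster wants Exchange to use
EXCHANGE = "192.168.1.254"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclLine:
    """One 'permit tcp <src> <dst> [eq <dport>]' line, evaluated inside->outside."""
    src_net: str
    dst_net: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (self.dport is None or self.dport == f.dport))


@dataclass(frozen=True)
class PortStatic:
    """static (inside,outside) tcp <global_ip> <gport> <local_ip> <lport>"""
    global_ip: str
    gport: int
    local_ip: str
    lport: int


@dataclass
class PixNat:
    exempt: List[AclLine] = field(default_factory=list)                    # nat (inside) 0 access-list
    statics: List[PortStatic] = field(default_factory=list)
    policy: List[Tuple[List[AclLine], str]] = field(default_factory=list)  # nat <id> access-list -> global <id>
    regular: List[Tuple[str, str]] = field(default_factory=list)           # nat <id> <net> -> global <id>

    def translate(self, f: Flow) -> str:
        """Return the source address the outside sees for flow f."""
        if any(a.matches(f) for a in self.exempt):
            return f.src                                   # identity: no translation at all
        for s in self.statics:
            if f.src == s.local_ip and f.sport == s.lport:
                return s.global_ip
        for lines, global_ip in self.policy:
            if any(a.matches(f) for a in lines):
                return global_ip
        for net, global_ip in self.regular:
            if ip_address(f.src) in ip_network(net):
                return global_ip
        raise LookupError("no nat rule covers %r" % (f,))


# The port statics from the original post.  NoNat's contents are not on the
# page, so the exemption list is left empty in both configs.
STATICS = [PortStatic(OUTSIDE_IF, 80, EXCHANGE, 80), PortStatic(SMTP_IP, 25, EXCHANGE, 25),
           PortStatic(OUTSIDE_IF, 21, EXCHANGE, 21), PortStatic(OUTSIDE_IF, 443, EXCHANGE, 443)]
STATICS += [PortStatic(OUTSIDE_IF, p, EXCHANGE, p) for p in range(90, 96)]


def original_config() -> PixNat:
    # global (outside) 1 interface / nat (inside) 1 0.0.0.0 0.0.0.0
    return PixNat(statics=STATICS, regular=[("0.0.0.0/0", OUTSIDE_IF)])


def fixed_config() -> PixNat:
    # global (outside) 1 x.x.x.219 / nat (inside) 1 access-list SMTP-ONLY
    # global (outside) 2 interface / nat (inside) 2 0.0.0.0 0.0.0.0
    smtp_only = [AclLine(EXCHANGE + "/32", "0.0.0.0/0", 25)]
    return PixNat(statics=STATICS, policy=[(smtp_only, SMTP_IP)],
                  regular=[("0.0.0.0/0", OUTSIDE_IF)])


# Constructed sample flows (198.51.100.x is RFC 5737 TEST-NET-2).
OUTBOUND_MAIL = Flow(EXCHANGE, 49152, "198.51.100.25", 25)        # Exchange delivering mail
OUTBOUND_WEB = Flow(EXCHANGE, 49153, "198.51.100.80", 80)         # Exchange fetching a web page
DESKTOP_MAIL = Flow("192.168.1.50", 49154, "198.51.100.25", 25)   # a desktop speaking SMTP
SERVER_REPLY = Flow(EXCHANGE, 25, "198.51.100.7", 51000)          # reply leg of an inbound SMTP session

if __name__ == "__main__":
    for name, cfg in (("original", original_config()), ("fixed", fixed_config())):
        for label, f in (("exchange->smtp", OUTBOUND_MAIL), ("exchange->www", OUTBOUND_WEB),
                         ("desktop->smtp", DESKTOP_MAIL), ("inbound smtp reply", SERVER_REPLY)):
            print("%-8s %-20s appears as %s" % (name, label, cfg.translate(f)))
```

Running it shows the original config putting every outbound flow from Exchange on .218 while inbound SMTP and its replies still use .219, which is exactly what the poster reported; the fixed config moves only Exchange's outbound port-25 traffic to .219 and leaves desktops and Exchange's own web traffic on the interface address. One caveat the model makes visible: the nat (inside) 0 access-list NoNat exemption is checked before everything else, so if that ACL happened to cover the server's traffic, neither the policy NAT nor the statics would apply to it; the contents of NoNat are not shown in the thread, which is why the model leaves it empty, and a clear xlate followed by show xlate is the way to confirm which rule a live flow actually hit.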
08-04-2008 11:43 AM
Hi,
Your config seems ok.
Except putting the access-list on the interface, which I believe you have already done.
access-group SVCS in interface Outside
08-04-2008 11:50 AM
Yes, applied and inbound traffic comes inbound on .219 just fine.
The Exchange server keeps showing up as .218. Did a clear xlate, rebooted... it does not seem to want to send SMTP traffic as .219.
Based on another article I tried to do an access list for the NAT as well. I tried putting a deny on 192.168.1.254 and a permit on 192.168.1.0 but didn't seem to have any luck with that either - same results.
Any debugs you can recommend to see the traffic flow from the server?
08-05-2008 04:57 AM
Inbound traffic is working fine with the IP address without the interface command. Being a newbie, if you could provide some insight as to why to use the interface command rather than the IP, to help my logic down the line, that would be great. The global statements and access lists were right on. I applied them and mail started flowing with the .219 address immediately after my clear xlate. Thanks again.
08-06-2008 03:59 AM
Hi ..
I am glad to hear the issue was resolved. In regards to your question
"if you could provide some insight as to why to use the interface command rather than the IP to help my logic down the line"
Actually .. interface can be used to refer to the firewall's IP address when for instance it is dynamically assigned by DHCP and therefore constantly changing. So .. otherwise the use of the IP address is OK.
Cheers,