Problem moving NAT from Internet router to ASA 5505 for internal mail server

Hi all,

I am introducing an ASA 5505 into my network, which currently has NAT done on the Internet router connecting to the ISP. They are static NAT entries mapping to a mail server inside the network.

I now want to do NAT and also move the static entries for the mail server to the ASA 5505, but I have only one public IP, which is set on the outside of the Internet router.

Is there a way to get this to work? Thanks for helping.

1 REPLY

Re: Problem moving NAT from Internet router to ASA 5505 for internal mail server

Yes, there is always a way with Cisco.. :)

Say you need web server port 80, RDP and other mail TCP ports; say the local mail server is 10.20.20.100 and your outside interface is your only public IP address. In this example, PLS apply the same principle for mail ports, TCP or UDP etc.

static (inside,outside) tcp interface www 10.20.20.100 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.20.20.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.20.20.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 23 10.20.20.100 23 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq www log
access-list outside_access_in extended permit tcp any interface outside eq 3389 log
access-list outside_access_in extended permit tcp any interface outside eq ftp log
access-list outside_access_in extended permit tcp any interface outside eq 23 log

access-group outside_access_in in interface outside

Or create a TCP service object group called mail_server_TCP and use only one inbound ACL line that references that object group:

object-group service mail_server_TCP tcp
 port-object eq www
 port-object eq 3389
 port-object eq ftp
 port-object eq 23

access-list outside_access_in extended permit tcp any interface outside object-group mail_server_TCP

access-group outside_access_in in interface outside

Use the examples below as references, but keep in mind to use the keyword (interface) in your static NATs and the keyword (interface outside) in your inbound ACLs, so that your outside interface public IP address is used.

Port Redirection (Forwarding) with nat, global, static

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Mail related links

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080683db5.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008067cf3b.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Regards

PLS rate post if it helped
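Added example, not part of the reply and not Cisco code: a small Python consistency check for a port-forwarding snippet written in the form used above (static ... interface, access-list ... interface outside, access-group ... in interface outside). It flags the slips that are easy to make when typing such a snippet by hand: the same outside port forwarded twice, a mistyped port keyword, an access-group that binds an ACL name that was never defined, and a forwarded port that the bound ACL does not permit. The sample config is constructed for the example; the port-keyword table and the regexes are assumptions covering only the command forms shown in the reply.

```python
import re

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25}  # ASA port keywords (subset)

def port(tok):
    # Resolve a port keyword or number; None if the token is not recognised.
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

def check_port_forwarding(config):
    """Cross-check 'static ... interface' forwards against the ACL bound to outside."""
    findings, statics, groups, acls, bound, cur = [], {}, {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"static \(inside,outside\) tcp interface (\S+) ", line):
            lp = port(m.group(1))
            if lp in statics:  # same outside port twice: the ASA rejects the second static
                findings.append(f"port {lp} forwarded twice")
            statics[lp] = line
        elif m := re.match(r"object-group service (\S+) tcp", line):
            cur = groups.setdefault(m.group(1), set())
        elif (m := re.match(r"port-object eq (\S+)", line)) and cur is not None:
            cur.add(port(m.group(1)))
        elif m := re.match(r"access-list (\S+) extended permit tcp any interface outside "
                           r"(eq|object-group) (\S+)", line):
            name, kind, val = m.groups()
            ports = {port(val)} if kind == "eq" else groups.get(val, set())
            if None in ports:  # e.g. the typo 'ftplog', which the CLI parser would reject
                findings.append(f"unrecognised port {val!r} in ACL {name}")
            acls.setdefault(name, set()).update(ports - {None})
        elif m := re.match(r"access-group (\S+) in interface outside", line):
            bound.add(m.group(1))
    for name in bound - set(acls):  # access-group naming an ACL that is never defined
        findings.append(f"access-group binds undefined ACL {name!r}")
    permitted = set().union(*(acls[n] for n in bound & set(acls)))
    for lp in statics:  # every forwarded port needs a permit in the bound ACL
        if lp not in permitted:
            findings.append(f"port {lp} forwarded but not permitted by the ACL on outside")
    return findings

# Constructed sample: a hand-typed snippet carrying all four kinds of slip.
SAMPLE = """
static (inside,outside) tcp interface www 10.20.20.100 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.20.20.100 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.20.20.100 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 21 10.20.20.100 23 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq www log
access-list outside_access_in extended permit tcp any interface outside eq 3389 log
access-list outside_access_in extended permit tcp any interface outside eq ftplog
access-list outside_access_in extended permit tcp any interface outside eq 23 log
access-group outbound_access_in in interface outside
"""
```

Running `check_port_forwarding(SAMPLE)` lists six findings for the sample; the corrected snippet from the reply (object-group form, access-group bound to outside_access_in) produces none.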
