02-20-2012 01:42 PM - edited 03-11-2019 03:32 PM
Hi Guys
I have a question. I have an ASA5510 with IOS version 8.2. I have my firewall and behind it I also have a mail server, e.g. 192.168.1.x. When I send email from the inside network it doesn't show as if it's coming from the outside NATed public IP of my server but from the IP of the firewall. What am I missing? My example NAT statements are below. Nat-control is disabled.
static (inside,outside) 196.68.99.x 192.168.1.x netmask 255.255.255.255
access-list inbound extended permit tcp any host 196.68.99.x eq 225
access-list outbound extended permit host 192.168.1.x host 196.68.99.x
02-20-2012 06:44 PM
You don't need 'access-list outbound extended permit host 192.168.1.x host 196.68.99.x'. Remove this and clear the existing translation for the internal IP (clear xlate local 192.168.1.x) and see if that fixes the issue.
Thx
MS
02-20-2012 10:52 PM
Hi
Thank you for the reply. I tried that but it didn't work. What else do you suggest I try?
02-20-2012 11:40 PM
Hi,
can you provide me the output of:
packet-tracer input outside tcp 4.2.2.2 23456 196.68.99.x 80 detailed
and also can you provide the running config from the ASA, you can hide the ip's if you want.
Thanks,
Varun
02-21-2012 12:06 AM
02-21-2012 12:23 AM
Hello Chigumbab,
It's nice to see you after a while as well.
I checked the packet tracer and it is allowing all the packets. Are all the ports not working or only some specific ones?
Can you take captures on the ASA?
access-list cap permit tcp host xx.xx.xx.150 any
access-list cap permit tcp any host xx.xx.xx.150
access-list cap permit tcp any host xx.xx.xx.20
access-list cap permit tcp host xx.xx.xx.20 any
capture capin access-list cap interface inside
capture capo access-list cap interface outside
Then generate some traffic and collect the output of "show cap capin" and "show cap capo"
It would be interesting to see where the packets are being dropped.
Thanks,
Varun
02-21-2012 12:29 AM
Hi Varun
It's allowing the packets in and out, that's working fine, but my issue is, for reverse DNS on the mail server, traffic originating from internal IP x.x.x.20 on 25 is showing as if it's coming from the firewall external IP, which is x.x.x.253, instead of x.x.x.150. I want traffic coming from the internal IP x.x.x.20 to be NATed and go out via its NATed public IP x.x.x.150 and not the firewall external IP x.x.x.253.
02-21-2012 12:42 AM
Hi Chigumbab,
Nope, that would not work, because you have just done port forwarding and allowed only specific ports on the xx.xx.xx.150 IP address, so the DNS traffic would definitely be NATed to the outside interface because of the nat/global statements that you have. Just as a workaround, add the statement at the end of all the statics:
static (inside,outside) tcp x.x.x.150 smtp x.x.x.20 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.150 587 x.x.x.20 587 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.150 pop3 x.x.x.20 pop3 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.150 3389 x.x.x.20 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.150 1433 x.x.x.20 1433 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.150 3306 x.x.x.20 3306 netmask 255.255.255.255
static (inside,outside) x.x.x.150 x.x.x.20
and now if the server goes to the internet, it should show the IP x.x.x.150
Don't worry it would not allow any other ports to be opened as you have restricted the incoming ports through the ACL.
Hope that helps.
Thanks,
Varun
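To make the reasoning in the accepted answer concrete, here is an added Python model (not ASA code and not part of the thread) of how ASA 8.2 picks a translation for the mail server: statics are checked first, first match wins, and anything unmatched falls through to the nat/global PAT on the outside interface. The addresses are constructed stand-ins for x.x.x.253, x.x.x.150 and x.x.x.20.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses standing in for the thread's x.x.x.253 / .150 / .20.
OUTSIDE_IF_IP = "203.0.113.253"   # ASA outside interface (the PAT address)
PUBLIC_MAIL_IP = "203.0.113.150"  # public IP the mail server should appear as
REAL_MAIL_IP = "192.168.1.20"     # real (inside) IP of the mail server

@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside)' line; proto/ports None means a 1:1 static."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

# The TCP port forwards from the answer (smtp = 25, pop3 = 110).
PORT_STATICS: List[Static] = [
    Static(PUBLIC_MAIL_IP, REAL_MAIL_IP, "tcp", p, p)
    for p in (25, 587, 110, 3389, 1433, 3306)
]
# The 1:1 static the answer says to add after the port statics.
ONE_TO_ONE = Static(PUBLIC_MAIL_IP, REAL_MAIL_IP)

def outbound(src_ip: str, src_port: int, proto: str, statics: List[Static]) -> Tuple[str, int]:
    """Mapped source for a connection the inside host initiates.
    A port static matches only when the REAL source port matches, so an
    outbound SMTP session (ephemeral source port, destination 25) never hits
    it and drops through to interface PAT unless a 1:1 static exists."""
    for s in statics:
        if s.real_ip != src_ip:
            continue
        if s.proto is None:
            return s.mapped_ip, src_port
        if s.proto == proto and s.real_port == src_port:
            return s.mapped_ip, s.mapped_port
    return OUTSIDE_IF_IP, src_port  # nat/global PAT (port rewriting not modelled)

def inbound(dst_ip: str, dst_port: int, proto: str, statics: List[Static]) -> Optional[Tuple[str, int]]:
    """Real destination for a connection arriving on the outside; None = no xlate."""
    for s in statics:
        if s.mapped_ip != dst_ip:
            continue
        if s.proto is None:
            return s.real_ip, dst_port
        if s.proto == proto and s.mapped_port == dst_port:
            return s.real_ip, s.real_port
    return None
```

With only the port statics, an outbound connection from the server leaves as the interface address; with the 1:1 static appended it leaves as .150. The same 1:1 static also translates inbound packets to the server on every port, so the outside interface ACL is what keeps the non-forwarded ports closed, as the answer notes.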
02-21-2012 01:06 AM
Thanks Varun, you are the man!!!!!!!
02-21-2012 01:08 AM
Hey, that's great!!!! Hope to see you soon.
Varun