
Static Mapping Network Traffic - ASA 5510

Dear Experts,

I have a server outside the network that is used for accounting.
We connect directly to this network via an ISDN line and a simple IBM router that is pushing all packets from the inside interface destined for 10.x.1.9 via the IBM router, which is addressed within our Inside Interface.

In this example I am not using the OUTSIDE Interface of my Cisco 5510 at all.

I just want my internal Accounting department to be able to get to their precious server located in someone else's house.

Here is my running config:

(NOTE:  I have a static route setup)

Route INSIDE 10.x.1.0 2

When I attempt a tracert to the network I don't get anywhere but I can ping (probably because the router is connected directly to the same switch that my client is connected, but the Cisco isn't letting packets get to the AS400 network for some reason).


asdm image disk0:/asdm505.bin
asdm location WTS1 inside
asdm location JRA-XSERVE1 inside
asdm location ATROPOS inside
no asdm history enable
: Saved
ASA Version 7.0(5)
hostname ciscoasa
domain-name jrabbott.com
enable password 1q1dWhr/XLfzW0/Y encrypted
name WTS1 description Citrix Server
name ATROPOS description Database Server
name JRA-XSERVE1 description MAIL SERVER
interface Ethernet0/0
 description ISP / Route
 nameif outside
 security-level 0
 ip address 208.x.x.100
interface Ethernet0/1
 description Network Traffic
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 description Web Application Server / Front-End Exchange Server
 nameif Exchange
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 security-level 0
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone pst -8
same-security-traffic permit inter-interface
object-group service RDP tcp-udp
 description Remote Desktop (Terminal Services)
 port-object range 3389 3389
access-list INBOUND extended permit tcp any interface outside eq smtp
access-list INBOUND extended permit tcp any interface outside eq www
access-list INBOUND extended permit tcp any interface outside eq pop3
access-list INBOUND extended permit tcp any interface outside eq imap4
access-list INBOUND extended permit tcp any interface outside eq 993
access-list INBOUND extended permit tcp any interface outside eq 88
access-list INBOUND extended permit tcp any interface outside eq ldap
access-list INBOUND extended permit tcp any interface outside eq ldaps
access-list INBOUND extended permit tcp any interface outside eq 3389
access-list INBOUND extended permit tcp any interface outside eq 1604
access-list INBOUND extended permit tcp any interface outside eq citrix-ica
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Exchange 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface Exchange
monitor-interface management
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
nat (management) 0
static (inside,outside) tcp interface smtp JRA-XSERVE1 smtp netmask
static (inside,outside) tcp interface www JRA-XSERVE1 www netmask
static (inside,outside) tcp interface pop3 JRA-XSERVE1 pop3 netmask
static (inside,outside) tcp interface imap4 JRA-XSERVE1 imap4 netmask
static (inside,outside) tcp interface 993 JRA-XSERVE1 993 netmask
static (inside,outside) tcp interface 88 JRA-XSERVE1 88 netmask
static (inside,outside) tcp interface ldap JRA-XSERVE1 ldap netmask
static (inside,outside) tcp interface ldaps JRA-XSERVE1 ldaps netmask
static (inside,outside) tcp interface 3389 ATROPOS 3389 netmask
static (inside,outside) tcp interface 1604 WTS1 1604 netmask
static (inside,outside) tcp interface citrix-ica WTS1 citrix-ica netmask
static (Exchange,outside) 208.x.x.99 netmask
access-group INBOUND in interface outside
route outside 208.x.x.97 1
route inside 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcprelay server outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
: end

As an aside, I am having trouble with my email through the IMAP clients as well - any thoughts about why that would be bad?
All ports are opened and configured; I can only think that maybe my local DNS needs to change, but I can't get mail to my clients, though they can send email out through the server.

Anyway, thanks to all of you.
Very helpful people.

1 Solution
Firewall thing first,

Let me get this straight, is this how your network is laid out?

                 LAN <-> Router -> AS400 network

And the ASA as the network gateway. If this is how it is laid out then you cannot ever get to it. The ASA is not a router, it's a security device. A packet cannot go in and then out the same interface. You'd either need to reconfigure the network to use another interface on the ASA and run the traffic through that, add a simple router to the network with the appropriate routes added to it, or configure the IBM router with everything and make that the gateway.
As for the IMAP issue, any log messages? Hard to help with so little information. If you suspect DNS, run
nslookup <fqdn of imap server>
and see if it resolves correctly. To ensure the port is open, run
telnet <ip of imap server> 143
Do you use SSL, etc.? Just need the information.
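The two checks in the answer above (does the name resolve, does the server accept a connection on the IMAP port) can be scripted so the result is recorded per address and per port. This is an added example, not code from the thread; the host name, the 192.0.2.x address and the greeting text used when exercising it are constructed. The `resolve` and `connect` callables are injectable so the decision logic can be run offline; the defaults use the real resolver and a plain TCP connect.

```python
"""IMAP reachability probe following the two checks in the accepted answer:
does the name resolve, and does the server accept a TCP connection on the
IMAP ports. Added example; not from the thread. `resolve` and `connect`
are injectable so the logic can be exercised offline; the defaults use the
real resolver and a TCP connect.
"""
import socket

IMAP_PORTS = {143: "imap (cleartext / STARTTLS)", 993: "imaps (implicit TLS)"}


def default_resolve(host):
    """A records for host (what `nslookup <fqdn>` would show)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})


def default_connect(ip, port, timeout=5.0):
    """TCP connect and read the greeting (what `telnet <ip> 143` would show).

    On 993 the server expects a TLS handshake first, so no cleartext banner
    arrives; the connect result is still what matters for a firewall check.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""
        return True, banner
    except OSError as e:
        return False, str(e)


def probe_imap(host, resolve=default_resolve, connect=default_connect, ports=tuple(IMAP_PORTS)):
    """Resolve host, then try each (address, port) pair; returns a report dict."""
    report = {"host": host, "addresses": [], "ports": {}}
    try:
        report["addresses"] = resolve(host)
    except OSError as e:  # socket.gaierror is an OSError subclass
        report["dns_error"] = str(e)
        return report
    for ip in report["addresses"]:
        for port in ports:
            report["ports"][(ip, port)] = connect(ip, port)
    return report


def diagnose(report):
    """Coarse verdict mapping to the steps in the answer: fix DNS first, then the path."""
    if "dns_error" in report or not report["addresses"]:
        return "dns"         # name does not resolve: local DNS, not the firewall
    if any(ok for ok, _ in report["ports"].values()):
        return "reachable"   # at least one IMAP port accepted the connection
    return "blocked"         # resolves, but nothing answers: ACL, static or the listener itself


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # constructed default
    rep = probe_imap(target)
    for (ip, port), (ok, detail) in rep["ports"].items():
        print(f"{ip}:{port:<4} {'open' if ok else 'closed':6} {IMAP_PORTS[port]:28} {detail}")
    print("verdict:", diagnose(rep))
```

Run it from a client on the LAN with the server's FQDN as the argument; a "dns" verdict points at the local resolver, a "blocked" verdict at the firewall statics/ACL or a server that is not listening, and "reachable" means the path is fine and the problem is in the mail client or in the server's account setup.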
Go into the Cisco setup and set up the AS400 IP domain as a DMZ on the Cisco. Now the PCs that need to address this second IP domain can, simply by using the direct address --

xcopy C:\*.* \\10.x.1.9\AS400\user\dir\backup\ /s/e

and you substitute x for the real IP address you want to access; it must be a reachable IP for this to work.

peter_ophoven (Author) commented:
If the ASA is configured as the default gateway for my LAN and for my users on the network, can't I just specify that the IPs destined for that subnet are to be directed to that router?

This seems like a very simple request; I find it hard to believe that the device is incapable of handling this type of configuration.

You'd have to push out route adds for all of the clients. Cisco does security differently and, like I mentioned before, the ASA is a security device, not a routing device. Thus you can't do this with a Cisco firewall.
peter_ophoven (Author) commented:
But as you mentioned I could use a separate interface on the ASA.

Create an interface that specifically routes data from inside the LAN directly to the IBM Router.

IP address:
Security would be 50

And then connect the IBM Router Ethernet directly to the interface port on the ASA.

I would have to give it a different IP address since I cannot have the same IP subnet be associated with a different interface than the INSIDE interface which is already configured as

I could reconfigure the IBM router to an id of and then give this new interface and then create a Static Route for all traffic destined for 10.x.x.0 to go through the ACCOUNTING Interface.

Would this work - or would the route be a "directly connected" static route?

             ASA----IBM ROUTER --- AS400
You'd need to make the static route on the ASA so that it knows where to find that network; otherwise it'll use the default route that is set up. You're on the right track.

the other part of the setup would be
static (inside,accounting) netmask
static (accounting,inside) netmask
clear xlate

Those entries will ensure that translations can occur (although it's effectively a no-NAT between the two interfaces). You don't need to add ACLs either, as the implicit rules will allow the traffic to pass. The clear xlate just clears the translation table to ensure that there is no confusion with old translation mappings.
peter_ophoven (Author) commented:
Based upon my running configuration - wouldn't it be:

Outside Interface = 208.xxx.xxx.100
Inside Interface =
DMZ / Exchange =
Accounting Interface =

static (inside,accounting) netmask
static (accounting,inside) netmask
!!! since my inside interface is and my accounting interface is

!!!and then my static route (to tell the asa "don't send this traffic to the default route")
route inside 10.x.x.0 1 (metric 1)

assuming the IBM router IP is changed to
assuming the AS400 is 10.x.x.0 and available

Then my clients will be able to connect via this method?

Yup, sorry, I accidentally looked at the wrong interface when I grabbed the IP.

The other thing though is
route inside 10.x.x.0 1
should be
route accounting 10.x.x.0 1

This is since it will find the next hop out the accounting interface. Your clients should then be able to communicate.
peter_ophoven (Author) commented:
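The correction above (the route must name the interface the next hop is actually behind, and it can never be the interface the packet came in on) is the whole forwarding rule this thread turns on. As an added illustration, not code from the thread or from Cisco, here is a small Python model of the ASA's route lookup with that ingress-equals-egress check applied. It compares the asker's first idea (IBM router on the LAN, `route inside ...`) with the corrected layout (`route accounting ...`). Every address and prefix in it is a constructed placeholder standing in for the thread's redacted 10.x.x.0 and 208.x.x.x values, and the interface names follow the thread.

```python
"""Model of the ASA 7.0 forwarding rule discussed in this thread.

Added example; not code from the thread or from Cisco. It reproduces the
two behaviours Cyclops describes: a packet whose best route points back
out the interface it arrived on is dropped (no same-interface hairpin),
while the same prefix routed out a dedicated "accounting" interface is
forwarded. All addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int = 1


def parse_route(line):
    """Parse 'route <iface> <network> <mask> <gateway> [metric]' as typed on the ASA."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not a route line: {line!r}")
    iface, net, mask, gw = parts[1:5]
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"), gw, metric)


def lookup(routes, dst):
    """Longest-prefix match; on a tie the lower metric wins (no ECMP modelled)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def forward(routes, ingress, dst):
    """Return (verdict, reason) for a packet entering on `ingress` bound for `dst`."""
    r = lookup(routes, dst)
    if r is None:
        return "drop", "no route"
    if r.iface == ingress:
        # The rule the thread hinges on: the ASA will not send a packet back out
        # the interface it arrived on.
        return "drop", f"egress {r.iface} equals ingress {ingress}: same-interface hairpin not permitted"
    return "forward", f"out {r.iface} via {r.next_hop}"


# Constructed routing tables. BROKEN is the asker's first idea (IBM router on the
# inside subnet, route pointing back out "inside"); FIXED is the corrected layout.
BROKEN = [parse_route(l) for l in (
    "route outside 0.0.0.0 0.0.0.0 203.0.113.97 1",        # default route, placeholder ISP gateway
    "route inside 10.9.1.0 255.255.255.0 192.168.1.20 1",  # IBM router sitting on the LAN
)]
FIXED = [parse_route(l) for l in (
    "route outside 0.0.0.0 0.0.0.0 203.0.113.97 1",
    "route accounting 10.9.1.0 255.255.255.0 192.168.50.2 1",  # IBM router behind its own interface
)]


def run_examples():
    """An accounting PC on the LAN talking to the AS400 (10.9.1.9) and to the Internet."""
    return {
        "broken_lan_to_as400": forward(BROKEN, "inside", "10.9.1.9"),
        "fixed_lan_to_as400": forward(FIXED, "inside", "10.9.1.9"),
        "fixed_lan_to_internet": forward(FIXED, "inside", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, (verdict, why) in run_examples().items():
        print(f"{name:24s} {verdict:8s} {why}")
```

The model only covers the routing decision; it does not model the `static (inside,accounting)` / `static (accounting,inside)` identity translations or the implicit higher-to-lower security permit, both of which still have to be in place as described earlier in the thread. One caveat for anyone reading this on newer code: later ASA releases added `same-security-traffic permit intra-interface`, which relaxes the hairpin rule; on the 7.0(5) image in this thread the dedicated interface is the way to do it.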
You rock Cyclops.
I thought about the Accounting interface for my static route, and I was going to ask but I figured you would correct me.


I will try and let you know how it all goes.  Lots to do.
Little time in a production environment.
