• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 849
  • Last Modified:

Cisco 5505 Nat problem

i have just got a new firewall (Cisco ASA 5505)
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.

User Access Verification

Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
ASA Version 7.2(2)
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
 switchport access vlan 3
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name unitaras.local
access-list outside-access_in extended permit tcp any host eq smt
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp smtp smtp netmask 255.255
access-group outside-access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
  • 3
  • 2
1 Solution
I'm assuming you only have one public IP address to use since you're trying to use the outside interface IP on your static translation.  If this is true, change these commands:

access-list outside-access_in extended permit tcp any host eq smtp
static (inside,outside) tcp smtp smtp netmask

to these:

access-list outside-access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp smtp netmask

and see what you get...
i would do this a different way.
take out your current static command and replace it with

static (inside,outside)

it looks like you were trying to port forward AND also have an access-list.   just use the static as a nat
I wouldn't do since that performs a one-to-one static NAT for all TCP/UDP ports to go from the firewall's outside interface to an inside host.  This would be OK if you had a separate public IP address to use for the static NAT, but from your configuration, you don't have this option.
no it does not.  not at all.  that is what teh access-list is for.  you open up the neccessary ports witht e access-list.  the one to one static ONLY create the translation.  with out the access-lists the box cannot be hit.  AT ALL
Freya, I did not mean to imply that it ALLOWS ALL ports inbound by creating the one-to-one static xlate, just that it would set up (not allow or permit) port forwarding for all ports when traffic is directed to the firewall's outside interface IP address.  You are correct in that the ACL actually allows the traffic on those ports, but using a one-to-one like you suggest doesn't let the user use any other inside IP addresses for other ports to be forwarded to in the future...they may want that if they only have the one useable IP...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now