Solved

Cisco 5505 Nat problem

Posted on 2007-11-26
5
838 Views
Last Modified: 2013-11-16
i have just got a new firewall (Cisco ASA 5505)
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.

User Access Verification

Password:
Password:
Password:
Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
:
ASA Version 7.2(2)
!
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 62.242.245.158 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name unitaras.local
access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smt
p
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255
.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.242.245.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70d58e80a07c5a75664aa572b82bed65
: end
firewall#
 
0
Comment
Question by:kimhed
  • 3
  • 2
5 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20349984
I'm assuming you only have one public IP address to use since you're trying to use the outside interface IP on your static translation.  If this is true, change these commands:

access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smtp
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255.255.255

to these:

access-list outside-access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

and see what you get...
0
 
LVL 12

Expert Comment

by:Freya28
ID: 20350098
i would do this a different way.
take out your current static command and replace it with

static (inside,outside) 62.242.245.158 192.168.1.2

it looks like you were trying to port forward AND also have an access-list.   just use the static as a nat
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20350172
I wouldn't do since that performs a one-to-one static NAT for all TCP/UDP ports to go from the firewall's outside interface to an inside host.  This would be OK if you had a separate public IP address to use for the static NAT, but from your configuration, you don't have this option.
0
 
LVL 12

Expert Comment

by:Freya28
ID: 20350199
no it does not.  not at all.  that is what teh access-list is for.  you open up the neccessary ports witht e access-list.  the one to one static ONLY create the translation.  with out the access-lists the box cannot be hit.  AT ALL
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20351450
Freya, I did not mean to imply that it ALLOWS ALL ports inbound by creating the one-to-one static xlate, just that it would set up (not allow or permit) port forwarding for all ports when traffic is directed to the firewall's outside interface IP address.  You are correct in that the ACL actually allows the traffic on those ports, but using a one-to-one like you suggest doesn't let the user use any other inside IP addresses for other ports to be forwarded to in the future...they may want that if they only have the one useable IP...
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Gmail Account risks 4 75
ACS vs NAC 2 71
Which the best UTM recommended ? 2 69
Do we do penetration & VA scans against SOC EVM event collector 5 68
Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Read about achieving the basic levels of HRIS security in the workplace.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now