kimhed
asked on
Cisco 5505 Nat problem
i have just got a new firewall (Cisco ASA 5505)
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.
User Access Verification
Password:
Password:
Password:
Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
:
ASA Version 7.2(2)
!
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 62.242.245.158 255.255.255.252
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name unitaras.local
access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smt
p
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255
.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.242.245.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70d58e80a07
: end
firewall#
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.
User Access Verification
Password:
Password:
Password:
Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
:
ASA Version 7.2(2)
!
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 62.242.245.158 255.255.255.252
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name unitaras.local
access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smt
p
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255
.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.242.245.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70d58e80a07
: end
firewall#
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I wouldn't do since that performs a one-to-one static NAT for all TCP/UDP ports to go from the firewall's outside interface to an inside host. This would be OK if you had a separate public IP address to use for the static NAT, but from your configuration, you don't have this option.
no it does not. not at all. that is what teh access-list is for. you open up the neccessary ports witht e access-list. the one to one static ONLY create the translation. with out the access-lists the box cannot be hit. AT ALL
Freya, I did not mean to imply that it ALLOWS ALL ports inbound by creating the one-to-one static xlate, just that it would set up (not allow or permit) port forwarding for all ports when traffic is directed to the firewall's outside interface IP address. You are correct in that the ACL actually allows the traffic on those ports, but using a one-to-one like you suggest doesn't let the user use any other inside IP addresses for other ports to be forwarded to in the future...they may want that if they only have the one useable IP...
take out your current static command and replace it with
static (inside,outside) 62.242.245.158 192.168.1.2
it looks like you were trying to port forward AND also have an access-list. just use the static as a nat