Go Premium for a chance to win a PS4. Enter to Win


Cisco 5505 Nat problem

Posted on 2007-11-26
Medium Priority
Last Modified: 2013-11-16
i have just got a new firewall (Cisco ASA 5505)
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.

User Access Verification

Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
ASA Version 7.2(2)
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
 switchport access vlan 3
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name unitaras.local
access-list outside-access_in extended permit tcp any host eq smt
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp smtp smtp netmask 255.255
access-group outside-access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
Question by:kimhed
  • 3
  • 2
LVL 28

Accepted Solution

batry_boy earned 750 total points
ID: 20349984
I'm assuming you only have one public IP address to use since you're trying to use the outside interface IP on your static translation.  If this is true, change these commands:

access-list outside-access_in extended permit tcp any host eq smtp
static (inside,outside) tcp smtp smtp netmask

to these:

access-list outside-access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp smtp netmask

and see what you get...
LVL 12

Expert Comment

ID: 20350098
i would do this a different way.
take out your current static command and replace it with

static (inside,outside)

it looks like you were trying to port forward AND also have an access-list.   just use the static as a nat
LVL 28

Expert Comment

ID: 20350172
I wouldn't do since that performs a one-to-one static NAT for all TCP/UDP ports to go from the firewall's outside interface to an inside host.  This would be OK if you had a separate public IP address to use for the static NAT, but from your configuration, you don't have this option.
LVL 12

Expert Comment

ID: 20350199
no it does not.  not at all.  that is what teh access-list is for.  you open up the neccessary ports witht e access-list.  the one to one static ONLY create the translation.  with out the access-lists the box cannot be hit.  AT ALL
LVL 28

Expert Comment

ID: 20351450
Freya, I did not mean to imply that it ALLOWS ALL ports inbound by creating the one-to-one static xlate, just that it would set up (not allow or permit) port forwarding for all ports when traffic is directed to the firewall's outside interface IP address.  You are correct in that the ACL actually allows the traffic on those ports, but using a one-to-one like you suggest doesn't let the user use any other inside IP addresses for other ports to be forwarded to in the future...they may want that if they only have the one useable IP...

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question