Solved

Cisco 5505 Nat problem

Posted on 2007-11-26
5
837 Views
Last Modified: 2013-11-16
i have just got a new firewall (Cisco ASA 5505)
users from the internal site, can connect through it and use the internet.
on my internal Lan, i have a Exchange server, that i want to NAT all the incomminig smtp traffic to.
I have tried with the command that i used with our previous Firewall (PIX 501).but they doesn't seem to work.
any one who can figure it out.

User Access Verification

Password:
Password:
Password:
Type help or '?' for a list of available commands.
firewall> ena
Password: ********
firewall# sho
firewall# show run
firewall# show running-config
: Saved
:
ASA Version 7.2(2)
!
hostname firewall
domain-name unitaras.local
enable password 9ydlMgJM/r1fIjYr encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 62.242.245.158 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name unitaras.local
access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smt
p
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255
.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.242.245.157 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70d58e80a07c5a75664aa572b82bed65
: end
firewall#
 
0
Comment
Question by:kimhed
  • 3
  • 2
5 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 20349984
I'm assuming you only have one public IP address to use since you're trying to use the outside interface IP on your static translation.  If this is true, change these commands:

access-list outside-access_in extended permit tcp any host 62.242.245.158 eq smtp
static (inside,outside) tcp 62.242.245.158 smtp 192.168.1.2 smtp netmask 255.255.255.255

to these:

access-list outside-access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

and see what you get...
0
 
LVL 12

Expert Comment

by:Freya28
ID: 20350098
i would do this a different way.
take out your current static command and replace it with

static (inside,outside) 62.242.245.158 192.168.1.2

it looks like you were trying to port forward AND also have an access-list.   just use the static as a nat
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20350172
I wouldn't do since that performs a one-to-one static NAT for all TCP/UDP ports to go from the firewall's outside interface to an inside host.  This would be OK if you had a separate public IP address to use for the static NAT, but from your configuration, you don't have this option.
0
 
LVL 12

Expert Comment

by:Freya28
ID: 20350199
no it does not.  not at all.  that is what teh access-list is for.  you open up the neccessary ports witht e access-list.  the one to one static ONLY create the translation.  with out the access-lists the box cannot be hit.  AT ALL
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 20351450
Freya, I did not mean to imply that it ALLOWS ALL ports inbound by creating the one-to-one static xlate, just that it would set up (not allow or permit) port forwarding for all ports when traffic is directed to the firewall's outside interface IP address.  You are correct in that the ACL actually allows the traffic on those ports, but using a one-to-one like you suggest doesn't let the user use any other inside IP addresses for other ports to be forwarded to in the future...they may want that if they only have the one useable IP...
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now