cfgchiran


How to set up a NAT/ACL rule

I am using a Cisco ASA 5505 and would like to set up NAT/ACL to allow traffic directed to our public IP 71.x.x.202 to be redirected to the IP of our Exchange server 192.x.x.250, to send and receive email as well as have access to OWA.

I am able to access the Internet through the ASA just fine, but have not had any success in setting up the incoming rules. I keep receiving errors like the following when I try to set up the rules myself.

2          Nov 12 2008      09:37:01      106001      x.x.x.219      71.x.x.202       Inbound TCP connection denied from x.x.x.219/1264 to 71.x.x.202/80 flags SYN  on interface outside

The only rule pertaining to the Exchange server that I have set up is the following.

access-list inside_access_in extended permit tcp host 192.x.x.250 any eq smtp

Would prefer instructions for ASDM, but CLI will do as well.

Thank you.
ASKER CERTIFIED SOLUTION
JFrederick29
You also need the appropriate static NAT statements which I assume you at least have one for the 80 traffic.  You may need one for 443 as well.
cfgchiran

ASKER

Could you please give me the NAT information too, as I have struggled with this for a while. I will then try everything together.

Thanks.
SOLUTION
Along with the ACL you will need the static NAT statements as JF stated.

ASA (config t)#static (inside,outside) 71.x.x.202 192.x.x.250
ASA (config t)#access-list inside_access_in permit tcp any host 71.x.x.202
ASA (config t)#access-group inside_access_in in interface outside
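The same static NAT plus inbound ACL, written with least privilege in mind, as an added example that is not from either answer above. It assumes the pre-8.3 "static (inside,outside)" syntax used in this thread, interfaces named inside and outside, and a separate ACL for the outside interface named outside_access_in (a hypothetical name chosen so the existing inside_access_in rules are left untouched); the source address in the packet-tracer line is a constructed test value.

```cisco
! Added example, not the thread's own config. One-to-one static NAT for the Exchange host.
static (inside,outside) 71.x.x.202 192.x.x.250 netmask 255.255.255.255
!
! Only the ports Exchange must expose: SMTP (25) for mail delivery, HTTPS (443) for OWA.
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq smtp
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq https
! Add HTTP (80) only if OWA is not forced to HTTPS; without this line the
! "106001 ... to 71.x.x.202/80" denials seen in the question are the expected behaviour.
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq www
! Make the implicit deny explicit and logged so unexpected inbound attempts show up in syslog.
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Verification: confirm the translation exists, then check hit counts and trace a test packet
! through NAT and the ACL (constructed source 203.0.113.5, port 1264; expect "allow" for 443).
show xlate
show access-list outside_access_in
packet-tracer input outside tcp 203.0.113.5 1264 71.x.x.202 443
```

If the packet-tracer result is "drop" with an ACL phase failure, the access-group binding or the port in the permit line is the first thing to check.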
Thank you for the responses. The two answers I have selected for points worked for me. The only thing I did not do is the following, since I had other inside_access_in rules in place which I did not want deleted.

Also, remove the inside_access_in access-list if it is bound to the inside interface and only has that one rule and no other purpose.

no access-group inside_access_in in interface inside