How to set up a NAT/ACL rule

Posted on 2008-11-12
Last Modified: 2012-05-05
I am using a CISCO ASA 5505 and would like to set up NAT/ACL to allow traffic directed to our public IP 71.x.x.202 to be redirected to the IP of our Exchange server 192.x.x.250, to send and receive email as well as have access to OWA.

I am able to access the Internet through the ASA just fine, but have not had any success in setting up the incoming rules. I keep receiving errors like the following when I try to set up the rules myself.

2          Nov 12 2008      09:37:01      106001      x.x.x.219      71.x.x.202       Inbound TCP connection denied from x.x.x.219/1264 to 71.x.x.202/80 flags SYN  on interface outside

The only rule pertaining to the Exchange server that I have set up is the following.

access-list inside_access_in extended permit tcp host 192.x.x.250 any eq smtp

Would prefer instructions for ASDM, but CL will do as well.

Thank you.
Question by:cfgchiran

6 Comments
LVL 43

Accepted Solution

by: JFrederick29 (earned 2000 total points)
ID: 22942636
You need to allow the traffic inbound on the Outside interface.

For example:

access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 80
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 443
access-group outside_access_in in interface outside

Also, remove the inside_access_in access-list if it is bound to the inside interface and only has that one rule and no other purpose.

no access-group inside_access_in in interface inside
LVL 43

Expert Comment

by:JFrederick29
ID: 22942665
You also need the appropriate static NAT statements; I assume you have at least one for the port 80 traffic. You may need one for 443 as well.
LVL 1

Author Comment

by:cfgchiran
ID: 22942689
Could you please give me the NAT information too, as I have struggled with this for a while. I will then try everything together.

Thanks.
LVL 43

Assisted Solution

by: JFrederick29 (earned 2000 total points)
ID: 22942726
Is the outside interface IP address 71.x.x.202?  If so:

static (inside,outside) tcp interface 80 192.x.x.250 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.x.x.250 443 netmask 255.255.255.255

Or if 71.x.x.202 is not the interface IP address:

static (inside,outside) tcp 71.x.x.202 80 192.x.x.250 80 netmask 255.255.255.255
static (inside,outside) tcp 71.x.x.202 443 192.x.x.250 443 netmask 255.255.255.255
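Putting the accepted and assisted solutions together, here is a complete inbound configuration for the scenario in the question, as an added example that is not part of the thread. It uses the same pre-8.3 ASA syntax as the answers above and assumes 71.x.x.202 is the outside interface address (use the literal address instead of `interface` if it is not). It goes one step beyond the answers by also translating and permitting TCP 25, which the asker needs to receive mail, and by limiting the static entries to exactly those ports rather than exposing the whole host. The verification commands at the end are standard ASA show/packet-tracer commands, not something the thread used.

```cisco
! Added example (not from the thread): publish Exchange server 192.x.x.250
! behind public IP 71.x.x.202 on an ASA 5505 running pre-8.3 code.
! Assumption: 71.x.x.202 is the outside interface address, so the keyword
! "interface" is used; otherwise write the address in its place.
!
! 1) Static PAT: translate only the three ports Exchange needs.
!    Per-port statics keep every other port of 192.x.x.250 unreachable
!    from outside, regardless of what the ACL below permits.
static (inside,outside) tcp interface 25  192.x.x.250 25  netmask 255.255.255.255
static (inside,outside) tcp interface 80  192.x.x.250 80  netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.x.x.250 443 netmask 255.255.255.255
!
! 2) Inbound ACL bound to the outside interface. Pre-8.3 interface ACLs
!    match the translated (public) address, so the destination is
!    71.x.x.202, not the private address. Keep port 80 only if OWA is
!    expected to redirect browsers to HTTPS; otherwise omit that line.
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq smtp
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 80
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 443
access-group outside_access_in in interface outside
!
! 3) The asker's existing inside ACL is untouched; its rule already permits
!    the server's outbound SMTP. It stays bound to the inside interface:
!    access-group inside_access_in in interface inside
!
! 4) Verification (assumed standard commands; 203.0.113.10 is a
!    constructed test source address):
!    show xlate | include 192.x.x.250
!    show access-list outside_access_in
!    packet-tracer input outside tcp 203.0.113.10 1264 71.x.x.202 443
```

With this in place, the `106001 Inbound TCP connection denied` message from the question should stop for ports 25, 80 and 443 and continue for everything else, which is the intended result: the per-port statics and the three ACL lines are the only inbound path to the server. Note that on ASA 8.3 and later the NAT syntax changes to object NAT and interface ACLs match the real (private) address, so this block applies to the 7.x/8.0–8.2 code the thread is written for.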
LVL 4

Expert Comment

by:th3w01f
ID: 22942727
Along with the ACL you will need the static NAT statements as JF stated.

! one-to-one static NAT: every port of 192.x.x.250 becomes reachable at 71.x.x.202
ASA(config)# static (inside,outside) 71.x.x.202 192.x.x.250
! inbound ACL; named outside_access_in so it does not merge with the
! asker's existing inside_access_in ACL bound to the inside interface.
! Without "eq <port>" this permits all TCP ports to the server.
ASA(config)# access-list outside_access_in permit tcp any host 71.x.x.202
ASA(config)# access-group outside_access_in in interface outside
LVL 1

Author Comment

by:cfgchiran
ID: 22961674
Thank you for the responses. The two answers I have selected for points worked for me. The only thing I did not do is the following, since I had other inside_access_in rules in place which I did not want deleted.

Also, remove the inside_access_in access-list if it is bound to the inside interface and only has that one rule and no other purpose.

no access-group inside_access_in in interface inside