How to set up a NAT/ACL rule

I am using a CISCO ASA 5505 and would like to set up NAT/ACL to allow traffic directed to our public IP 71.x.x.202 to be redirected to the IP of our Exchange server 192.x.x.250, to send and receive email as well as have access to OWA.

I am able to access the Internet through the ASA just fine, but have not had any success in setting up the incoming rules. I keep receiving errors like the following when I try to set up the rules myself.

2          Nov 12 2008      09:37:01      106001      x.x.x.219      71.x.x.202       Inbound TCP connection denied from x.x.x.219/1264 to 71.x.x.202/80 flags SYN  on interface outside

The only rule pertaining to the Exchange server that I have set up is the following.

access-list inside_access_in extended permit tcp host 192.x.x.250 any eq smtp

I would prefer instructions for ASDM, but the CLI will do as well.

Thank you.
cfgchiranAsked:
JFrederick29Commented:
You need to allow the traffic inbound on the Outside interface.

For example:

access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 80
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq 443
access-group outside_access_in in interface outside

Also, remove the inside_access_in access-list if it is bound to the inside interface and only has that one rule and no other purpose.

no access-group inside_access_in in interface inside
0

JFrederick29Commented:
You also need the appropriate static NAT statements; I assume you at least have one for the port 80 traffic. You may need one for 443 as well.
0
cfgchiranAuthor Commented:
Could you please give me the NAT information too, as I have struggled with this for a while. I will then try everything together.

Thanks.
0

JFrederick29Commented:
Is the outside interface IP address 71.x.x.202?  If so:

static (inside,outside) tcp interface 80 192.x.x.250 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.x.x.250 443 netmask 255.255.255.255

Or if 71.x.x.202 is not the interface IP address:

static (inside,outside) tcp 71.x.x.202 80 192.x.x.250 80 netmask 255.255.255.255
static (inside,outside) tcp 71.x.x.202 443 192.x.x.250 443 netmask 255.255.255.255
0
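Putting JFrederick29's two answers together as one worked configuration (an added example, not a verbatim post from this thread). It assumes the outside interface IP is 71.x.x.202 and the Exchange server is 192.x.x.250, as in the question, and adds an inbound SMTP forward because the asker wants to receive mail as well as reach OWA; that port 25 entry is an assumption, not something the answers above spelled out. The syntax is the pre-8.3 `static` form used in the thread (2008); ASA 8.3 and later replace it with `object network` / `nat` statements.

```cisco
! Assumed values (from the question): outside interface = 71.x.x.202, Exchange = 192.x.x.250
! Pre-8.3 ASA syntax, matching the thread; 8.3+ uses "object network" + "nat" instead.

! 1. Static port forwards (one per service) from the outside interface IP to Exchange.
!    Forwarding only the needed ports, rather than a one-to-one static, keeps every
!    other port on the server unreachable from the outside.
static (inside,outside) tcp interface 25  192.x.x.250 25  netmask 255.255.255.255
static (inside,outside) tcp interface 80  192.x.x.250 80  netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.x.x.250 443 netmask 255.255.255.255

! 2. Inbound ACL on the OUTSIDE interface. This is what clears the 106001
!    "Inbound TCP connection denied ... to 71.x.x.202/80" log entry from the question.
!    Pre-8.3 ACLs match on the mapped (public) address.
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq smtp
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq www
access-list outside_access_in extended permit tcp any host 71.x.x.202 eq https
access-group outside_access_in in interface outside

! 3. Outbound mail: the rule the asker already has on the inside interface stays as-is
!    so Exchange can deliver mail out; it is not what controls inbound traffic.
access-list inside_access_in extended permit tcp host 192.x.x.250 any eq smtp

! Verification (real ASA commands): confirm the translations exist, then trace one
! inbound OWA connection from a constructed source address (RFC 5737 documentation range)
! and check that the NAT and ACL phases both show ALLOW.
show xlate
show access-list outside_access_in
packet-tracer input outside tcp 198.51.100.10 1264 71.x.x.202 443
```

If `packet-tracer` reports a DROP in the ACCESS-LIST phase, the `access-group ... in interface outside` line is missing or references a different ACL name; a drop in the NAT phase means the `static` for that port is absent.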
th3w01fCommented:
Along with the ACL you will need the static NAT statements as JF stated.

ASA (config t)#static (inside,outside) 71.x.x.202 192.x.x.250
ASA (config t)#access-list inside_access_in permit tcp any host 71.x.x.202
ASA (config t)#access-group inside_access_in in interface outside
0
cfgchiranAuthor Commented:
Thank you for the responses. The two answers I have selected for points worked for me. The only thing I did not do is the following, since I had other inside_access_in rules in place which I did not want deleted.

Also, remove the inside_access_in access-list if it is bound to the inside interface and only has that one rule and no other purpose.

no access-group inside_access_in in interface inside
0