[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 442
  • Last Modified:

Why the hosted services not working in ASA firewall?

This is a new setup Cisco ASA 5520 firewall. We are using ASDM 6.4 to administer. The ASA version is: 8.4(1). This is simple setup, with 2 interface - outside and inside. All the users can surf internet, ping without problem. The problem is, a group of hosted services offered by the MS Exchange server doesn't seems to work. This is how I configured - one access rule and one NAT rule. Please see the attached.

Appreciate to show changes in GUI  mode\.


Config.txt
Cisco-ASA-NATRules.bmp
Cisco-ASA-accessrules.bmp
0
MezzutOzil
Asked:
MezzutOzil
  • 2
  • 2
1 Solution
 
MikeKaneCommented:
The issue is your 1 to 1 NAT for the host.  

In Match Crit Original Packet:
Source int: inside,  Dest Int: outside, Source: Server -SGSI, Dest: Any.    ACtion Trans:   Source: server-SGSI, Dest, PublicIP.

Source int: outside, Dest int: inside, source: any, destination PublicIP, the rest is ok




http://www.fir3net.com/Cisco-ASA/how-to-configure-nat-of-asa-83.html
0
 
MezzutOzilAuthor Commented:
Hi MikeKane,

In my case, does it mean that I have to use this one:

  The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.

view source
print?
1.hostname(config)# object network my-host-obj1
2.hostname(config-network-object)# host 1.1.1.1
3.hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

Few questions:

  1. This is to translate inside host 1.1.1.1 to outside host 2.2.2.2, isn't it?
  2. My first objective is to host my exchange server with port 25. Does this mean that I need to have 1 access rule to permit port 25 traffic to 2.2.2.2? and secondly, I have to run the above command, to create 1 NAT rule?
  3. My second objective to whenever host 1.1.1.1 wants to send mail to any internet mail server, it has to pose as host 2.2.2.2, any extra command need to apply?

thanks in advance.
0
 
MikeKaneCommented:
1.    Yes, it gets NAT'ed to 2.2.2.2
2.     Yes, you need both the Static NAT to NAT the server to 2.2.2.2 .   You also need an Access list on the outside interface that will allow traffic to hit 2.2.2.2 on port 25.  
3.     Nothing extra is needed so long as you do not have an Access list on the inside interface.  IF you do have one, then you need to specifically allow 1.1.1.1 to send 25 outbound.


Note that the ASA also has a class inspect section that may have an 'inspect' for SMTP.   You may need to disable that for exchange to work.  

0
 
MezzutOzilAuthor Commented:
it works
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now