Solved

Why are the hosted services not working in ASA firewall?

Posted on 2011-09-27
Last Modified: 2012-05-12
This is a newly set up Cisco ASA 5520 firewall. We are using ASDM 6.4 to administer it. The ASA version is 8.4(1). This is a simple setup, with 2 interfaces: outside and inside. All the users can surf the internet and ping without problems. The problem is that a group of hosted services offered by the MS Exchange server doesn't seem to work. This is how I configured it: one access rule and one NAT rule. Please see the attached.

I would appreciate it if you could show the changes in GUI mode.


Config.txt
Cisco-ASA-NATRules.bmp
Cisco-ASA-accessrules.bmp
Question by:MezzutOzil
Expert Comment

by:MikeKane
ID: 36711386
The issue is your 1 to 1 NAT for the host.

In Match Crit Original Packet:
Source int: inside, Dest int: outside, Source: Server -SGSI, Dest: Any. Action Trans: Source: server-SGSI, Dest: PublicIP.

Source int: outside, Dest int: inside, Source: any, Destination: PublicIP, the rest is ok




http://www.fir3net.com/Cisco-ASA/how-to-configure-nat-of-asa-83.html

Author Comment

by:MezzutOzil
ID: 36711849
Hi MikeKane,

In my case, does it mean that I have to use this one:

  The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.

  hostname(config)# object network my-host-obj1
  hostname(config-network-object)# host 1.1.1.1
  hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

A few questions:

  1. This is to translate inside host 1.1.1.1 to outside host 2.2.2.2, isn't it?
  2. My first objective is to host my Exchange server with port 25. Does this mean that I need to have 1 access rule to permit port 25 traffic to 2.2.2.2? And secondly, do I have to run the above command to create 1 NAT rule?
  3. My second objective is that whenever host 1.1.1.1 wants to send mail to any internet mail server, it has to pose as host 2.2.2.2. Does any extra command need to be applied?

Thanks in advance.
Accepted Solution

by:MikeKane
ID: 36717363
1. Yes, it gets NAT'ed to 2.2.2.2.
2. Yes, you need both: the static NAT to NAT the server to 2.2.2.2, and an access list on the outside interface that will allow traffic to hit 2.2.2.2 on port 25.
3. Nothing extra is needed so long as you do not have an access list on the inside interface. If you do have one, then you need to specifically allow 1.1.1.1 to send 25 outbound.


Note that the ASA also has a class inspect section that may have an 'inspect' for SMTP. You may need to disable that for Exchange to work.

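The three pieces discussed in the accepted solution, written out as ASA 8.3+ CLI. This is an added example, not configuration from the thread's attached Config.txt: the object name EXCHANGE-SRV, the ACL name OUTSIDE-IN and the test source 198.51.100.10 are assumptions, and 1.1.1.1 / 2.2.2.2 are the thread's placeholder addresses. On ASA 8.3 and later, interface access lists are matched against the real (untranslated) address, so the permit rule names the server object rather than the mapped IP.

```cisco
! Added example for ASA 8.3+ (the unit in this thread runs 8.4(1)).
! 1.1.1.1 = real inside address, 2.2.2.2 = mapped outside address
! (placeholders from the thread). Object and ACL names are assumed.

! 1) Static one-to-one NAT. It is bidirectional: inbound connections to
!    2.2.2.2 reach 1.1.1.1, and mail sent by 1.1.1.1 leaves as 2.2.2.2.
object network EXCHANGE-SRV
 host 1.1.1.1
 nat (inside,outside) static 2.2.2.2

! 2) Inbound rule on the outside interface: SMTP only, to this server only.
!    On 8.3+ the ACL is checked against the real address, so the
!    destination is the object (1.1.1.1), not 2.2.2.2.
access-list OUTSIDE-IN extended permit tcp any object EXCHANGE-SRV eq smtp
! If an ACL is already applied inbound on outside, add the permit line to
! that ACL instead; a second access-group command replaces the first.
access-group OUTSIDE-IN in interface outside

! 3) Optional: remove ESMTP inspection from the default global policy,
!    only if SMTP sessions to Exchange fail with it enabled.
policy-map global_policy
 class inspection_default
  no inspect esmtp

! Verification (constructed test source 198.51.100.10, source port 12345).
! packet-tracer takes the mapped address as destination and should show
! an UN-NAT phase to 1.1.1.1 followed by an ACCESS-LIST permit.
show nat detail
show access-list OUTSIDE-IN
packet-tracer input outside tcp 198.51.100.10 12345 2.2.2.2 smtp
```

The hit counter in `show access-list OUTSIDE-IN` increasing after an external test connection confirms that the rule, not an implicit deny, is handling the traffic.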
 

Author Closing Comment

by:MezzutOzil
ID: 36890053
It works.