Hello Everyone,
I have a network that I would like to migrate from a Pix to an ASA, as I am planning to get rid of the Pix. In the same move I would like to assign a different IP address for the internal e-mail of this network. This is not my configuration, so I am also trying to understand it.
I am not really sure if my changes are correct. Could someone give me a clue whether what I am doing is the same from Pix to ASA?
What I have on the Pix is the following:
Pix
object-group network network_inside
description Inside Networks Secured by this firewall
network-object 192.168.50.0 255.255.255.0 Network Users (INSIDE)
network-object 192.168.200.0 255.255.255.0 Link to Main Office.
network-object 192.168.49.0 255.255.255.0 Network for VPN Users
object-group network hosts_inet_smtp_in
description DMZ Host group that any internet host can access via SMTP <<<<<<< allowing SMTP for client
network-object host OUTSIDE-IP-FOR_NETWORK
Since I have more than one client through this PIX I divide the networks per user________________
object-group network USER 1
description User 1 Lan
network-object 192.168.50.0 255.255.255.0
network-object 192.168.49.0 255.255.255.0
access-list nonat permit ip object-group network_inside object-group Latrobe_RTR
access-list outside_access_in remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO SMTP SERVERS **
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp
access-list LATROBE permit ip object-group network_inside object-group Latrobe_RTR
access-list inside-access-out permit tcp host 192.168.50.10 any eq smtp <<<<< allowing access from my smtp server to outside
global (outside) 2 PUBLIC-IP
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255 0 0
route inside 192.168.50.0 255.255.255.0 192.168.46.65 1
route inside 192.168.200.0 255.255.255.0 192.168.46.65 1
____________________________________________________________________________________________________________
What I'm planning to configure at the ASA.
object-group network TC-MAIL-SERVERS
description TASCOM MAIL SERVERS <<<<<<<<<<<<<<<<<<<< add public IP address to the emails servers
network-object host <name>
object-group network USER1-LAN
description LATROBE INTERNAL LAN
network-object 192.168.50.0 255.255.255.0
object-group network USER1-VPN
description LATROBE VPN CLIENTS
network-object 192.168.49.0 255.255.255.0
access-list OUTSIDE-IN remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO MAIL SERVERS **
access-list OUTSIDE-IN extended permit tcp any object-group TC-MAIL-SERVERS eq smtp
global (OUTSIDE) 8 PUBLIC-IP
nat (INTERFACE) 8 192.168.50.0 255.255.255.0
static (INTERFACE,OUTSIDE) tcp PUBLIC-IP smtp 192.168.50.10 smtp netmask 255.255.255.255
route INTERFACE 192.168.50.0 255.255.255.0 INSIDE-INTERFACE
END_______________________________________________________________
I have the same firewall for many users so I am not sure if this will work as I am thinking.
Could anyone give me some light if I am on the right path?
Thanks!!!
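A pre-migration check for a comparison like the one asked about above, as an added example that is not part of the original post: it lists object-groups that an ACL references but the pasted excerpt never defines, groups no ACL references, and PIX ACL entries with no same-shaped entry in the ASA draft. The Python function names are hypothetical, and the sample configs are constructed by abridging the two listings in the post.

```python
import re

# Constructed input: abridged from the PIX config and the ASA draft in the
# post, with the inline "<<<<" annotations removed.
PIX = """\
object-group network network_inside
 network-object 192.168.50.0 255.255.255.0
object-group network hosts_inet_smtp_in
 network-object host OUTSIDE-IP-FOR_NETWORK
access-list nonat permit ip object-group network_inside object-group Latrobe_RTR
access-list outside_access_in remark ** ALLOW SMTP TRAFFIC FROM OUTSIDE TO SMTP SERVERS **
access-list outside_access_in permit tcp any object-group hosts_inet_smtp_in eq smtp
access-list inside-access-out permit tcp host 192.168.50.10 any eq smtp
"""
ASA = """\
object-group network TC-MAIL-SERVERS
 network-object host <name>
object-group network USER1-LAN
 network-object 192.168.50.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any object-group TC-MAIL-SERVERS eq smtp
"""

GROUP_DEF = re.compile(r"^object-group network (\S+)", re.M)
GROUP_REF = re.compile(r"object-group (\S+)")

def acl_entries(cfg):
    """ACL entries as text, minus 'access-list NAME' and remark lines."""
    rows = [l.split() for l in cfg.splitlines() if l.startswith("access-list ")]
    return [" ".join(r[2:]) for r in rows if r[2] != "remark"]

def group_issues(cfg):
    """Return (referenced by an ACL but undefined, defined but in no ACL)."""
    defined = set(GROUP_DEF.findall(cfg))
    used = {g for e in acl_entries(cfg) for g in GROUP_REF.findall(e)}
    return used - defined, defined - used

def rule_shapes(cfg):
    """Entries with 'extended' dropped and group names replaced by <group>."""
    return {GROUP_REF.sub("<group>", e.replace("extended ", ""))
            for e in acl_entries(cfg)}

def dropped_rules(old, new):
    """Rule shapes present in the old config with no match in the new one."""
    return sorted(rule_shapes(old) - rule_shapes(new))

if __name__ == "__main__":
    print("PIX groups (undefined, unused):", group_issues(PIX))
    print("ASA groups (undefined, unused):", group_issues(ASA))
    print("No counterpart in ASA draft:", dropped_rules(PIX, ASA))
```

A group reported as undefined may simply live in a part of the running config that was not pasted, and an entry reported as having no counterpart is a prompt to review, not proof that the draft is wrong.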