Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 163
  • Last Modified:

cisco ASA static route

We have a Cisco ASA 5510 and we have an entry for our previous email server natted through it (internal IP - x.x.40.110, External x.x.121.179).  I created a new email server and I want to provide it a static NAT through it as well, internal x.x.35.130, external x.x.121.181.  I am a bit unsure of how to do it, command wise.  I am not an ASA expert but from what I can gather it looks like there are groups and then that is how the "permissions" are done.  I wasn't sure if I need to define a new object or if I can just add the new server IP to the group and then add it to the ACL.  I am really confused.  Below is our current configuration.  I just need to get a new IP to NAT through the firewall for the new server.  I do not want to modify the settings for the old server.


Current config-

the lines that related to the old server

This is from the running config-
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any host x.x.121.179 object-group DM_INLINE_TCP_1

static (inside,outside) x.x.121.179 x.x.40.110 netmask 255.255.255.255


ciscoasa# show access-list

access-list outside_access_in line 2 extended permit tcp any host x.x.121.179 object-group DM_INLINE_TCP_1 0xabf54791

  access-list outside_access_in line 2 extended permit tcp any host x.x.121.179 eq https (hitcnt=2063101) 0x1c2099b4    

  access-list outside_access_in line 2 extended permit tcp any host   x.x.121.179 eq smtp (hitcnt=58507) 0x23ab9cfc




ciscoasa# show access-list running-config object-group

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

 port-object eq https

 port-object eq smtp



 ciscoasa#  show running-config object group protocol

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp




ciscoasa# show running-config object-group protocol service

object-group service DM_INLINE_TCP_1 tcp

 port-object eq https

 port-object eq smtp
0
Angela Owens
Asked:
Angela Owens
  • 2
1 Solution
 
Angela OwensNetwork EngineerAuthor Commented:
I ran the commands and it "seems" to have worked....
0
 
arnoldCommented:
static (inside,outside) x.x.121.179 x.x.40.110 netmask 255.255.255.255  deals with mapping the internal IP to the external IP dealing with packet marker on the outgoing Packet's source IP. as well as mapping the outside to the inside.

The access lists are what permits the incoming entering and then passing to the final destination.
0
 
Angela OwensNetwork EngineerAuthor Commented:
Running the commands I posted resolved it.
0

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now