topic Hi,I think it's still the in Network Security

how to configure ASA 5512 (9.2) allow mail server smtp?

Lost & Found — Tue, 12 Mar 2019 06:20:41 GMT

Hi,

Scenario: Mail Server in the Inside Network

Mail server IP Add: 10.34.1.10 and Nat IP: 201.1.1.5

Configured

Access list and objectnetwork.

object network obj-10.34.1.10
host 10.34.1.10

object-group service tcp_lotusnotesgrp tcp
port-object eq www
port-object eq lotusnotes
port-object eq smtp
port-object eq imap4
port-object eq https

access-list outside_access_in extended permit tcp any host 124.106.85.165 object-group tcp_lotusnotesgrp

object network obj-10.34.1.10
nat (inside,outside) static 201.1.1.5

any idea?

The outside ACL is using a

Karsten Iwen — Tue, 28 Jul 2015 09:47:15 GMT

The outside ACL is using a (different) public IP. There you have to use the real IP:

access-list outside_access_in extended permit tcp any object obj-10.34.1.10 object-group tcp_lotusnotesgrp

Hi,I think it's still the

Lost & Found — Tue, 28 Jul 2015 10:28:54 GMT

Hi,

I think it's still the same because when I scan my Public Ip using "Whatismyipaddress" I'm using the assign IP of our outside interface not the public address specific for email server

thanks

>I think it's still the same

Karsten Iwen — Tue, 28 Jul 2015 10:36:57 GMT

>I think it's still the same because when I scan my Public Ip using "Whatismyipaddress" I'm using the assign IP of our outside interface not the public address specific for email server

That's the result of the rest of your config. Still, the config for your mail-server needs to be correct. If you do that from the server, issue a "clear xlate local 10.34.1.10" to make sure the server uses a new translation.

nothings change. but i can

Lost & Found — Tue, 28 Jul 2015 11:14:42 GMT

nothings change. but i can ping the 201.1.1.5(SPECIFIC IP ASSIGN TO MAILSERVER)

but smtp and other is not working. thanks

It's not translating.

Lost & Found — Wed, 29 Jul 2015 00:03:39 GMT

It's not translating.

Please share your config to

Karsten Iwen — Wed, 29 Jul 2015 05:47:36 GMT

Please share your config to see if there is something else wrong.

some of the configobject

Lost & Found — Wed, 29 Jul 2015 05:57:28 GMT

some of the config

object network obj-10.34.31.12
host 10.34.31.12
description Domino Server

object-group service tcp_lotusnotesgrp tcp
port-object eq www
port-object eq lotusnotes
port-object eq smtp
port-object eq imap4
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
object-group service DM_INLINE_SERVICE_1
service-object object UDP_18001
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq lotusnotes
service-object tcp destination eq pop3
service-object tcp destination eq smtp

access-list nonat extended permit ip 10.34.63.0 255.255.255.0 10.34.17.0 255.255.255.0
access-list outside_access_in_2 extended permit object-group DM_INLINE_SERVICE_4 any object obj-10.34.31.221

nat (inside,outside) source dynamic any interface dns

nat (inside,outside) static 111.11.22.123

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting

The order of your NAT

Karsten Iwen — Wed, 29 Jul 2015 06:50:00 GMT

The order of your NAT-statemens is incorrect. The dynamic NAT/PAT needs to be done after the static NATs:

no nat (inside,outside) source dynamic any interface dns
nat (inside,outside) after-auto source dynamic any interface

Thanks man now It's working

Lost & Found — Wed, 29 Jul 2015 11:54:55 GMT

Thanks man now It's working and it has been translated.

Do we always need to use dynamic before nat to translate? thanks

As a rule of thumb, the

Karsten Iwen — Wed, 29 Jul 2015 12:00:20 GMT

As a rule of thumb, the dynamic NAT/PAT rules always have to come at last (that's the reason I always put them in NAT-section 3 "after-auto"). The Server-NAT (like your Lotus) are configured as object NAT which is NAT-section 2. In the first section, (thats the section where your dynamic rule was) all exemptions are are configured, for example for VPNs where traffic shouldn't be translated.

Thank You.

Lost & Found — Thu, 30 Jul 2015 03:49:39 GMT

Thank You. But is any other way if i want to translate it ??

Hi karsten,I would like to

Lost & Found — Thu, 13 Aug 2015 10:51:38 GMT

Hi karsten,

I would like to ask how to translate/permit specific host on firewall.

on 8.2ver I used nat (inside) 1 ipofhost and subnet

on 9.2 ver it notworking?

do i need to create a net object network for the spefic address to be allow?

please see the attached file. thank you