https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859356#M459071 <HTML><HEAD></HEAD><BODY><P>Hi Varun</P><P></P><P>It's allowing the packets in and out that's working fine but my issue is, for reverse DNS on the mail server, traffic originating from internal ip x.x.x.20 on 25 is showing as if it's coming from the Firewall external IP which is x.x.x.253 instead of x.x.x.150. I want traffic coming from the internal IP x.x.x.20 to be natted and goes out via it's nated public IP x.x.x.150 and not the firewall external IP x.x.x.253</P></BODY></HTML> Tue, 21 Feb 2012 08:29:19 GMT chigumbab 2012-02-21T08:29:19Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859350#M459062 <P>Hi Guys</P><P></P><P>have a question. I have a ASA5510 with IOS version 8.2 . I have my firewall and behind it also have a mail server eg 192.168.1.x. When i send email from inside network it doesn't show as if it's coming grom the out side nated public IP of my server but IP of firewall. What am i missing my example nat statements are . Nat-control is disabled.</P><P></P><P></P><P>static (inside,outside) 196.68.99.x 192.168.1.x netmask 255.255.255.255</P><P>access-list inbound extended permit tcp any host 196.68.99.x eq 225</P><P>accesslist outbound extended permit host 192.168.1.x host 196.68.99.x</P> Mon, 11 Mar 2019 22:32:54 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859350#M459062 chigumbab 2019-03-11T22:32:54Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859351#M459063 <HTML><HEAD></HEAD><BODY><P>You don't need 'accesslist outbound extended permit host 192.168.1.x host 196.68.99.x'. Remove this and clear the existing translate for the internal IP (clear xlate local 192.168.1.x) and see if that fix the issue.</P><P></P><P>Thx</P><P>MS</P></BODY></HTML> Tue, 21 Feb 2012 02:44:41 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859351#M459063 mvsheik123 2012-02-21T02:44:41Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859352#M459064 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Thank you for the reply. I tried that but it didn't work. What else do you suggest i try?</P></BODY></HTML> Tue, 21 Feb 2012 06:52:37 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859352#M459064 chigumbab 2012-02-21T06:52:37Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859353#M459065 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>can you provide me the output of:</P><P></P><P>packet-tracer input outside tcp 4.2.2.2 23456 196.68.99.x 80&nbsp; detailed</P><P></P><P>and also can you provide the running config from the ASA, you can hide the ip's if you want.</P><P></P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 21 Feb 2012 07:40:34 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859353#M459065 varrao 2012-02-21T07:40:34Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859354#M459067 <HTML><HEAD></HEAD><BODY><P>Varun</P><P></P><P>How are you man. We meet again. Thank you so much for your help last time. Please find attached the partial configs. </P></BODY></HTML> Tue, 21 Feb 2012 08:06:48 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859354#M459067 chigumbab 2012-02-21T08:06:48Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859355#M459069 <HTML><HEAD></HEAD><BODY><P>Hello Chigumbab,</P><P></P><P>Its nice to see you after a while as well <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>I checked the packet tracer and it is allowing all the packets, are all the ports not working or only some specific??</P><P></P><P>Can you take captures on the asa.</P><P></P><P>access-list cap permit tcp host xx.xx.xx.150 any</P><P>access-list cap permit tcp any host xx.xx.xx.150</P><P>access-list cap permit tcp any host xx.xx.xx.20</P><P>access-list cap permit tcp host xx.xx.xx.20 any</P><P></P><P>capture capin access-list cap interface inside</P><P>capture capo access-list cap interface outside</P><P></P><P>Then generate some traffic and collect the output of "show cap capin" and "show cap capo"</P><P></P><P>It would be interesting to see where the packets are being dropped.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 21 Feb 2012 08:23:51 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859355#M459069 varrao 2012-02-21T08:23:51Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859356#M459071 <HTML><HEAD></HEAD><BODY><P>Hi Varun</P><P></P><P>It's allowing the packets in and out that's working fine but my issue is, for reverse DNS on the mail server, traffic originating from internal ip x.x.x.20 on 25 is showing as if it's coming from the Firewall external IP which is x.x.x.253 instead of x.x.x.150. I want traffic coming from the internal IP x.x.x.20 to be natted and goes out via it's nated public IP x.x.x.150 and not the firewall external IP x.x.x.253</P></BODY></HTML> Tue, 21 Feb 2012 08:29:19 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859356#M459071 chigumbab 2012-02-21T08:29:19Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859357#M459073 <HTML><HEAD></HEAD><BODY><P>Hi Chigumbab,</P><P></P><P>Nope that would not work, because you have just done port forwarding and allowed only specfic ports on the xx.xx.xx.150 ip address, so the DNS traffic would definitely be natted to the outside interface, because of the nat-global statements that you have, just as a workaround add the statement at the end of all the statics :</P><P></P><P></P><P>static (inside,outside) tcp x.x.x.150 smtp x.x.x.20 smtp netmask 255.255.255.255</P><P>static (inside,outside) tcp x.x.x.150 587 x.x.x.20 587 netmask 255.255.255.255</P><P>static (inside,outside) tcp x.x.x.150 pop3 x.x.x.20 pop3 netmask 255.255.255.255</P><P>static (inside,outside) tcp x.x.x.150 3389 x.x.x.20 3389 netmask 255.255.255.255</P><P>static (inside,outside) tcp x.x.x.150 1433 x.x.x.20 1433 netmask 255.255.255.255</P><P>static (inside,outside) tcp x.x.x.150 3306 x.x.x.20 3306 netmask 255.255.255.255</P><P>static (inside,outside) x.x.x.150 x.x.x.20</P><P></P><P></P><P>and now if the server goes to the internet, it should show the IP x.x.x.150</P><P></P><P>Don't worry it would not allow any other ports to be opened as you have restricted the incoming ports through the ACL.</P><P></P><P>Hope that helps.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Tue, 21 Feb 2012 08:42:18 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859357#M459073 varrao 2012-02-21T08:42:18Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859358#M459075 <HTML><HEAD></HEAD><BODY><P>Thanks Varun, you are the man!!!!!!! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Tue, 21 Feb 2012 09:06:25 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859358#M459075 chigumbab 2012-02-21T09:06:25Z https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859359#M459077 <HTML><HEAD></HEAD><BODY><P>Hey thats great!!!! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> hope to see you soon.</P><P></P><P>Varun</P></BODY></HTML> Tue, 21 Feb 2012 09:08:05 GMT https://community.cisco.com/t5/network-security/static-nat-on-asa-5510-ios-version-8-2/m-p/1859359#M459077 varrao 2012-02-21T09:08:05Z