https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768317#M494495 <HTML><HEAD></HEAD><BODY><P><A _jive_internal="true" href="https://community.cisco.com/people/zulqurnain" id="jive-4571603996512195318802">zulqurnain</A>,</P><P>the ACL already applied at the outside interface.</P><P></P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/people/lal.antony" id="jive-5566483996512251928802">Lal Antony</A>,</P><P>i applied the following ACE instead of the object and the same thing:</P><P>access-list outside extended permit tcp any host 82.213.59.59 eq smtp</P><P></P><P>Thanks</P></BODY></HTML> Mon, 31 Oct 2011 06:30:38 GMT a.hajhamad 2011-10-31T06:30:38Z https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768314#M494477 <P><SPAN style="text-decoration: underline;"><EM><STRONG>Hello all,</STRONG></EM></SPAN></P><P>my network is:</P><P>Cisco ASA 5510 outside, DMZ1, and inside interfaces.</P><P>Mail server real IP is: x.x.x.x/24</P><P>Mapped IP: y.y.y.y/27</P><P></P><P>I have mail server inside the DMZ1 and i did auto static NAT as follows:</P><P></P><P><SPAN style="text-decoration: underline;">the auto static NAT config:</SPAN></P><P>object network EDGE-SVR-PRIV</P><P>host x.x.x.x</P><P>nat (DMZ1,outside) static y.y.y.y</P><P>!</P><P>!</P><P>the outside interface IP address is y.y.y.z/27</P><P>the access list applied at the outside interface is named outside:</P><P></P><P>access-list outside permit tcp any object EDGE-SVR-PRIV eq smtp</P><P>!</P><P>my problem is:</P><P>i can't access the mail server from the outside by trying (telnet y.y.y.y 25), after many investigations i applied the following command and it works!!!</P><P>access-list outside permit tcp any any eq smtp</P><P></P><P></P><P>why is that?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 21:44:15 GMT https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768314#M494477 a.hajhamad 2019-03-11T21:44:15Z https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768315#M494480 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As a thumb rule if you want to let traffic flow from lower security interface to higher security interface I.e. if you wants someone from outside to connect to inside resource then you need to have an access-list allowing that traffic to flow inside along with your static command. </P><P></P><P>HTH </P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Sun, 30 Oct 2011 22:19:48 GMT https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768315#M494480 zulqurnain 2011-10-30T22:19:48Z https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768316#M494483 <HTML><HEAD></HEAD><BODY><P>@a.hajhamad</P><P></P><P>Hi</P><P></P><P>I suspect something mis-configured in the object setup.</P><P></P><P>Below reference will assist you in identifying the issue.</P><P><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#net">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#net</A><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml</A></P><P></P><P>Note: If you just want to refer to an IP address of a Host use NAME rather than the object reference.</P><P></P><P>Hope this assist, Please rate.</P><P></P><P>Cheers</P><P>Lal Antony</P><P><A href="http://www.lalantony.com">www.lalantony.com</A></P></BODY></HTML> Mon, 31 Oct 2011 00:10:04 GMT https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768316#M494483 lal.antony 2011-10-31T00:10:04Z https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768317#M494495 <HTML><HEAD></HEAD><BODY><P><A _jive_internal="true" href="https://community.cisco.com/people/zulqurnain" id="jive-4571603996512195318802">zulqurnain</A>,</P><P>the ACL already applied at the outside interface.</P><P></P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/people/lal.antony" id="jive-5566483996512251928802">Lal Antony</A>,</P><P>i applied the following ACE instead of the object and the same thing:</P><P>access-list outside extended permit tcp any host 82.213.59.59 eq smtp</P><P></P><P>Thanks</P></BODY></HTML> Mon, 31 Oct 2011 06:30:38 GMT https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768317#M494495 a.hajhamad 2011-10-31T06:30:38Z https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768318#M494496 <HTML><HEAD></HEAD><BODY><P><EM style="text-decoration: underline; "><STRONG> problem is resolved.</STRONG></EM></P><P>In OS 8.3 and 8.4 you have to specify the REAL ip address for the mail server instead of the mapped ip address.</P><P>access-list outside permit tcp any host x.x.x.x eq smtp</P><P></P><P>Thanks</P></BODY></HTML> Mon, 31 Oct 2011 07:11:42 GMT https://community.cisco.com/t5/network-security/cisco-asa-outside-acl/m-p/1768318#M494496 a.hajhamad 2011-10-31T07:11:42Z