https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826723#M957200 <HTML><HEAD></HEAD><BODY><P>I do apologize , missed keyword <B>eq</B> . please try.</P><P></P><P>access-list outside_access_in extended permit tcp any interface outside eq smtp </P><P>access-list outside_access_in extended permit tcp any interface outside eq https </P><P>access-group outside_access_in in interface outside </P></BODY></HTML> Sat, 12 Jan 2008 00:06:48 GMT JORGE RODRIGUEZ 2008-01-12T00:06:48Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826718#M957195 <P>I need to punch a whole through this ASA to get port 25 and 443 traffic through can someone give me the command to do that? </P><P></P><P>Currently it's a mail server on the other side of an ASA. I have the following Static on the ASA.</P><P></P><P>static (inside,outside) tcp 216.110.x.22 smtp 172.16.200.4 smtp netmask 255.255.255.255</P><P>static (inside,outside) tcp 216.110.x.22 https 172.16.200.4 https netmask 255.255.255.255</P><P></P><P>I added a line similar that went from (Outsie,Inside) but that didn't work. There's also an ACL saying to allow anything from the Internet to hit those servers for 25 and 443 any help would be greatly appreaciate as they havent had mail in 3 days.</P><P></P><P></P><P></P> Mon, 11 Mar 2019 11:46:54 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826718#M957195 ixholla69 2019-03-11T11:46:54Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826719#M957196 <HTML><HEAD></HEAD><BODY><P>Are you using outside interface IP address for your static translation? if so try.</P><P></P><P>static (inside,outside) tcp interface smtp 172.16.200.4 smtp netmask 255.255.255.255 </P><P>static (inside,outside) tcp interface https 172.16.200.4 https netmask 255.255.255.255 </P><P></P><P>then your access list should be applied to your outside interface</P><P></P><P>e.g</P><P></P><P></P><P>access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp </P><P>access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https</P><P>access-group outside_access_in in interface outside</P><P></P><P></P><P>Rgds</P><P>Jorge</P></BODY></HTML> Fri, 11 Jan 2008 21:01:34 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826719#M957196 JORGE RODRIGUEZ 2008-01-11T21:01:34Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826720#M957197 <HTML><HEAD></HEAD><BODY><P>Yeah that didn't seem to work <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P></BODY></HTML> Fri, 11 Jan 2008 21:38:15 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826720#M957197 ixholla69 2008-01-11T21:38:15Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826721#M957198 <HTML><HEAD></HEAD><BODY><P>ok, then try</P><P></P><P><B>remove acl </B></P><P>no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq smtp </P><P>no access-list outside_access_in extended permit tcp any host 216.110.x.22 eq https </P><P></P><P></P><P><B>re-enter acl</B></P><P></P><P>access-list outside_access_in extended permit tcp any interface outside smtp</P><P>access-list outside_access_in extended permit tcp any interface outside https</P><P>access-group outside_access_in in interface outside </P><P></P><P></P></BODY></HTML> Fri, 11 Jan 2008 22:55:30 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826721#M957198 JORGE RODRIGUEZ 2008-01-11T22:55:30Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826722#M957199 <HTML><HEAD></HEAD><BODY><P>I get a </P><P></P><P>access-list outside_access_in extended permit tcp any interface outside smtp</P><P> ^</P><P>ERROR: % Invalid input detected at '^' marker.</P><P></P></BODY></HTML> Fri, 11 Jan 2008 23:47:42 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826722#M957199 ixholla69 2008-01-11T23:47:42Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826723#M957200 <HTML><HEAD></HEAD><BODY><P>I do apologize , missed keyword <B>eq</B> . please try.</P><P></P><P>access-list outside_access_in extended permit tcp any interface outside eq smtp </P><P>access-list outside_access_in extended permit tcp any interface outside eq https </P><P>access-group outside_access_in in interface outside </P></BODY></HTML> Sat, 12 Jan 2008 00:06:48 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826723#M957200 JORGE RODRIGUEZ 2008-01-12T00:06:48Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826724#M957201 <HTML><HEAD></HEAD><BODY><P>If you are using MS Exchange servers, you need to disable fixup (or inspect) for smtp. </P><P></P><P>Satya</P></BODY></HTML> Sat, 12 Jan 2008 00:10:48 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826724#M957201 sbaddipu 2008-01-12T00:10:48Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826725#M957202 <HTML><HEAD></HEAD><BODY><P>%ASA-4-106023: Deny tcp src outside:24.20.x.93/1599 dst outside:216.110.x.22/25 by access-g roup "outside_access_in"</P><P></P></BODY></HTML> Sat, 12 Jan 2008 00:16:05 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826725#M957202 ixholla69 2008-01-12T00:16:05Z https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826726#M957203 <HTML><HEAD></HEAD><BODY><P>I wonder why that destination's showing up as Outside when it's coming in to an inside network ?</P></BODY></HTML> Sat, 12 Jan 2008 00:56:14 GMT https://community.cisco.com/t5/network-security/punching-a-hole/m-p/826726#M957203 ixholla69 2008-01-12T00:56:14Z