Inbound Static Nat on ASA 8.3

mani.khatra
Level 1

Hi,

Is it possible to configure an inbound static NAT from multiple public subnets to 1 internal mail server on an ASA 5510 with Software Version 8.3(2)34?

Need to allow access from the public subnets listed below to the internal mail server on port 25.

207.211.31.0/24

207.211.30.0/24

205.139.110.0/24

205.139.111.0/24

Thank You


Hello, Mani.

I would configure static network object NAT (unless you need to limit translation to the external servers only):

! Source ranges allowed to reach the mail server
object-group network EXTERNAL_MAIL_SERVERS
 network-object 207.211.30.0 255.255.254.0
 network-object 205.139.110.0 255.255.254.0
object network INTERNAL_MAIL_SERVER
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 25 25
! From 8.3 on, the ACL matches the real (inside) address of the server
access-list OUTSIDE_IN extended permit tcp object-group EXTERNAL_MAIL_SERVERS object INTERNAL_MAIL_SERVER eq 25

Thank you for the reply.

The external mail servers will need to forward to 154.11.11.30, an IP address in the firewall subnet range, and then forwarded to 10.0.0.100. I will need to translate outbound mail to 154.11.11.30 and then out to the internet.

Outside                            Firewall           Mail server inside
207.211.30.0 255.255.254.0     >   154.11.11.30   >   10.0.0.100
205.139.110.0 255.255.254.0

Thank You

Hello.

If the IP address (154.11.11.30) is the one that the provider assigned you, then:

  • if the IP address is assigned to the public ASA interface, then use the configuration from my last post;
  • if it's not assigned to the ASA's interface, but is within the public IP range the provider has assigned you, then adjust my last configuration with:

object network INTERNAL_MAIL_SERVER
 host 10.0.0.100
 nat (inside,outside) static 154.11.11.30 service tcp 25 25

Once Again Thank You. I will be trying the config below provided by you. One question, is it possible to do this config in a manual nat?

object-group network EXTERNAL_MAIL_SERVERS
 network-object 207.211.30.0 255.255.254.0
 network-object 205.139.110.0 255.255.254.0
object network INTERNAL_MAIL_SERVER
 host 10.0.0.100
 nat (inside,outside) static 154.11.11.30 service tcp 25 25
access-list OUTSIDE_IN extended permit tcp object-group EXTERNAL_MAIL_SERVERS object INTERNAL_MAIL_SERVER eq 25

Hello.

One question, is it possible to do this config in a manual nat?

Not sure what you meant by "manual nat".

If you are talking about ASDM, then, sorry, I've never used it to configure ASA (only to monitor).
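
A check of the allow-list in the first reply, as an added example that is not part of the original thread: it parses the posted object-group and reports whether the two summarized /23 entries permit exactly the four /24 subnets from the question, or leave some out, or permit more. The function names are hypothetical; the addresses are the ones posted above.

```python
import ipaddress

# Subnets the question asked to allow, and the object-group from the reply.
REQUESTED = ["207.211.31.0/24", "207.211.30.0/24",
             "205.139.110.0/24", "205.139.111.0/24"]
OBJECT_GROUP = """\
object-group network EXTERNAL_MAIL_SERVERS
 network-object 207.211.30.0 255.255.254.0
 network-object 205.139.110.0 255.255.254.0
"""

def parse_object_group(text):
    """Return the networks in 'network-object <addr> <mask>' / 'host <ip>' lines."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "network-object":
            continue
        spec = parts[2] + "/32" if parts[1] == "host" else parts[1] + "/" + parts[2]
        # strict=True raises ValueError if host bits are set for the given mask
        nets.append(ipaddress.ip_network(spec, strict=True))
    return nets

def subtract(a, b):
    """Return the parts of the networks in a that no network in b covers."""
    remaining = list(a)
    for hole in b:
        kept = []
        for net in remaining:
            if net.subnet_of(hole):
                continue                                # fully covered
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # partly covered
            else:
                kept.append(net)                        # disjoint
        remaining = kept
    return sorted(remaining)

def coverage_diff(requested, group_text):
    """Return (missing, excess): requested but not permitted, permitted but not requested."""
    req = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in requested))
    cfg = list(ipaddress.collapse_addresses(parse_object_group(group_text)))
    return subtract(req, cfg), subtract(cfg, req)

if __name__ == "__main__":
    missing, excess = coverage_diff(REQUESTED, OBJECT_GROUP)
    print("missing:", [str(n) for n in missing])
    print("excess: ", [str(n) for n in excess])
```

A non-empty `excess` list means a summarized entry widens the permit beyond what was requested, which is the case to catch before the ACL is applied.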
