02-24-2025 09:26 AM
Hi
So I am just confused over the concepts, and google is not helping. It recites specifics, but nothing that explains.
So, for example. I have several WAN IPs and several LAN Networks [vlans] and will just be dealing with one.
First, I made a MANUAL Dynamic NAT: x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network]. To me, that means associate ANY LAN IP in 192.168.1.0/24 with WAN IP x.x.x.180. This works; no matter what IP on the 1.x LAN, it grabs the correct WAN IP.
Second, I made ACLs allowing for incoming [WAN to LAN] access: allow incoming from outside to inside 192.168.1.180, port 25.
Still did not work. So then I made another manual NAT, but static: x.x.x.180 to 192.168.1.180. [I did not specify] ports.
Now it works, incoming and outgoing mail. But "works" does not mean "works right". How does a NON PORT SPECIFIC 2nd static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??
02-27-2025 12:33 PM - edited 02-27-2025 12:35 PM
Oh for the love of!!!
First of all, I rarely run firewall specifics on this type of server, as only 2 ports are open and it is ruled by the Cisco FPR. But it just occurred to me that several months back I fussed around with it, and sure enough, 80 was blocked. I unblocked it and bam, it works.
How embarrassing.
02-24-2025 03:36 PM
First, I made a MANUAL Dynamic NAT: x.x.x.180 [WAN IP] to 192.168.1.0 [LAN Network]. To me, that means associate ANY LAN IP in 192.168.1.0/24 with WAN IP x.x.x.180. This works; no matter what IP on the 1.x LAN, it grabs the correct WAN IP.
This NAT is for the IP addresses on the inside LAN to be translated to the outside into a public IP - x.x.x.180.
Second, I made ACLs allowing for incoming [WAN to LAN] access: allow incoming from outside to inside 192.168.1.180, port 25.
The ACL is basically for inspecting traffic.
Still did not work. So then I made another manual NAT, but static: x.x.x.180 to 192.168.1.180. [I did not specify] ports.
This NAT is needed in order to permit outside traffic from the originating mail server to be translated to the real server IP - 192.168.1.180.
Now it works, incoming and outgoing mail. But "works" does not mean "works right". How does a NON PORT SPECIFIC 2nd static NAT make it work? The NAT isn't saying anything about email port 25, so how does it know??
The "NON PORT SPECIFIC 2nd Static NAT" translates ALL ports for the specified IP address.
02-24-2025 04:08 PM
That all makes more sense. Would it be wise to indeed make them port specific? Or does it not matter, as I do not have ACLs permitting ports other than what I want anyway?
02-25-2025 02:22 AM
It's always a good idea to be very specific when it comes to firewall configuration. For that matter, I always configure the NAT and the ACLs as specifically as possible.
02-27-2025 10:47 AM
Not to sound redundant, but do I need to make a NAT entry for any incoming port access alongside an ACL?
So, if I am doing 25, 443 and 80, do I make 3 NATs?
02-27-2025 11:15 AM
Yes, you do have to configure 3 NAT entries, one for each port you intend to use - 25, 443, 80.
02-27-2025 11:22 AM - edited 02-27-2025 11:23 AM
Hi
Then I am doing something wrong.
I made a NAT entry for port 80 and created an ACL for port 80. The NAT is a MANUAL NAT, above the default NAT.
But when I do Letsencrypt [certificate maker] I get this error:
Fetching http://mail.fbeye.org/.well-known/acme-challenge/IU4TxWtsgccFG7iQS3HMBqWAybIsQpmd9zLm-7oWrJU: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
02-27-2025 11:28 AM
I can see that port 25 is open on mail.fbeye.org, but ports 80 and 443 are not.
What is the difference between port 25 NAT config and port 80 NAT config?
02-27-2025 11:30 AM
02-27-2025 11:34 AM
Can I see the NAT screenshot for port 25 as well please.
02-27-2025 11:38 AM
02-27-2025 11:46 AM
The NAT rule "fbeye_mail" is not restricted to any ports - it translates all ports on object group "fbeye_mail" to object group "fbeye_WAN".
What is NAT rule "fbeye_Networks"?
02-27-2025 11:49 AM - edited 02-27-2025 11:51 AM
So, starting from the beginning.
I have a Dynamic NAT rule associating ALL of [LAN] 192.168.1.0/24 to [WAN] x.x.x.180.
I then want to allow access [incoming] on 80 and 25, so I create two NEW STATIC NAT rules above the default NAT rule. That is where I am at.
1.) associating the LAN network with the WAN IP [the reason for this is I simply want any IP on the 1.0 network to have the .180 WAN IP by default]
2.) creating the incoming 25 rule and
3.) creating the incoming 80 rule... ALL on WAN x.x.x.182 to LAN [specific] 192.168.1.180
fbeye_network = 192.168.1.0/24
fbeye_mail = 192.168.1.180
fbeye_WAN = x.x.x.180 WAN IP
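The layout described in this thread (one catch-all dynamic NAT for the LAN, plus one port-specific static NAT per inbound service, plus an inbound ACL) written out as ASA-style CLI. This is an added example, not the poster's configuration (their device is managed through a GUI); it assumes the interface names vlan2 and outside and the object names used in the thread, and 203.0.113.180 is a placeholder for the redacted x.x.x.180.

```cisco
! Added example, not the poster's config. Objects named as in the thread;
! 203.0.113.180 is a documentation placeholder for the redacted WAN IP.
object network fbeye_network
 subnet 192.168.1.0 255.255.255.0
object network fbeye_mail
 host 192.168.1.180
object network fbeye_WAN
 host 203.0.113.180

! One service object per inbound port so each static entry covers exactly one port
object service svc_smtp
 service tcp source eq 25
object service svc_http
 service tcp source eq 80
object service svc_https
 service tcp source eq 443

! Manual (twice) NAT, section 1: port-specific static entries, evaluated first.
! Each maps fbeye_WAN:<port> <-> fbeye_mail:<port> in both directions, so an
! inbound SYN to 203.0.113.180:25 is untranslated to 192.168.1.180:25 and nothing
! else on that public IP is exposed by these lines.
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service svc_smtp svc_smtp
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service svc_http svc_http
nat (vlan2,outside) source static fbeye_mail fbeye_WAN service svc_https svc_https

! Section 3 (after-auto): the catch-all dynamic PAT for the whole LAN, evaluated
! last, so outbound traffic from any 192.168.1.x host still leaves as fbeye_WAN.
nat (vlan2,outside) after-auto source dynamic fbeye_network fbeye_WAN

! Inbound ACL on "outside": on ASA 8.3+ the destination is the REAL (untranslated)
! address, and only the ports that have a matching static entry are permitted.
access-list outside_in extended permit tcp any object fbeye_mail eq 25
access-list outside_in extended permit tcp any object fbeye_mail eq 80
access-list outside_in extended permit tcp any object fbeye_mail eq 443
access-group outside_in in interface outside
```

A single static entry without a service object would translate every port of fbeye_WAN to fbeye_mail, which is why the all-ports static NAT in the original post "just worked" for port 25; the ACL was then the only thing keeping other ports closed.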
02-27-2025 12:08 PM
What other ACL rules do you have? Do you have an ACL rule permitting traffic from source interface "vlan2" to destination interface "outside"?
02-27-2025 12:13 PM