12-19-2013 12:11 AM - edited 03-11-2019 08:20 PM
Hi,
I've configured object NAT on the 5525-X firewall and permitted these ports in the ACL, but we cannot access these ports from outside. Are there any changes in this new firewall series?
Thanks.
object network xx_Exch_Rdp
nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Send
nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Mapi
nat (Inside,Outside) static interface service tcp imap4 imap4
object network xx_Exch_Pop3
nat (Inside,Outside) static interface service tcp 587 587
object network xx_Exch_Smtp
nat (Inside,Outside) static y.y.y.z service tcp smtp smtp
12-19-2013 02:45 AM
The NAT looks fine. What about the ACL? Remember that you have to use the real address in the ACL and not the public/NATed address.
So the ACL would be something like:
permit tcp any object xx_Exch_Rdp eq 3389
permit tcp any object xx_Exch_Send eq pop3
...
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
12-19-2013 04:09 AM
I think the ACL also looks good to me... I'm using the real IP addresses. But you say to use the object; I'm using the host keyword here. Is that wrong?
access-list Outside_access_in extended permit tcp any host PUBLIC_IP object-group DM_INLINE_TCP_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq 587
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
12-19-2013 04:13 AM
The host keyword is perfectly fine. But it seems that you use the public IP in your ACL and not the real address. You need to use the address that your Exchange server has configured on its interface.
12-19-2013 04:19 AM
OK, then I will try with the real host IP address, which is a private IP. But we were using the public IP address in the older firewalls like the 5510 and 5520...
Thanks.
12-19-2013 04:22 AM
On the 5510/5520 you probably weren't running version 8.3+. That is where it changed from the public to the real address.
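To make the 8.3 change concrete, here is a before/after pair as an added example (not configuration from the original post): the same RDP port-forward written for pre-8.3 code, where the inbound ACL names the mapped (public) address, and for 8.3 and later, where it names the real address. The addresses 10.1.1.10 (server), 203.0.113.10 (Outside interface) and 198.51.100.7 (test client) are assumed placeholders; the object and ACL names follow the thread. A 5525-X requires 8.6(1) or later, so it is always on the post-8.3 side.

```cisco
! ---- Pre-8.3 (for example 8.2 on a 5510/5520): the ACL matches the MAPPED address ----
! Assumed: real server 10.1.1.10, Outside interface address 203.0.113.10.
static (Inside,Outside) tcp interface 3389 10.1.1.10 3389 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 203.0.113.10 eq 3389
access-group Outside_access_in in interface Outside

! ---- 8.3 and later: the ACL matches the REAL address ----
! The destination is untranslated before the inbound ACL is evaluated,
! so the ACL sees 10.1.1.10, never 203.0.113.10.
object network xx_Exch_Rdp
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp 3389 3389
! Reference the object (or "host 10.1.1.10"); "host 203.0.113.10" will never match.
access-list Outside_access_in extended permit tcp any object xx_Exch_Rdp eq 3389
access-group Outside_access_in in interface Outside

! ---- Checks ----
! packet-tracer takes the packet as it arrives on the wire, i.e. with the PUBLIC
! destination. Expect a NAT phase that reports
!   Untranslate 203.0.113.10/3389 to 10.1.1.10/3389
! followed by an ACCESS-LIST phase with Result: ALLOW. A DROP in the ACCESS-LIST
! phase while the ACL still names the public IP is the symptom from the original post.
packet-tracer input Outside tcp 198.51.100.7 40000 203.0.113.10 3389
! translate_hits / untranslate_hits per NAT rule:
show nat detail
! hitcnt per ACE:
show access-list Outside_access_in
```

The same rule applies to ports: the ACL matches the real (untranslated) port. If the forward were `service tcp 3389 33389` (real 3389, mapped 33389), the ACE would still read `eq 3389` while the packet-tracer test would target port 33389.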
12-19-2013 04:26 AM
Thank you very much for the information. I will try these.
Regards.
12-23-2013 01:33 PM
These NAT translations are two-way translations, is that right? So if the server wants to go to the Internet, it will go out from the NATed IP?
12-23-2013 02:33 PM
Yes and no ... ;-)
They can be used from both sides, which is what static translations are for. But they are restricted to the TCP ports 3389/imap/pop3 ... on the server side. And as it is unlikely that the server initiates a connection with source port 110/143/..., you need an additional entry for outgoing connections.
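The "additional entry" for outgoing connections, as an added example that is not the original poster's configuration. It assumes server 10.1.1.10 on inside subnet 10.1.1.0/24, Outside interface 203.0.113.10, and 203.0.113.25 standing in for the dedicated mail address y.y.y.z from the thread; the object name Inside_net is invented for the example. It shows why a port-specific static never carries the server's own outbound traffic, the dynamic catch-all that does, and a plain static for the mail server so that outbound SMTP leaves from the same address that receives it.

```cisco
! Assumed: server 10.1.1.10, inside subnet 10.1.1.0/24, Outside interface 203.0.113.10,
! dedicated mail address 203.0.113.25 (y.y.y.z in the original post).

! A network object may carry only ONE nat command, which is why the original post
! uses a separate object per port. A static "service" rule is bidirectional, but only
! for flows whose server-side port is the one named: inbound to dst 3389, or outbound
! from SOURCE port 3389. An ordinary outbound connection from the server uses an
! ephemeral source port and therefore matches none of the port-specific rules.
object network xx_Exch_Rdp
 host 10.1.1.10
 nat (Inside,Outside) static interface service tcp 3389 3389

! The additional entry: everything else leaving the inside network is PATed to the
! Outside interface address. Auto NAT evaluates static rules before dynamic ones, so
! the port-specific statics above still win for their ports; this only picks up the rest.
object network Inside_net
 subnet 10.1.1.0 255.255.255.0
 nat (Inside,Outside) dynamic interface

! Mail server alternative: a static WITHOUT "service" is a full one-to-one mapping.
! Inbound to 203.0.113.25 on any port untranslates to 10.1.1.10, and outbound SMTP
! from the server is sourced from 203.0.113.25 (what MX, SPF and reverse DNS expect).
! Being static, it also sorts ahead of the dynamic catch-all above. The inbound ACL,
! matched on the REAL address, is what limits the exposure to smtp only.
object network xx_Exch_Smtp
 host 10.1.1.10
 nat (Inside,Outside) static 203.0.113.25
access-list Outside_access_in extended permit tcp any object xx_Exch_Smtp eq smtp
access-group Outside_access_in in interface Outside

! Verify which rule an outbound flow hits (packet as the server sends it). With the
! config above the NAT phase should report a static translate to 203.0.113.25/51000;
! without the xx_Exch_Smtp object it would fall through to the dynamic interface PAT.
packet-tracer input Inside tcp 10.1.1.10 51000 198.51.100.25 25
! Rules are listed in evaluation order, with translate_hits / untranslate_hits:
show nat
```

Two statics for the same real host (the port-forward on the interface address and the full static on the dedicated address) are ordered among themselves by object name; here that order does not change behaviour, because inbound flows are distinguished by mapped address and outbound flows from an ephemeral port only match the full static. Use `show nat` to confirm the order the box actually applies.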