02-24-2016 12:53 AM - edited 03-12-2019 12:23 AM
Dears,
I have an email server, 10.10.10.249, hosted on-premise with its public address NATed at the ASA outside interface, and I recently installed an application which requires allowing a set of IPs to access the server. The IPs are:
74.201.84.80
74.201.152.59
74.201.154.214
165.254.168.201
I'm sure the server can reach all services outside, but what shall I do?
The ASA Configuration
=========================================================================================================
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 82.X.x.x 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
access-list 120 extended permit ip 10.10.10.0 255.255.255.0 any
access-list 120 extended permit ip 10.10.11.0 255.255.255.0 any
access-list 120 extended permit ip 10.10.12.0 255.255.255.0 any
access-list 140 extended permit tcp any interface outside eq telnet
access-list 140 extended permit tcp any interface outside eq imap4
access-list 140 extended permit tcp any interface outside eq https
access-list 140 extended permit tcp any interface outside eq smtp
access-list 140 extended permit tcp any interface outside eq pop3
access-list 133 extended permit icmp any any
access-list no_nat extended permit ip 10.10.20.0 255.255.255.0 any
access-list no_nat extended permit ip any 10.10.20.0 255.255.255.0
access-list SMTP_Restrict extended permit tcp host 10.10.10.249 any eq smtp
access-list SMTP_Restrict extended deny tcp any any eq smtp
access-list SMTP_Restrict extended permit ip any any
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list 120
static (inside,outside) tcp interface smtp 10.10.10.249 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.249 https netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.10.10.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.10.10.249 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface telnet 10.10.10.1 telnet netmask 255.255.255.255
access-group 140 in interface outside
access-group SMTP_Restrict in interface inside
route outside 0.0.0.0 0.0.0.0 82.147.202.137 1
route inside 10.10.11.0 255.255.255.0 10.10.10.1 1
route inside 10.10.12.0 255.255.255.0 10.10.10.1 1
============================================================================================================================
I think these rows should be omitted to resolve the issue:
nat (inside) 0 access-list no_nat
access-list no_nat extended permit ip 10.10.20.0 255.255.255.0 any
access-list no_nat extended permit ip any 10.10.20.0 255.255.255.0
02-24-2016 04:20 AM
How do you figure that removing the no-nat will solve the issue? The no-nat is defining an internal address of 10.10.20.0/24, while your server is on 10.10.10.249.
You need to create a NAT statement for each of the public addresses pointing to the 10.10.10.249 server,
and then access-lists permitting the traffic.
Are you having issues with the original server setup using the outside interface?
--
Please remember to select a correct answer and rate helpful posts
02-25-2016 05:59 AM
I am not sure how to do it. Can you tell me exactly what commands?
02-25-2016 06:10 AM
Here is an example of what you can do. But you will need to make changes with regard to the ports so that the correct public IP is translated with the correct port. And in turn you will then need to adjust the access-list configuration.
static (inside,outside) tcp 74.201.84.80 http 10.10.10.249 http
static (inside,outside) tcp 74.201.152.59 https 10.10.10.249 https
static (inside,outside) tcp 74.201.154.214 pop3 10.10.10.249 pop3
static (inside,outside) tcp 165.254.168.201 smtp 10.10.10.249 smtp
access-list 140 extended permit tcp any host 74.201.84.80 eq http
access-list 140 extended permit tcp any host 74.201.152.59 eq https
access-list 140 extended permit tcp any host 74.201.154.214 eq pop3
access-list 140 extended permit tcp any host 165.254.168.201 eq smtp
--
Please remember to select a correct answer and rate helpful posts
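An added worked example, not part of the thread and not the responder's configuration, in the pre-8.3 ASA syntax the posted config uses. Part 1 follows the accepted answer's reading (the four addresses are extra public IPs that the ISP routes to the ASA outside interface) but matches the ports to the services the server already publishes (smtp, https, pop3, imap4) instead of http. Part 2 is an assumption about the alternative reading of the question, where the listed addresses are the application's source addresses that must reach the existing interface translation; the object-group name MAIL_APP_SOURCES is made up for this example. The source port in the packet-tracer line is arbitrary, and 82.X.x.x is the outside address exactly as masked in the post.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax, same style as the posted config.
!
! Part 1 (accepted answer's reading): one extra public IP per service, each translated
! to the mail server. Assumes the ISP routes these four addresses to the ASA outside
! interface; the ASA only proxy-ARPs for addresses on its own outside subnet.
! If the ASA reports a duplicate static for a server port already mapped by one of the
! existing "interface" statics, keep only one static per server port.
static (inside,outside) tcp 74.201.84.80    smtp  10.10.10.249 smtp  netmask 255.255.255.255
static (inside,outside) tcp 74.201.152.59   https 10.10.10.249 https netmask 255.255.255.255
static (inside,outside) tcp 74.201.154.214  pop3  10.10.10.249 pop3  netmask 255.255.255.255
static (inside,outside) tcp 165.254.168.201 imap4 10.10.10.249 imap4 netmask 255.255.255.255
! Outside ACL entries for the new mapped addresses. Pre-8.3 ACLs match the public
! (translated) address, and a single IP must be written with "host" or a /32 mask.
access-list 140 extended permit tcp any host 74.201.84.80    eq smtp
access-list 140 extended permit tcp any host 74.201.152.59   eq https
access-list 140 extended permit tcp any host 74.201.154.214  eq pop3
access-list 140 extended permit tcp any host 165.254.168.201 eq imap4
!
! Part 2 (assumption: the listed addresses are the application's SOURCE IPs that must
! reach the server through the existing "interface" statics). Group them and permit
! them as sources at the top of the outside ACL. The existing "any" lines already allow
! them; these entries matter once those "any" lines are tightened to specific sources.
object-group network MAIL_APP_SOURCES
 network-object host 74.201.84.80
 network-object host 74.201.152.59
 network-object host 74.201.154.214
 network-object host 165.254.168.201
access-list 140 line 1 extended permit tcp object-group MAIL_APP_SOURCES interface outside eq smtp
access-list 140 line 2 extended permit tcp object-group MAIL_APP_SOURCES interface outside eq https
!
! Checks: confirm the translations exist, see hit counts per ACL line, and trace a
! constructed inbound packet from one listed host (source port 40000 is arbitrary).
show xlate
show access-list 140
packet-tracer input outside tcp 74.201.84.80 40000 82.X.x.x 25
```

The packet-tracer output shows each phase (route lookup, ACL, NAT) with an ALLOW or DROP verdict, which tells you whether a failure is the access-list, the static, or routing before any real client is pointed at the server.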
02-25-2016 06:27 AM
What I want is to allow the internet public IPs I listed above to be able to access my email server.
I'm not sure, but I think the direction should be from outside to inside, if I'm not wrong.
Thanks
02-25-2016 06:49 AM
The example I gave is from outside to inside. Static NAT is bidirectional, and access-list 140 is the access-list configured on the outside interface.
You need to figure out what port your email server is using. Normally it is port tcp/25 (smtp); Outlook Web Access uses port tcp/443. If you do not know which port your mail server is using, then I suggest you talk with the server administrator to find out.
--
Please remember to select a correct answer and rate helpful posts
02-25-2016 07:11 AM
Thanks