Allow (outside) host to (inside)

terrencepayet
Level 1

Hi Experts,

I have a ASA 5505 Sec Plus. I would like to allow outside hosts to our mail server and also our FTP server. So i would like to allow only SMTP, HTTP (for Outlook Web Access) and FTP.

Great if you guys can point me in the right direction.

Thanks,

Terence

10 Replies

varrao
Level 10

Hi Terrence,

You would need the following checklist:

1. A NAT command, which would publish the servers to the outside world, and for that you would need a public IP translation on the firewall.

2. You would need to create an access-list to allow outside users to access the servers on ports ftp (21), smtp (25) and http (443).

Let me explain with an example:

Assume I have a mail server on the inside:

private IP - 192.168.1.2

public IP - 1.1.1.1

Now I would need the following static command:

static (inside,outside) 1.1.1.1 192.168.1.2

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 25

access-group outside_access_in in interface outside

This is all you'll need.

Hope this helps,

P.S. Do rate helpful posts.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks for your reply.

The thing is... I have only one public IP and it is on my outside interface.

Will I be able to NAT with the same public IP to inside?

Thanks.

Hi Terence,

Here is the solution:

Let's say the outside IP is 1.1.1.1

Then you would need an access-list to allow the traffic for ports 25, 21, 443:

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 21

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 25

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 443

access-group outside_access_in in interface outside

static (inside,outside) tcp interface 25 <mail-server-inside-ip> 25

static (inside,outside) tcp interface 21 <ftp-server-inside-ip> 21

static (inside,outside) tcp interface 443 <mail-server-inside-ip> 443

(The static port forward has to name the real inside host; the placeholders in angle brackets stand for your servers' private addresses.)

This is called static port forwarding. If you just have one public IP but multiple servers, you can use just a single port on that public IP, instead of the whole IP.

I guess this is what you were looking for.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks again for your helpful post.

But I still can't access the services from outside. I've attached my config below.

Thanks,

Terence

Hi Terence,

Does this access-list include the server's public IP as well?

access-list inside_nat0_outbound extended permit ip any 1XX.XXX.XXX.0 255.255.255.0

Also please send me an output of the following (use any outside host as the source; the placeholder stands for its address, and 1.1.1.1 is your outside interface IP):

packet-tracer input outside tcp <outside-source-ip> 1025 1.1.1.1 80 detailed

This would help a lot.

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks.

The below IP in the access list is the public IP on the outside interface.

Find attached output.

Terence

Hi Terrence,

Well, if that is the case, could you tell me the purpose of that nat statement? Because you already do have a static statement. If it is something extra, please remove it, because it's going to conflict with the static that you have added for the servers. NAT exempt always takes precedence over the static statement.

Moreover, the packet-tracer output doesn't contain anything. Could you just send the same output that you had in the previous zip file?

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

Thanks a million.

I've searched the whole config over and over, and didn't find anything. There was a guy before who was playing with the config.

The problem was with Exempt.

Again, thank you very much.

Hi Terrence,

Glad to know it worked for you; let me know if you have any further concerns. Also, the statement in your config:

nat (inside) 1 access-list inside_nat_outbound

doesn't make sense, since you don't have any access-list inside_nat_outbound.

Thanks,

Varun

Thanks,
Varun Rao
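A complete pre-8.3 ASA configuration for the scenario worked through in this thread (one public IP on the outside interface, port forwards to two inside servers, and a NAT exempt rule that does not swallow the published traffic), added here as an example rather than taken from the thread or from Cisco documentation. The inside server addresses, the VPN pool and the test client address are assumed.

```text
! Added example (not from the thread). Assumed: outside interface IP 1.1.1.1,
! mail/OWA server 192.168.1.2, FTP server 192.168.1.3 (both on inside).
!
! Port forwards: each static names the real inside host and real port.
static (inside,outside) tcp interface 25  192.168.1.2 25
static (inside,outside) tcp interface 443 192.168.1.2 443
static (inside,outside) tcp interface 21  192.168.1.3 21
!
! Inbound policy on outside: only the three published ports, to the interface IP.
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 25
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 443
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 21
access-group outside_access_in in interface outside
!
! FTP data channel: ftp inspection (on by default in global_policy) opens the
! data connection dynamically, so no extra permit lines for high ports.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! NAT exempt pitfall from this thread: nat 0 is evaluated before static, so an
! exempt ACL that also matches the servers' traffic to the public subnet wins
! and the port forwards stop working. Wrong (too broad):
!   access-list inside_nat0_outbound extended permit ip any 1.1.1.0 255.255.255.0
! Right: exempt only the traffic that must stay untranslated, e.g. an assumed
! VPN pool 10.10.10.0/24, and nothing destined for the Internet.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Ordinary outbound PAT for inside users (typical, assumed not yet present).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Verification: simulate an assumed Internet client 203.0.113.5 opening SMTP,
! then confirm the translation exists and the ACL line is being hit.
! packet-tracer input outside tcp 203.0.113.5 1025 1.1.1.1 25 detailed
! show xlate | include 192.168.1.2
! show access-list outside_access_in
```

If the packet-tracer output shows the flow leaving via the nat 0 rule instead of the static, the exempt ACL is still matching the published traffic and needs narrowing.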

Hi Varun,

Now I have another scenario whereby I want to allow users coming from the DMZ interface (10.132.33.0/24, 10132.23.0/24, 10.132.66.0/24) access to our internal SQL server (192.168.1.7) on the inside interface 192.168.1.0/24.

Can this be done?

Terence
