12-28-2011 06:17 PM - edited 03-11-2019 03:07 PM
Hello everyone,
I have a Cisco ASA 5505 firewall with a Security Plus license. Currently I have ports 25, 80 and 443 open on public IP address 1.1.1.1 and perform static NAT
between the inside and outside IP addresses, as I configured via the CLI:
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 443
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 25
access-group OUT_IN in interface outside
static (inside,outside) 1.1.1.1 192.168.0.243
Which works great!!!
Since we changed our mail server IP address, I have to perform static NAT on a different IP, and ports 80 and 443 on a different IP.
For that I keep the access-list the same.
Change to:
Static (inside,outside) interface tcp 80 192.168.0.243 tcp 80 netmask 255.255.255.255
Static (inside,outside) interface tcp 443 192.168.0.243 tcp 443 netmask 255.255.255.255
Static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255
Once I make the change, email is not working!!!!!!!!!!!!!!!!
12-28-2011 10:40 PM
Hello,
Is this a typo
Static (inside,outside) interface tcp 80 192.168.0.243 tcp 80 netmask 255.255.255.255
Static (inside,outside) interface tcp 443 192.168.0.243 tcp 443 netmask 255.255.255.255
Static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255
????
Because it should be like this:
static (inside,outside) tcp interface 80 192.168.0.243 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.0.243 443 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.0.11 25 netmask 255.255.255.255
Now regarding the SMTP issue, it was working before on the other IP address, so it sounds more like a server issue.
Just to confirm it, let's do a capture:
access-list capout permit tcp any host xx.xx.xx (interface IP address) eq 25
access-list capout permit tcp host xxx.xx.xx (interface IP address) eq 25 any
access-list capin permit tcp any host 192.168.0.11 eq 25
access-list capin permit tcp host 192.168.0.11 eq 25 any
capture capout access-list capout interface outside
capture capin access-list capin interface inside
capture asp type asp-drop all
Then initiate some traffic from the outside to the SMTP server.
I want you to go to a PC on the inside interface and then to a browser and get me the pcap files of those captures.
https://xx.xx.xx/capture/capin/pcap The xx.xx.xx is the IP of the inside interface of the ASA
https://xx.xx.xx/capture/capout/pcap The xx.xx.xx is the IP of the inside interface of the ASA
Finally, provide me the show capture asp output and the two files you download from the PC in this discussion.
Do please rate helpful posts
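The check discussed in this thread, written as a small linter (an added example, not part of either post and not Cisco code): it flags `static` port-forward lines whose arguments are out of order and port forwards that have no matching permit in the outside access-list. It assumes the pre-8.3 argument order shown in the comment, and that 1.1.1.1 is the outside interface address; the names `audit` and `port` are hypothetical.

```python
import re

# Pre-8.3 static PAT grammar assumed by this example:
#   static (real_if,mapped_if) {tcp|udp} {mapped_ip|interface} mapped_port real_ip real_port [netmask mask]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_PAT = re.compile(
    rf"^static\s+\(\w+,\w+\)\s+(tcp|udp)\s+(interface|{IP})\s+(\w+)\s+({IP})\s+(\w+)"
    rf"(?:\s+netmask\s+{IP})?$", re.I)
STATIC_NAT = re.compile(
    rf"^static\s+\(\w+,\w+\)\s+(?:interface|{IP})\s+{IP}(?:\s+netmask\s+{IP})?$", re.I)
ACL_PERMIT = re.compile(
    rf"^access-list\s+\S+\s+extended\s+permit\s+(tcp|udp)\s+any\s+host\s+({IP})\s+eq\s+(\w+)$", re.I)
PORT_NAMES = {"smtp": "25", "www": "80", "https": "443"}  # keywords the ASA prints for these ports

def port(tok):
    return PORT_NAMES.get(tok.lower(), tok)

def audit(config, outside_ip):
    """Return (forwards, problems) for the static/access-list lines in config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    permits = {(m[1].lower(), m[2], port(m[3])) for m in map(ACL_PERMIT.match, lines) if m}
    forwards, problems = [], []
    for l in lines:
        if not l.lower().startswith("static"):
            continue
        m = STATIC_PAT.match(l)
        if not m:
            if not STATIC_NAT.match(l):  # plain one-to-one static NAT is fine
                problems.append("bad static syntax: " + l)
            continue
        proto, mapped, mport, real_ip, rport = m.groups()
        proto, mapped_ip = proto.lower(), outside_ip if mapped.lower() == "interface" else mapped
        forwards.append((proto, mapped_ip, port(mport), real_ip, port(rport)))
        if (proto, mapped_ip, port(mport)) not in permits:
            problems.append(f"no permit for {proto}/{port(mport)} to {mapped_ip}")
    return forwards, problems

# Constructed sample: the thread's ACL plus port forwards in the assumed grammar.
ACL = """access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 80
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 443
access-list OUT_IN extended permit tcp any host 1.1.1.1 eq 25
"""
GOOD = ACL + """static (inside,outside) tcp interface 80 192.168.0.243 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.0.11 25 netmask 255.255.255.255
"""
MISORDERED = ACL + "static (inside,outside) interface tcp 25 192.168.0.11 tcp 25 netmask 255.255.255.255\n"

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("MISORDERED", MISORDERED)):
        print(name, audit(cfg, "1.1.1.1"))
```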