08-16-2011 07:40 AM - edited 03-11-2019 02:12 PM
Dear boss
Please see my attachment.
I want to do static NAT 203.88.148.85 -> 172.29.1.5 and 192.168.0.241 -> 172.29.1.5.
That means all outsiders will get the mail server by 203.88.148.85 and local users will get the mail server by 192.168.0.241.
For that I did:
router :
interface GigabitEthernet0/0
ip address 203.88.148.84 255.255.255.248
ip nat outside
interface GigabitEthernet0/1
ip address 10.0.0.1 255.255.255.252
ip nat inside
ip route 0.0.0.0 0.0.0.0 203.88.148.81
ip route 172.29.1.0 255.255.255.0 10.0.0.2
ip route 192.168.0.0 255.255.255.0 10.0.0.2
ip nat pool IP_POOL 203.88.148.84 203.88.148.86 netmask 255.255.255.252
ip nat inside source list 1 pool IP_POOL overload
ip nat inside source static 172.29.1.5 203.88.148.85
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 172.29.1.0 0.0.0.255
ASA:
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.0.240 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.29.1.1 255.255.255.0
access-list OUTSIDE-IN extended permit ip any 172.29.1.0 255.255.255.0
static (DMZ,outside) 172.29.1.5 172.29.1.5 netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
But I can't get 203.88.148.85 from the internet, or 203.88.148.81 from 172.29.1.5. It is the same in the case of the local net.
What can I do now? What am I missing?
Can you help me, please?
thanks
shahid
08-16-2011 08:36 AM
Hi Shahid,
For the first part, the static should be:
access-list OUTSIDE-IN extended permit ip any 203.88.148.85 255.255.255.255
static (DMZ,outside) 203.88.148.85 172.29.1.5 netmask 255.255.255.255
For the second part,
static (inside,inside) 192.168.0.241 172.29.1.5
same-security-traffic permit intra-interface
Hope this helps!
Regards,
Anu
P.S. Please mark this question as answered if it has been resolved. Do rate helpful posts.
08-16-2011 08:48 AM
Dear Anu
I already did NAT on the router, with the static NAT on the ASA mapping 172.29.1.5 to itself.
Is it wise to NAT again on the ASA 5520?
Please tell me.
shahid
08-16-2011 11:05 AM
Hi Shahid,
Yes, in that case NAT should not be done on the ASA. The IP 203.88.143.85 is from the NAT pool IP_POOL. Could you have this IP be excluded from this pool and test?
Let me know.
Regards,
Anu
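Added example, not part of the thread and not the posters' code: a small Python check for the overlap raised in the reply above, where the global address of a static translation also sits inside a dynamic NAT pool. The function name and the embedded sample (copied from the router lines quoted in the first post) are assumptions of this example; pool addresses that equal an interface address are reported as a second item to review.

```python
import ipaddress

# Constructed sample: the router NAT lines quoted in the first post.
ROUTER_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.88.148.84 255.255.255.248
 ip nat outside
ip nat pool IP_POOL 203.88.148.84 203.88.148.86 netmask 255.255.255.252
ip nat inside source list 1 pool IP_POOL overload
ip nat inside source static 172.29.1.5 203.88.148.85
"""

STATIC_PREFIX = ["ip", "nat", "inside", "source", "static"]


def find_nat_conflicts(config):
    """Return (kind, address, pool_name) for every static-NAT global address
    or interface address that falls inside a dynamic NAT pool range."""
    ip = ipaddress.ip_address
    pools, statics, ifaddrs = {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "nat", "pool"] and len(tok) >= 6:
            # ip nat pool NAME START END netmask MASK
            pools[tok[3]] = (ip(tok[4]), ip(tok[5]))
        elif tok[:5] == STATIC_PREFIX:
            rest = tok[5:]
            if rest and rest[0] in ("tcp", "udp") and len(rest) >= 5:
                # static tcp LOCAL PORT GLOBAL PORT
                statics.append(ip(rest[3]))
            elif len(rest) >= 2 and rest[0] not in ("tcp", "udp"):
                # static LOCAL GLOBAL
                statics.append(ip(rest[1]))
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            ifaddrs.append(ip(tok[2]))
    conflicts = []
    for name, (low, high) in pools.items():
        for kind, addrs in (("static", statics), ("interface", ifaddrs)):
            for addr in addrs:
                if low <= addr <= high:
                    conflicts.append((kind, str(addr), name))
    return conflicts


if __name__ == "__main__":
    for kind, addr, pool in find_nat_conflicts(ROUTER_CONFIG):
        print(f"{kind} address {addr} is also inside pool {pool}")
```
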
08-17-2011 01:28 AM
Hi Anu
When I use
ip nat inside source static 172.29.1.5 203.88.148.85 I don't get it.
I just changed it to ip nat inside source static tcp 172.29.1.5 25 203.88.148.85 25 and I am getting it.
Now I removed ip nat inside source static tcp 172.29.1.5 25 203.88.148.85 25 and I am still getting it.
Could you please differentiate the two NATs?
Now I need to NAT 192.168.0.241 to 172.29.1.5 as the 192.168.0.10 PC gets the mail server by 192.168.0.241.
Please advise me.
Thanks
shahid
08-18-2011 01:33 AM
Hi Shahid,
The difference between those 2 NATs is that one NATs traffic that comes to port 25 and the other NATs all traffic that comes to 203.88.148.85. It is strange that changing the entries back and forth made the traffic go through. For the 192.168.0.10 NAT, did you try:
static (inside,inside) 192.168.0.241 172.29.1.5
same-security-traffic permit intra-interface
Let me know.
Regards,
Anu
08-18-2011 04:00 AM
Hi,
You didn't solve the problem from the post in the network infrastructure forum?
Regards.
Alain.