01-16-2012 04:43 AM - edited 03-11-2019 03:14 PM
If ASA 8.3 uses the real IP address in ACLs, why does this example, "ASA 8.3 and Later: Mail (SMTP) Server Access on Inside Network Configuration Example", use the public (NATted) IP address for the SMTP server ACL?
Solved!
01-17-2012 01:18 AM
I agree!!

! Pre-8.3 syntax: the inbound ACL on the outside interface references the mapped (public) address
static (inside,outside) 209.165.201.15 10.1.1.6 netmask 255.255.255.255
!
access-list outside_in extended permit tcp any host 209.165.201.15
access-group outside_in in interface outside
!
! 8.3 and later: object NAT, and the same inbound ACL references the real (inside) address
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 209.165.201.15
!
access-list outside_in extended permit tcp any host 10.1.1.6
access-group outside_in in interface outside
01-16-2012 05:20 AM
Whatever the SMTP server IP will be on the internet, you will have to add that IP to the outside ACL to allow port 25. It could be the NAT IP or a public IP as well.
Can you post the statement from the configuration where you have a doubt?
Thanks
Ajay
01-16-2012 05:24 AM
In the example:
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic 209.164.3.129
Why doesn't it use the real IP address in the ACL?
01-16-2012 05:31 AM
Ok.
That traffic originates from inside hosts. You should focus on:
object network obj-192.168.2.57
 host 192.168.2.57
 nat (inside,outside) static 209.164.3.5
For your SMTP question: the SMTP server is mapped with one-to-one NAT, so its public identity would be 209.164.3.5, so of course that is allowed in the ACL.
Regarding the configuration you posted: it has nothing to do with the SMTP server; it covers the whole /24 subnet for outbound traffic.
NAT has an order of processing: nonat > static NAT > dynamic NAT > static PAT > dynamic PAT, like this.
Hope this helps.
Thanks
Ajay
01-17-2012 12:53 AM
OK, sorry, of course, the SMTP server NAT was:
object network obj-192.168.2.57
 host 192.168.2.57
 nat (inside,outside) static 209.164.3.5
But the ACL uses the public IP, not the real IP address as announced in the Release Notes / migration guide, which state:
"For example, formerly if you wanted to allow an outside host to access an inside host that used NAT, you
applied an inbound access list on the outside interface using the access-group command. In this
scenario, you needed to specify the mapped address of the inside host in the access list because that
address was the address that can be used on the outside network. Starting in 8.3, you need to specify the
real address in the access list."
In this Cisco Support Channel video (minute 3), the outside ACL uses the real IP address, not the public NATted one.
So my question is:
In the ACL, do I have to use the real IP (like the video) or the NATted IP (like the SMTP example)?
Thanks
01-17-2012 01:01 AM
Hi
Use the real IP address:
e.g.
access-list smtp extended permit tcp any host 192.168.2.57 eq smtp
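As an added example (not part of any post in this thread, and not a Cisco tool), here is a small Python lint for exactly the migration mistake discussed above: it reads an ASA 8.3-style configuration, collects the mapped-to-real pairs from `object network` static NAT, and flags any ACE in an ACL applied inbound on the mapped-side interface whose destination is a mapped address rather than the real one. The sample configuration is constructed from the object/NAT lines quoted in this thread plus one ACE written each way; the ACE grammar it understands is a deliberately small subset (`any`, `host X`, `X MASK`, `object X`), so anything built from `object-group` or more exotic NAT keywords is an assumption it does not cover.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample config (not from a real device): the SMTP server NAT from the
# thread, the outbound /24 object, and two ACEs, one against the mapped address
# (the pre-8.3 habit) and one against the real address (correct on 8.3+).
SAMPLE_CONFIG = """\
object network obj-192.168.2.57
 host 192.168.2.57
 nat (inside,outside) static 209.164.3.5
!
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic 209.164.3.129
!
access-list smtp extended permit tcp any host 209.164.3.5 eq smtp
access-list smtp extended permit tcp any host 192.168.2.57 eq smtp
access-group smtp in interface outside
"""


@dataclass
class Finding:
    lineno: int       # 1-based line number of the offending ACE
    acl: str          # ACL name
    interface: str    # interface the ACL is applied inbound on
    mapped: str       # mapped (NAT'd) address the ACE references
    real: str         # real address the ACE should reference on 8.3+
    suggested: str    # the ACE rewritten with the real address


_OBJ = re.compile(r"^object network (\S+)$")
_HOST = re.compile(r"^\s+host (\S+)$")
_STATIC = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+)")
_ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _addr_spec(tokens: list[str]) -> tuple[str | None, object, list[str]]:
    """Consume one ACE address spec (subset grammar); return (kind, value, rest)."""
    if not tokens:
        return None, None, tokens
    head = tokens[0]
    if head in ("any", "any4", "any6"):
        return "any", None, tokens[1:]
    if head in ("host", "object", "object-group", "interface"):
        return head, tokens[1], tokens[2:]
    # "ip netmask" form
    return "subnet", (tokens[0], tokens[1]), tokens[2:]


def find_mapped_address_aces(config: str) -> list[Finding]:
    """Return ACEs that name a static-NAT mapped address where 8.3+ needs the real one."""
    mapped_to_real: dict[str, tuple[str, str]] = {}   # mapped ip -> (real ip, mapped-side iface)
    aces: list[tuple[int, str, str, str | None, object]] = []
    acl_iface: dict[str, str] = {}                     # acl name -> inbound interface
    current_real: str | None = None

    for n, line in enumerate(config.splitlines(), 1):
        if _OBJ.match(line):
            current_real = None                        # new object: forget previous host
        elif m := _HOST.match(line):
            current_real = m.group(1)
        elif (m := _STATIC.match(line)) and current_real:
            _real_if, mapped_if, mapped = m.groups()
            mapped_to_real[mapped] = (current_real, mapped_if)
        elif m := _ACE.match(line):
            acl, _action, _proto, rest = m.groups()
            _, _, rest_tokens = _addr_spec(rest.split())   # skip the source spec
            dkind, dval, _ = _addr_spec(rest_tokens)       # destination spec
            aces.append((n, acl, line, dkind, dval))
        elif m := _GROUP.match(line):
            acl_iface[m.group(1)] = m.group(2)

    findings: list[Finding] = []
    for n, acl, line, dkind, dval in aces:
        if dkind != "host" or dval not in mapped_to_real:
            continue
        real, mapped_if = mapped_to_real[dval]
        iface = acl_iface.get(acl)
        if iface != mapped_if:
            continue   # not applied on the mapped side; not the 8.3 pitfall
        suggested = line.replace(f"host {dval}", f"host {real}", 1)
        findings.append(Finding(n, acl, iface, dval, real, suggested))
    return findings


if __name__ == "__main__":
    for f in find_mapped_address_aces(SAMPLE_CONFIG):
        print(f"line {f.lineno}: ACL {f.acl} (in on {f.interface}) uses mapped "
              f"{f.mapped}; on 8.3+ use real {f.real}:\n  {f.suggested}")
```

On the sample this reports only line 9, the ACE written against 209.164.3.5, and suggests the 192.168.2.57 form. The practical caveat is why this is worth linting rather than eyeballing: on 8.3 and later the ACL is evaluated against the real address, so an ACE that still names the mapped address matches nothing. For a permit that means the SMTP server is simply unreachable and the problem is noticed; for a deny it means the rule provides no protection at all and nothing complains.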