Solved: ASA 8.6 nat and access list for mail server

dave love · ‎10-31-2012

Trying to figure this all out. I'm getting untranslated hits. I posted the config I have so far.

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 10.1.1.1 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.240.253 255.255.255.0

access-list incoming permit tcp any host 10.1.1.4 eq smtp

access-group incoming in interface outside

object network smtp-inside

host 192.168.240.130

nat (inside,outside) static smtp-outside service tcp smtp smtp

object group smtp-outside

host 10.1.1.4

SHOW ACCESS-LIST INCOMING

access-list incoming line 1 extended permit tcp any host 10.1.1.4 eq smtp (hitcnt=0)

SHOW NAT

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static smtp-inside smtp-outside service tcp smtp smtp

translate_hits = 0, untranslate_hits = 12

PING 192.168.240.130

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.240.130, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Julio Carvajal · ‎11-07-2012

Hello Dave,

Inside an object group there can only be a nat command, so you will need to create different object networks containing the same IP or use Twice Nat.

So you have those 2 options,

Hope that I could help,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Harish Balakrishnan · ‎10-31-2012

Hello Dave,

Please modify the acl as follows and let me know the result

access-list incoming permit tcp any host 192.168.240.130 eq smtp

regards

Harish

Please rate all helpful posts!

dave love · ‎11-01-2012

I'm trying to hit the mail server from the outside in this is the inside host.

Julio Carvajal · ‎11-01-2012

Hello Dave,

As Harish said you need to point the private IP, since 8.3 the ACL setup changed ( This means NAT goes first than the ACL check, that is why you must point the private ip address)

So do it like this

access-list incoming permit tcp any host 192.168.240.130 eq smtp

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

dave love · ‎11-06-2012

Thanks that worked. But now how do I make multiple port numbers for the same host?

It only allows one to one this way.

object network smtp-inside
host 192.168.240.130

nat (inside,outside) static smtp-outside service tcp smtp smtp

I need to say http, https, smtp all to the same host.

Julio Carvajal · ‎11-06-2012

Hello Dave,

well just do the same thing but change the services, and on the ACL make reference to the new services,

Regards,

Remember to rate all of the helpful posts and if you do not have any other question please mark it as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

dave love · ‎11-07-2012

SO I don't use static tcp statements anymore. I just make separate object networks then assign them the port numbers via access lists. Do all the nat statements now need to be binded to the object groups? before I just made static statements now it seems I need to go into the object network and place the nat statement in there each time.I'm not sure I understand what nat statements mean outside of the object networks.

example that is working:

object network smtp-outside

host 10.1.1.4

object network smtp-inside
host 192.168.240.130

nat (inside,outside) static smtp-outside

access-list incoming extended permit tcp any object smtp-inside eq smtp

access-list incoming extended permit tcp any object smtp-inside eq 2500

Julio Carvajal · ‎11-07-2012

Hello Dave,

Inside an object group there can only be a nat command, so you will need to create different object networks containing the same IP or use Twice Nat.

So you have those 2 options,

Hope that I could help,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC