12-19-2011 03:30 PM - edited 03-11-2019 03:03 PM
Any ideas how this can be done on a ASA? There was a sonicwall in place but it just died and we do not have a replacement besides this ASA. The 24.172.x.132 is a spam filter and I can't change the IP address. It needs to be able to access one server in the LAN.
12-19-2011 03:52 PM
Hello Jason,
You could configure port forwarding for both the DMZ server and the Inside server.
What traffic do you need to route to the DMZ server
What traffic do you need to route to the Inside server
Regards,
Julio
12-19-2011 04:03 PM
Note: Both 24.172.X.X addresses are on the same subnet.
I need both servers to send mail traffic back and forth.
12-19-2011 04:14 PM
Hello Jason,
They are on different subnets, but they get NATted to the same IP address, right? Because inside is 10.x.x.x and DMZ is x.x.x.x.
The configuration would be:
static (inside,outside) tcp 24.172.x.x 2525 10.10.x.58 25
static (dmz,outside) tcp 24.172.x.x 25 x.x.x.x 25
access-list outside_in extended permit tcp any host 24.172.x.x eq 25
access-list outside_in extended permit tcp any host 24.172.x.x eq 2525
access-group outside_in in interface outside
Please rate helpful posts.
Regards,
Julio
12-19-2011 04:35 PM
Both 24.x.x.x addresses are on the same subnet. They are public IP addresses.
I have an outside, inside, and dmz nameif.
I only have an IP address assigned to the outside and inside interfaces.
12-19-2011 05:33 PM
Hello Jason,
I know both 24.xx.xx.xx are on the same subnet, but the ASA has to have a different IP address configured on each interface (it will separate the broadcast domains), unless you have an ASA 5505, which I think is the one you have.
OK, so if you want to create this, this is what you need to do:
To allow just inbound traffic to the servers
-Provide a different private IP address to each server locally
-Create a port-forwarding rule for each server (NAT the local private IP address to the 24.x.x.x on the outside)
-Allow inbound access to the public IP address/port of those servers on the outside.
To allow bi-directional traffic:
-Do a static one-to-one (private IP address of the server / public)
-Allow inbound access to the public IP address.
Regards,
Julio
12-20-2011 06:44 AM
Thanks for your help but I'm having a hard time following what you are trying to say. The IP scheme can not change and I know how to NAT private IP space for a DMZ.
I think the solution would be to put a switch connected to the modem and then connect the ASA and spam server to the switch.
12-20-2011 09:07 AM
Hi Jason,
Based on your diagram -
Internet is your 'Outside' interface for the ASA (IP 24.172.x.x).
DMZ will be another interface and the IP for the interface will be something like 10.x.x.x, and all the hosts/servers on the DMZ will have IPs 10.x.x.x with the ASA DMZ interface as gateway. In general, the servers in the DMZ will be advertised to the Internet with your public IP (24.172.x.x) using 'Static NAT' statements.
Inside is your users segment / LAN.
So now the question is: what is the physical address assigned to the SPAM filter server? If it is 24.172.x.x, then you need to modify the diagram, as it is on the 'outside' interface of the ASA.
That being said, Julio already provided you with a solution. If you still have issues, please post the correct topology.
hth
MS
12-20-2011 12:06 PM
Correct solution:
Add a switch after the internet modem and connect the ASA and the spam filter to the switch. Then add an ACL to allow the spam filter's IP address to come to the inside network.