10-26-2011 06:41 AM - edited 03-11-2019 02:42 PM
Anyone
I'm really confused now. Trying to do something I believed was simple enough.
Scenario:
Using an ASA5505, have 1 static outside address, want to access an inside SBS-Server on SMTP, RDP (3389), HTTPS and port 987
Have configured network object nat rules using the asdm, SMTP works (I can telnet to the server on port 25 from outside), however for some reason I can not telnet inside and out on port 25, so outgoing mail does not work. RDP does not seem to work from outside, 987 I haven't tested from outside. When I try to create a network object nat rule for https I get this message from the ASA:
[OK] object network SBS-HTTPS
object network SBS-HTTPS
[ERROR] nat (inside,outside) static interface service tcp https https
NAT unable to reserve ports.
Also configured access rules for the mentioned ports, again using the asdm.
Please could anyone point me in the right direction here.
I AM STUCK
Attached the asa config file
br
hkl
10-26-2011 06:57 AM
Hi Kristian,
Can you try these nats.
Erase all those nats and acl's added for the servers and add these:
object network SBS-SMTP
 host 192.168.10.9
object service RDP
 service tcp destination eq 3389
object service SMTP
 service tcp destination eq smtp
object service 987
 service tcp destination eq 987
object service HTTPS
 service tcp destination eq 443
object network SBS-RDP
 host 192.168.10.9
object network SBS-HTTPS
 host 192.168.10.9
object network SBS-987
 host 192.168.10.9
nat (outside,inside) source static any any destination static interface SBS-SMTP service SMTP SMTP
nat (outside,inside) source static any any destination static interface SBS-RDP service RDP RDP
nat (outside,inside) source static any any destination static interface SBS-HTTPS service HTTPS HTTPS
nat (outside,inside) source static any any destination static interface SBS-987 service 987 987
and use these ACL's:
access-list outside_access_in extended permit tcp any object SBS-SMTP eq smtp
access-list outside_access_in extended permit tcp any object SBS-RDP eq 3389
access-list outside_access_in extended permit tcp any object SBS-HTTPS eq https
access-list outside_access_in extended permit tcp any object SBS-HTTPS eq 987
It should definitely work, use the object services that are provided above.
Hope that helps.
Thanks,
Varun
10-26-2011 07:47 AM
Thanks for your response Varun
I deleted all nat's access list, network objects and service object and after a bit of fiddling I got SMTP and RDP to work, haven't tested the 987, but assume that works too.
The challenge now is that I still get the error msg when I try to add the NAT statement for https <<NAT unable to reserve ports>>
Again I can not telnet inside and out on port 25, that does not make any sense to me, any ideas?
hkl
10-26-2011 08:56 AM
Ok
I hate my ISP, they block port 25, that explained the smtp problem.
Now it's just the https issue left.
hkl
10-27-2011 12:53 AM
SOLVED
The issue with https turned out to be because ASDM access was enabled on the outside interface, thus occupying port 443. The solution is to either turn it off or change the asdm access port to something else than 443.
Thanks for the help folks.
hkl
10-27-2011 01:13 AM
ohhhhh ok, that's good. But I could not see any ASDM enabled on the outside:
http server enable
http 192.168.10.0 255.255.255.0 inside
Thanks,
Varun
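The port clash discussed in this thread can be checked offline against a saved configuration. The script below is an added example, not code from any poster or from Cisco: it flags every object-NAT `static interface` rule whose mapped TCP port equals the `http server enable` port (443 when no port is given) and reports whether an `http <network> <mask> <interface>` line names that interface. It covers only the object-NAT form shown in the error output, and the sample configuration is constructed.

```python
import re

# ASA prints well-known ports by name; only the names used on this page are mapped.
NAMED = {"https": 443, "smtp": 25}

def to_port(tok):
    return NAMED.get(tok) or (int(tok) if tok.isdigit() else None)

def find_conflicts(config):
    """Return (mapped_ifc, port, asdm_allowed_there) for every object-NAT
    'static interface' rule whose mapped TCP port is the ASDM/HTTPS server port."""
    lines = [l.strip() for l in config.splitlines()]
    asdm_port, asdm_ifcs, hits = None, set(), []
    for l in lines:
        # 'http server enable [port]': listens on 443 unless a port is given
        m = re.fullmatch(r"http server enable(?: (\d+))?", l)
        if m:
            asdm_port = int(m.group(1) or 443)
        # 'http <network> <mask> <interface>': where ASDM clients are accepted
        m = re.fullmatch(r"http \d+\.\d+\.\d+\.\d+ \S+ (\S+)", l)
        if m:
            asdm_ifcs.add(m.group(1))
    for l in lines:
        # nat (real_ifc,mapped_ifc) static interface service tcp real_port mapped_port
        m = re.fullmatch(r"nat \((\S+?),(\S+?)\) static interface service tcp (\S+) (\S+)", l)
        if m and asdm_port is not None and to_port(m.group(4)) == asdm_port:
            hits.append((m.group(2), asdm_port, m.group(2) in asdm_ifcs))
    return hits

# Constructed sample; only the object name, host and nat line come from the thread.
SAMPLE = """\
http server enable
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
object network SBS-HTTPS
 host 192.168.10.9
 nat (inside,outside) static interface service tcp https https
object network SBS-RDP
 host 192.168.10.9
 nat (inside,outside) static interface service tcp 3389 3389
"""

if __name__ == "__main__":
    for ifc, port, allowed in find_conflicts(SAMPLE):
        print(f"port {port} on {ifc}: PAT collides with ASDM (http allowed there: {allowed})")
    # After moving ASDM off 443 the rule no longer collides.
    print(find_conflicts(SAMPLE.replace("http server enable", "http server enable 8443")))
```

A hit with `asdm_allowed_there` set to `True` also means the management interface is reachable from that side, which is worth reviewing independently of the NAT error.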