ASA5505 on external DHCP with PAT for internal www and smtp servers

Neil Cudmore
Level 1

Hi all,

I've been working on my ASA5505 quite happily with the old version of 8.2... for my 642-618 exam, but then it came to having a look at the 'upgrade' and I'm now running 9.1(3).....

Since it's 'only' at home I took the time to rearrange the home network's internal IP subnet numbering at the same time, so I 'wiped' the old config and tried from scratch....

The problem I have is the way my ISP runs: the external IP, whilst a static address, has to connect via DHCP for ... actually no idea why.  But the connection requires the DHCP or I don't get a connection if I use a static address on the interface - so I assume the DHCP request triggers something on their routing...

So, my external interface connected to the ADSL modem is:

!
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute

Whilst on the old 8.2 version I could run with:

! web
static (inside,outside) tcp interface 80 192.168.1.228 80 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 80

!smtp
static (inside,outside) tcp interface 25 192.168.1.25 25 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 25

for my servers to get traffic, I can't find any examples with the new post-8.3 IOS for doing this with an external DHCP address; they are all on static addresses.

I even had a quick look at doing this via the ASDM (7.1), but couldn't find where I set the service (port) for the PAT in the Host.

Can someone please point me in the right direction, and confirm if the 642-618 is still the current one and if this is based on pre or post 8.3....

At the moment I'm really tempted to revert to 8.2, configure, then upgrade.

Thanks in advance.

4 Replies

jumora
Level 7

object network mail_local
 host 192.168.1.25
 nat (inside,outside) static interface service tcp 25 25
object network web_local
 host 192.168.1.228
 nat (inside,outside) static interface service tcp 80 80
access-list inbound permit tcp any host 192.168.1.25 eq 25
access-list inbound permit tcp any host 192.168.1.228 eq 80
access-group inbound in interface outside

ASA Pre-8.3 to 8.3 NAT configuration examples
https://supportforums.cisco.com/docs/DOC-9129

Value our effort and rate the assistance!

Thanks for this, but I now have a question...

Could this be made more 'human' readable by using the following then?

object network mail_server
 host 192.168.1.25
 nat (inside,outside) static interface service tcp 25 25
access-list inbound permit tcp any host mail_server eq 25

In the case of a large deployment with multiple servers it would make it more 'human' friendly, so is this a case of it will not work, bad practice, or will it just increase the load on the firewall CPU/memory?

Yes, and that's the common way to configure that. The only thing is that you have to reference an "object" and not a host in your ACL:

access-list inbound permit tcp any object mail_server eq 25

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

The new config is already shown by jumora.

And for the new NAT style you should also read Jouni's document on that topic:

https://supportforums.cisco.com/docs/DOC-31116

Can someone please point me in the right direction, and confirm if the 642-618 is still the current one and if this is based on pre or post 8.3....

The exam can test you on both the old style NAT and the 8.3+ implementation. So you should practice them both.

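As an added example (not from this thread, Cisco, or the linked documents), a small Python helper that mechanises the translation jumora and Karsten describe above: each pre-8.3 'static ... interface' line becomes a network object with object NAT, the new ACL entry references the object (the real, untranslated address), and the old 'interface outside' ACL lines are dropped because they matched the mapped address. The object names and the 'inbound' ACL name are taken from jumora's reply; the name mapping argument is a hypothetical convenience of this helper.

```python
import re

# Pre-8.3 interface-PAT form used in the question (trailing max_conns/emb_limit optional):
# static (real_if,mapped_if) tcp|udp interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+interface\s+"
    r"(?P<mapped_port>\d+)\s+(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real_port>\d+)"
    r"\s+netmask\s+255\.255\.255\.255(?:\s+\d+(?:\s+\d+)?)?$"
)

def convert_static(line, names=None, acl_name="inbound"):
    """One pre-8.3 static line -> ([object NAT lines], ACL line). names: real IP -> object name."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported static line: {line!r}")
    d = m.groupdict()
    obj = (names or {}).get(d["real_ip"]) or f"{d['proto']}_{d['real_port']}_{d['real_ip'].replace('.', '_')}"
    object_lines = [
        f"object network {obj}",
        f" host {d['real_ip']}",
        # object NAT 'service' takes <real_port> then <mapped_port>
        f" nat ({d['real_if']},{d['mapped_if']}) static interface service {d['proto']} {d['real_port']} {d['mapped_port']}",
    ]
    # 8.3+ ACLs match the real (untranslated) address; reference the object, not 'host <name>'
    return object_lines, f"access-list {acl_name} permit {d['proto']} any object {obj} eq {d['real_port']}"

def migrate(old_config, names=None, acl_name="inbound"):
    """Pre-8.3 statics -> 8.3+ objects, ACL entries and access-group. Old 'access-list ...
    interface <if> eq <port>' lines are dropped on purpose (they matched the mapped address)."""
    objects, acls, mapped_if = [], [], None
    for raw in old_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("access-list"):
            continue
        object_lines, acl_line = convert_static(line, names, acl_name)
        objects += object_lines
        acls.append(acl_line)
        mapped_if = STATIC_RE.match(line)["mapped_if"]
    if mapped_if:
        acls.append(f"access-group {acl_name} in interface {mapped_if}")
    return objects + acls

# Constructed input: the two pre-8.3 rules from the question, named as in jumora's reply
OLD = """! web
static (inside,outside) tcp interface 80 192.168.1.228 80 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 80
!smtp
static (inside,outside) tcp interface 25 192.168.1.25 25 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 25"""
NAMES = {"192.168.1.228": "web_local", "192.168.1.25": "mail_local"}
```

Running `print("\n".join(migrate(OLD, NAMES)))` yields the object NAT block from jumora's reply with the ACL written against the objects; a static line in any other form (for example a static with an explicit mapped IP) is rejected rather than silently mistranslated.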