12-16-2013 05:37 PM - edited 03-11-2019 08:19 PM
Hi all,
I've been working on my ASA5505 quite happily with the old version of 8.2... for my 642-618 exam, but then it came to having a look at the 'upgrade' and I'm now running 9.1(3).....
Since it's 'only' at home I took the time to rearrange the home network's internal IP subnet numbering at the same time so I 'wiped' the old config and tried from scratch....
The problem I have is the way my ISP runs: the external IP, whilst a static address, has to connect via DHCP for ... actually no idea why. But the connection requires the DHCP or I don't get a connection if I use a static address on the interface - so I assume the DHCP request triggers something on their routing...
So, my external interface connected to the adsl modem is:-
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
Whilst the old 8.2 version I could run with:
! web
static (inside,outside) tcp interface 80 192.168.1.228 80 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 80
!smtp
static (inside,outside) tcp interface 25 192.168.1.25 25 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any interface outside eq 25
for my servers to get traffic, I can't find any examples with the new post-8.3 IOS for doing this with an external DHCP address, they are all on static addresses.
I even had a quick look at doing this via the ASDM (7.1), but couldn't find where I set the service (port) for the PAT in the Host.
Can someone please point me in the right direction, and confirm if the 642-618 is still the current one and if this is based on pre or post 8.3....
At the moment I'm really tempted to revert to 8.2, configure, then upgrade.
Thanks in advance.
12-16-2013 10:43 PM
object network mail_local
host 192.168.1.25
nat (inside,outside) static interface service tcp 25 25
object network web_local
host 192.168.1.228
nat (inside,outside) static interface service tcp 80 80
access-list inbound permit tcp any host 192.168.1.25 eq 25
access-list inbound permit tcp any host 192.168.1.228 eq 80
access-group inbound in interface outside
https://supportforums.cisco.com/docs/DOC-9129
Value our effort and rate the assistance!
12-18-2013 03:03 AM
Yes, and that's the common way to configure that. The only thing is that you have to reference an "object" and not a host in your ACL:
access-list inbound permit tcp any object mail_server eq 25
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
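Pulling the accepted solution and the follow-up correction together as one consistent post-8.3 configuration, with the interface block from the original question and a few verification commands. This is an added example, not one of the posters' configs; the object name web_server, the constructed client address 198.51.100.10 and the OUTSIDE_IP placeholder are assumptions.

```text
! Interface addressing is unchanged: the outside address comes from the ISP via DHCP,
! so the PAT rules below bind to the keyword "interface" rather than a fixed IP.
interface Vlan100
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Post-8.3 "auto NAT": each server is an object and the NAT statement lives inside it.
! In "service tcp <real> <mapped>" the inside port is listed first, the outside port second.
object network web_server
 host 192.168.1.228
 nat (inside,outside) static interface service tcp 80 80
!
object network mail_server
 host 192.168.1.25
 nat (inside,outside) static interface service tcp 25 25
!
! Since 8.3 the inbound ACL is evaluated against the REAL (untranslated) address,
! so the rules reference the object (or its real IP), never "interface outside" as in 8.2.
! Only the two published ports are opened; everything else inbound is still dropped.
access-list inbound extended permit tcp any object web_server eq 80
access-list inbound extended permit tcp any object mail_server eq 25
access-group inbound in interface outside
!
! Verification (exec mode): confirm the translations exist and walk a synthetic packet
! through the rule base. 198.51.100.10 is a constructed client address; replace
! OUTSIDE_IP with the DHCP-assigned address reported by "show ip address outside".
show ip address outside
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.10 40000 OUTSIDE_IP 25
```

The packet-tracer output should show the UN-NAT phase mapping OUTSIDE_IP:25 to 192.168.1.25:25 and the ACCESS-LIST phase matching the mail_server line; a drop at either phase points at the NAT statement or the ACL respectively.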
12-18-2013 02:12 AM
Thanks for this, but I now have a question...
could this be made more 'human' readable by using the following then?
object network mail_server
host 192.168.1.25
nat (inside,outside) static interface service tcp 25 25
access-list inbound permit tcp any host mail_server eq 25
In the case of a large deployment with multiple servers, it would make it more 'human' friendly, so is this a case of it will not work, bad practice, or will it just increase the load on the firewall CPU/memory?
12-16-2013 11:43 PM
The new config is already shown by jumora.
And for the new NAT style you should also read Jouni's document on that topic:
https://supportforums.cisco.com/docs/DOC-31116
Can someone please point me in the right direction, and confirm if the 642-618 is still the current one and if this is based on pre or post 8.3....
The exam can test you on both the old style NAT and the 8.3+ implementation. So you should practice them both.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni