08-31-2010 10:32 PM - edited 03-11-2019 11:33 AM
Hi,
I am using a Cisco ASA 5510 firewall, software version 7.0(2), with these licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs : 0
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 50
Issue:
I have a Barracuda Spam filter firewall with IP address 192.168.1.2, and port 25 is enabled. This firewall supports multiple domains for spam filtering. Currently I was using a single domain and it works fine for me; now I need to add one more domain to the same spam filter. Everything is done on the Barracuda side. Now when I add one more entry for a live IP with the same local 192.168.1.2 25, it gives me an error:
us-firewall(config)# static (inside,outside) tcp 216.XXX.XX.12 smtp 192.168.1.2 smtp netmask 255.255.255.255
ERROR: duplicate of existing static
TCP inside:192.168.1.2/25 to outside:216.XXX.XXX.23/25 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
What I want:
216.XXX.XXX.23--->192.168.1.2 smtp (old entry, working fine)
and
216.XXX.XX.12--->192.168.1.2 smtp (new entry not working)
*** Please note I can't change/add an IP address on the Barracuda spam filter and can't change the port, so I just need two live IPs mapped to the same 192.168.1.2 IP address and port 25.
Solution: ?
09-01-2010 05:20 AM
Hello,
You cannot map multiple public IPs to a single internal IP with a straightforward static statement. You need to configure policy NAT. Please try the following:
access-list Mail1 permit tcp host 192.168.1.2 eq 25 any
access-list Mail2 permit tcp host 192.168.1.2 eq 25 any
static (inside,outside) tcp 216.XXX.XX.12 smtp access-list Mail1
static (inside,outside) tcp 216.XXX.XX.23 smtp access-list Mail2
Then make sure that you have allowed the traffic through the access-lists.
Hope this helps.
Regards,
NT
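Added example (not part of either post and not Cisco code): a small pre-change check that scans pasted `static` port-redirection lines and reports any real endpoint that more than one plain static points at, which is the condition behind the "duplicate of existing static" error in the question. The duplicate rule is modelled only on the error text shown in this thread, and the function names and `PORT_NAMES` table are hypothetical; policy-form lines (`access-list`) are parsed but not compared.

```python
import re
from collections import defaultdict

# Port-redirection form from the usage text on the page:
#   static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port ...
STATIC_PAT = re.compile(
    r"^\s*static\s+\((?P<real_ifc>[^,\s]+)\s*,\s*(?P<mapped_ifc>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<rest>.+)$",
    re.IGNORECASE,
)
PORT_NAMES = {"smtp": "25"}  # only the service name used on the page; extend as needed

def parse_static(line):
    """Parse one static port-redirection line; return None for any other line."""
    m = STATIC_PAT.match(line)
    if not m:
        return None
    entry = m.groupdict()
    rest = entry.pop("rest").split()
    if rest and rest[0].lower() == "access-list":
        # Policy form: the real side lives in the ACL, so it is not compared here.
        entry.update(kind="policy", acl=rest[1] if len(rest) > 1 else None)
    elif len(rest) >= 2:
        port = PORT_NAMES.get(rest[1].lower(), rest[1].lower())
        entry.update(kind="plain", real_ip=rest[0], real_port=port)
    else:
        return None
    return entry

def find_duplicate_reals(config_text):
    """Map each real endpoint used by more than one plain static to its mapped sides."""
    groups = defaultdict(list)
    for line in config_text.splitlines():
        e = parse_static(line)
        if e and e["kind"] == "plain":
            key = (e["real_ifc"].lower(), e["proto"].lower(), e["real_ip"], e["real_port"])
            groups[key].append((e["mapped_ip"], e["mapped_port"]))
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample: both statements from the question (masked as on the page) plus one policy line.
SAMPLE = """\
static (inside,outside) tcp 216.XXX.XXX.23 smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 216.XXX.XX.12 smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 216.XXX.XX.12 smtp access-list Mail1
"""

if __name__ == "__main__":
    for (ifc, proto, ip, port), mapped in find_duplicate_reals(SAMPLE).items():
        print(f"{proto.upper()} {ifc}:{ip}/{port} has {len(mapped)} plain statics: {mapped}")
```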