
Cisco 5510 ASA Multiple static to single Private IP!

Naveed Razaq
Level 1

Hi,

I am using a Cisco ASA 5510 firewall, software version 7.0(2). Licensed features for this platform:
Maximum Physical Interfaces : 4
Maximum VLANs               : 0
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 50

Issue:

I have a Barracuda Spam filter firewall with IP address 192.168.1.2, and port 25 is enabled. This firewall supports multiple domains for spam filtering. Currently I was using a single domain and it works fine for me. Now I need to add one more domain to the same spam filter. Everything is done on the Barracuda side. Now when I add one more entry of a live IP with the same local 192.168.1.2 25, it gives me this error:

us-firewall(config)# static (inside,outside) tcp 216.XXX.XX.12 smtp 192.168.1.2 smtp netmask 255.255.255.255
ERROR: duplicate of existing static
  TCP inside:192.168.1.2/25 to outside:216.XXX.XXX.23/25 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]

What I want:

216.XXX.XXX.23--->192.168.1.2 smtp          (Old entry working fine)

and

216.XXX.XX.12--->192.168.1.2 smtp               (new entry not working)

*** Please note I can't change/add an IP address on the Barracuda spam filter and can't change the port, so I just need two live IPs mapped to the same 192.168.1.2 IP address and port 25.

Solution: ?

1 Reply

Nagaraja Thanthry
Cisco Employee

Hello,

You cannot map multiple public IPs to a single internal IP with a straightforward static statement. You need to configure policy NAT. Please try the following:

access-list Mail1 permit tcp host 192.168.1.2 eq 25 any
access-list Mail2 permit tcp host 192.168.1.2 eq 25 any
static (inside,outside) tcp 216.XXX.XX.12 smtp access-list Mail1
static (inside,outside) tcp 216.XXX.XX.23 smtp access-list Mail2

Then make sure that you have allowed the traffic through the access-lists.

Hope this helps.

Regards,

NT
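
Added example, not part of the original thread and not a Cisco tool: a small Python pre-check for a proposed config in the syntax shown above. It lists which public IP:port each static exposes on which inside host, and flags a plain static that reuses an inside address and port (the condition behind the "duplicate of existing static" error in the question) as well as a policy static whose access-list is not defined. The sample config, the documentation-range addresses and the Mail3 name are constructed, and the port keyword table is only a subset.

```python
import re

# Constructed sample in the pre-8.3 syntax used on this page (documentation addresses).
SAMPLE_CONFIG = """\
access-list Mail1 permit tcp host 192.168.1.2 eq 25 any
access-list Mail2 permit tcp host 192.168.1.2 eq 25 any
static (inside,outside) tcp 203.0.113.12 smtp access-list Mail1
static (inside,outside) tcp 203.0.113.23 smtp access-list Mail2
static (inside,outside) tcp 203.0.113.30 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.31 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.40 smtp access-list Mail3
"""

PORT_NAMES = {"smtp": "25", "www": "80", "https": "443"}  # small subset of ASA port keywords

STATIC_RE = re.compile(
    r"static \((?P<ifs>[^)\s]+)\) (?P<proto>tcp|udp) (?P<mip>\S+) (?P<mport>\S+) "
    r"(?:access-list (?P<acl>\S+)|(?P<rip>\S+) (?P<rport>\S+))")
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) (?:extended )?permit (?:tcp|udp) host (?P<ip>\S+) eq (?P<port>\S+)")

def port(p):
    return PORT_NAMES.get(p, p)

def audit(config):
    """Return (exposures, findings) for the static port redirections in config."""
    lines = [l.strip() for l in config.splitlines()]
    acls = {}
    for m in filter(None, map(ACL_RE.match, lines)):
        # Assumption: the first host/port entry of each ACL names the real endpoint.
        acls.setdefault(m["name"], f'{m["ip"]}:{port(m["port"])}')
    exposures, findings, plain = [], [], {}
    for m in filter(None, map(STATIC_RE.match, lines)):
        mapped = f'{m["mip"]}:{port(m["mport"])}'
        if m["acl"]:  # policy static: the real endpoint comes from the ACL
            if m["acl"] in acls:
                exposures.append((mapped, acls[m["acl"]], "policy " + m["acl"]))
            else:
                findings.append(f'{mapped}: access-list {m["acl"]} is not defined')
            continue
        key = (m["ifs"], m["proto"], f'{m["rip"]}:{port(m["rport"])}')
        if key in plain:  # the condition the ASA rejected in the question
            findings.append(f'{mapped}: duplicate static for {key[2]} (already {plain[key]})')
        else:
            plain[key] = mapped
            exposures.append((mapped, key[2], "static"))
    return exposures, findings

if __name__ == "__main__":
    exposed, problems = audit(SAMPLE_CONFIG)
    for row in exposed:
        print("exposed  %-18s -> %-16s (%s)" % row)
    for p in problems:
        print("finding ", p)
```

Each exposed line is an inbound path that the outside access-list must also permit, which is the follow-up step the reply mentions.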
