Dear all,
The Cisco ASA firewall has been upgraded from version 8.2 to version 9.12 and the configuration done accordingly.
With the new configuration, the services are not working.
Thanks to advise on the solution.
Scenarios are as follows:
- Inbound Mail
- Web Mail
- Web Server
Version 8.2 Configuration:
Inbound ACL:
access-list out_in extended permit tcp any host Mail-Server-Public-IP eq smtp
access-list out_in extended permit tcp any host Web-Mail-Public-IP eq https
access-list out_in extended permit tcp any host Web-Server-Public-IP eq https
Outbound ACL:
access-list in_out extended permit ip y.y.y.y 255.255.255.0 any
NAT:
static (dmz,outside) tcp Mail-Server-Public-IP smtp Mail-Server-IP smtp netmask 255.255.255.255
static (inside,outside) tcp Web-Mail-Public-IP https Web-Mail-IP https netmask 255.255.255.255
static (inside,outside) tcp Web-Server-Public-IP https Web-Server-IP https netmask 255.255.255.255
global (outside) 1 z.z.z.z netmask 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
Version 9.12 Configuration:
Objects:
object network Mail-Server-IP
host a.a.a.a
object network Mail-Server-Public-IP
host b.b.b.b
object network Web-Mail-IP
host c.c.c.c
object network Web-Mail-Public-IP
host d.d.d.d
object network Web-Server-IP
host e.e.e.e
object network Web-Server-Public-IP
host f.f.f.f
object network OBJ-Internet
host x.x.x.x
object service OBJ-TCP-https
service tcp source eq https
Inbound ACL:
access-list out_in extended permit tcp any host Mail-Server-Public-IP eq smtp
access-list out_in extended permit tcp any host Web-Mail-Public-IP eq https
access-list out_in extended permit tcp any host Web-Server-Public-IP eq https
Outbound ACL:
access-list in_out extended permit ip y.y.y.y 255.255.255.0 any
NAT:
nat (dmz,outside) source static Mail-Server-IP Mail-Server-Public-IP
nat (inside,outside) source static Web-Mail-IP Web-Mail-Public-IP service OBJ-TCP-https OBJ-TCP-https
nat (inside,outside) source static Web-Server-IP Web-Server-Public-IP service OBJ-TCP-https OBJ-TCP-https
nat (inside,outside) after-auto source dynamic any OBJ-Internet description PAT
