Cisco ASA outside ACL

a.hajhamad
Level 4

Hello all,

my network is:

Cisco ASA 5510 outside, DMZ1, and inside interfaces.

Mail server real IP is: x.x.x.x/24

Mapped IP: y.y.y.y/27

I have the mail server inside the DMZ1 and I did auto static NAT as follows:

the auto static NAT config:

object network EDGE-SVR-PRIV
 host x.x.x.x
 nat (DMZ1,outside) static y.y.y.y
!
!

the outside interface IP address is y.y.y.z/27

the access list applied at the outside interface is named outside:

access-list outside permit tcp any object EDGE-SVR-PRIV eq smtp

!

my problem is:

I can't access the mail server from the outside by trying (telnet y.y.y.y 25). After many investigations I applied the following command and it works!!!

access-list outside permit tcp any any eq smtp

why is that?

Thanks

4 Replies

zulqurnain
Level 3

Hi,

As a rule of thumb, if you want to let traffic flow from a lower security interface to a higher security interface, i.e. if you want someone from outside to connect to an inside resource, then you need to have an access-list allowing that traffic to flow inside along with your static command.

HTH


lal.antony
Level 1

@a.hajhamad

Hi

I suspect something is misconfigured in the object setup.

The reference below will assist you in identifying the issue.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800d641d.shtml#net

Note: If you just want to refer to an IP address of a Host use NAME rather than the object reference.

Hope this assists. Please rate.

Cheers

Lal Antony

www.lalantony.com

zulqurnain,

the ACL is already applied at the outside interface.

Lal Antony,

I applied the following ACE instead of the object, with the same result:

access-list outside extended permit tcp any host 82.213.59.59 eq smtp

Thanks

Problem is resolved.

In OS 8.3 and 8.4 you have to specify the REAL IP address for the mail server instead of the mapped IP address.

access-list outside permit tcp any host x.x.x.x eq smtp

Thanks
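An added illustration, not config or code from the thread, of why the real-address ACE is the one that matches on 8.3 and later: a small Python model of the ASA inbound packet path, where the static NAT entry un-translates the destination (mapped to real) before the interface ACL is evaluated. It assumes constructed RFC 5737 documentation addresses in place of x.x.x.x and y.y.y.y, a constructed outside client address, and a toy ACE parser that understands only the any / host / object / network-mask address forms; the pre-8.3 branch (ACL matched against the mapped address) is included so the two behaviours can be compared side by side.

```python
"""Model of how a Cisco ASA (8.3 and later) evaluates an inbound interface ACL
when static NAT is in play: the destination is un-translated to the real
address first, so an ACE has to name the real (DMZ) address, not the mapped one.
This is an illustrative model, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the thread's x.x.x.x (real, DMZ1) and y.y.y.y
# (mapped, outside): RFC 5737 documentation addresses, not real hosts.
REAL_MAIL_IP = "192.0.2.10"
MAPPED_MAIL_IP = "203.0.113.10"
OUTSIDE_CLIENT = "198.51.100.7"   # constructed outside client address

# Equivalent of: object network EDGE-SVR-PRIV / host x.x.x.x / nat (DMZ1,outside) static y.y.y.y
STATIC_NAT = {MAPPED_MAIL_IP: REAL_MAIL_IP}   # mapped -> real
OBJECTS = {"EDGE-SVR-PRIV": REAL_MAIL_IP}      # object name -> host address

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any", "host A.B.C.D", "object NAME" or "NET MASK"
    dst: str
    dport: Optional[int]   # None when the ACE has no "eq" clause


def _take_addr(tokens: list) -> str:
    """Pop one address spec (any / host X / object X / NET MASK) off the token list."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    return f"{head} {tokens.pop(0)}"   # host/object/network keyword plus its argument


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    assert tokens[0] == "access-list", "not an access-list line"
    tokens = tokens[2:]                      # drop the keyword and the ACL name
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        dport = int(port) if port.isdigit() else PORT_NAMES.get(port)
    return Ace(action, proto, src, dst, dport)


def _addr_match(spec: str, ip: str) -> bool:
    """Does the address spec from an ACE cover this IP?"""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    if kind == "object":
        return addr == ipaddress.ip_address(OBJECTS[value])
    return addr in ipaddress.ip_network(f"{kind}/{value}", strict=False)   # NET MASK form


def inbound_allowed(acl: list, src_ip: str, dst_ip: str, dport: int,
                    version=(8, 3), proto: str = "tcp") -> bool:
    """Decide whether a packet arriving on the outside interface passes the inbound ACL.

    On 8.3+ the ASA un-translates the destination (mapped -> real) *before*
    checking the interface ACL, so ACEs are matched against the real address.
    Releases before 8.3 matched the ACL against the mapped address instead."""
    lookup_ip = STATIC_NAT.get(dst_ip, dst_ip) if version >= (8, 3) else dst_ip
    for ace in (parse_ace(line) for line in acl):
        if ace.proto not in (proto, "ip"):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if _addr_match(ace.src, src_ip) and _addr_match(ace.dst, lookup_ip):
            return ace.action == "permit"   # first matching ACE decides
    return False   # implicit deny at the end of every ASA ACL


# The ACEs from the thread, rewritten with the constructed addresses.
ACE_MAPPED = f"access-list outside extended permit tcp any host {MAPPED_MAIL_IP} eq smtp"
ACE_REAL = f"access-list outside permit tcp any host {REAL_MAIL_IP} eq smtp"
ACE_OBJECT = "access-list outside permit tcp any object EDGE-SVR-PRIV eq smtp"
ACE_ANY = "access-list outside permit tcp any any eq smtp"


def smtp_reachable(ace: str, version=(8, 3)) -> bool:
    """Can the outside client reach the mapped mail address on tcp/25 under this single ACE?"""
    return inbound_allowed([ace], OUTSIDE_CLIENT, MAPPED_MAIL_IP, 25, version)


if __name__ == "__main__":
    for name, ace in [("mapped", ACE_MAPPED), ("real", ACE_REAL),
                      ("object", ACE_OBJECT), ("any", ACE_ANY)]:
        print(f"{name:7} 8.3+: {str(smtp_reachable(ace)):5}  pre-8.3: {smtp_reachable(ace, (8, 2))}")
```

In this model the `any any eq smtp` workaround from the thread matches tcp/25 to every destination the outside interface can reach, not just the mail server, which is why the narrow ACE on the real address is the one worth keeping.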
