Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1181
Views
0
Helpful
5
Replies

Inbound Static Nat on ASA 8.3

mani.khatra
Level 1
Level 1

‎02-08-2014 04:31 PM - edited ‎03-11-2019 08:43 PM

Hi,

Is it possible to configure a inbound static nat from multible public subnets to 1 internal mail server on an ASA 5510 with

Software Version 8.3(2)34.

Need to allow access  from the public subnets listed below to the internal mail server on port 25.

207.211.31.0/24

207.211.30.0/24

205.139.110.0/24

205.139.111.0/24

Thank You

Labels:
0 Helpful
5 Replies 5

Vasilii Mikhailovskii
Level 7
Level 7

‎02-08-2014 11:12 PM

Hello, Mani.

I would configure static network object NAT (unless you need to limit translation to the external servers only):

object-group network EXTERNAL_MAIL_SERVERS

network-object 207.211.30.0 255.255.254.0

network-object 205.139.110.0 255.255.254.0

object network INTERNAL_MAIL_SERVER

host 10.0.0.100

nat (inside, outside) static interface service tcp 25 25

access-list OUTSIDE_IN extended permit tcp object-group EXTERNAL_MAIL_SERVERS object INTERNAL_MAIL_SERVER eq 25

0 Helpful

mani.khatra
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎02-09-2014 10:17 AM

Thank you for the reply.

The external mail servers will need to forward to 154.11.11.30 a IP address in the firewall subnet range and then forwarded to 10.0.0.100. I will need to translate out bound mail to 154.11.11.30 and then out to the internet.

OutSide                                                     Firewall                      Mailserver inside

207.211.30.0 255.255.254.0     >         154.11.11.30       >           10.0.0.100

205.139.110.0 255.255.254.0              

Thank You

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to mani.khatra

‎02-09-2014 10:22 PM

Hello.

If the IP-address (154.11.11.30) is the one that provider assigned you, then:

  • if the IP-address is assign on public ASA interface, then use configuration from my last post;
  • if it's not assigned to ASA's interface, but within public IP-range provider has assigned you, then adjust my last configuration with

object network INTERNAL_MAIL_SERVER

host 10.0.0.100

nat (inside, outside) static 154.11.11.30 service tcp 25 25

0 Helpful

mani.khatra
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎02-10-2014 11:57 AM

Once Again Thank You. I will be trying the config below provided by you. One question, is it possible to do this config in a manual nat?

object-group network EXTERNAL_MAIL_SERVERS

network-object 207.211.30.0 255.255.254.0

network-object 205.139.110.0 255.255.254.0

object network INTERNAL_MAIL_SERVER

host 10.0.0.100

nat (inside, outside) static 154.11.11.30 service tcp 25 25

access-list OUTSIDE_IN extended permit tcp object-group EXTERNAL_MAIL_SERVERS object INTERNAL_MAIL_SERVER eq 25

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to mani.khatra

‎02-11-2014 12:32 AM

Hello.

One question, is it possible to do this config in a manual nat?

Not sure what did you mean as "manual nat".

If you are talking about ASDM, then, sorry, I've never used it to configure ASA (only to monitor).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card