05-20-2014 01:01 PM - edited 03-11-2019 09:13 PM
Hi, I have a test mail server I want to access from the internet and I'm trying to configure NAT. I just have 2 VLANs, inside and outside, and I want to use the IP address of the outside interface, but the ASDM config is confusing; please see the attached image. I just need help with what options to put where. It is so much easier on the older version of ASDM.
05-20-2014 01:43 PM
It's actually easier to start with defining your mail server as an object and, when you do that, configure the optional NAT section and advanced settings specifying the interfaces. Once you've applied that bit, then go in and create (or add an entry to) the access-list and make it active on the outside interface (for incoming traffic).
I've used the ASDM demo version to show you (images below) what that looks like. It translates into commands delivered to the device as follows (your addresses will change, obviously):
object network Mail_server
 host 10.10.10.10
 description SMTP server
 nat (inside,outside) static 192.168.2.100
access-list outside_access_in extended permit tcp any object Mail_server eq smtp
access-group outside_access_in in interface outside
05-20-2014 02:02 PM
Hi Marvin, I tried this config and still no access from the outside. Keep in mind I am using the same IP address of the outside interface.
05-20-2014 02:22 PM
When traffic isn't flowing as we want it to, a handy tool is the packet-tracer. You can use it from the GUI, but it's quicker and in most cases easier to convey from the CLI. If you could please run the following and share the output:
packet-tracer input outside tcp 8.8.8.8 1024 <your outside address> 25
That will analyze the flow of a hypothetical packet from the internet (8.8.8.8 = Google DNS server used here - you can use any public IP address) coming into your ASA on tcp/25 (smtp).