12-08-2015 11:20 PM - edited 03-12-2019 12:01 AM
Hello,
We have one Exchange server and one Web server in our demo lab. From our provider we got a block of public IP addresses.
I want to use one public IP for NAT for both servers.
The Exchange server has 172.18.220.10
The Web server has 172.18.220.11
Both are NATed to public IP x.x.x.83 (inside to outside). This IP is not the outside IP of the ASA.
From outside, HTTP/HTTPS for the Web server and SMTP for Exchange are open.
I get the following message on my ASA if the NAT rule is active: "Deny IP due to Land Attack from x.x.x.83 to x.x.x.83"
See my NAT configuration below.
object network GSCMUC-Exch-WebSrv
 range 172.18.220.10 172.18.220.11
object-group service DM_INLINE_TCP_16 tcp
 port-object eq 587
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any object GSCMUC-Exch-WebSrv object-group DM_INLINE_TCP_16
object network GSCMUC-Exch-WebSrv
 nat (DMZ-VLAN1820,outside) static x.x.x.83 net-to-net
I don't know if the configuration is correct. Any idea?
Regards
Matthias
12-08-2015 11:44 PM
Hi Matthias,
As per my understanding, you have one outside IP and multiple inside IPs, and you would like to translate using the ports. Please correct me if my understanding of the issue is wrong.
You can configure the NAT like below.
object network GSCMUC-Exch-WebSrv
 host 172.18.220.10
 nat (lan,outside) static x.x.x.83 service tcp 80 www
object network GSCMUC-Exch-WebSrv-https
 host 172.18.220.10
 nat (lan,outside) static x.x.x.83 service tcp 443 443
object network GSCMUC-Exch-smtp
 host 172.18.220.11
 nat (lan,outside) static x.x.x.83 service tcp 25 25
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
12-09-2015 12:16 AM
Hi Shivapramod,
Thanks for answering so quickly. I changed the configuration and it looks good.
I think so, because I get no messages about "Deny IP due to Land Attack from x.x.x.83 to x.x.x.83"
Thanks for your help. :)
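Added example, not part of any post in this thread: a small Python check that parses ASA object NAT text, reports a static rule without a `service` clause on an object holding several hosts (the shape of the rule in the question) or two rules forwarding the same mapped address and port, and builds the resulting port-forwarding table. The function names and the three-entry port-keyword map are assumptions of this example; the two sample configurations are the ones posted above.

```python
import ipaddress

PORT_NAMES = {"www": "80", "https": "443", "smtp": "25"}  # ASA port keywords used in the thread

def parse_object_nat(config):
    """Collect real addresses and static NAT rules per 'object network' block."""
    objects, cur = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["object", "network"] and len(words) == 3:
            cur = objects.setdefault(words[2], {"real": [], "nat": []})
        elif cur is not None and words[:1] in (["host"], ["range"]):
            # 'host A' is treated as the one-address range A..A
            lo, hi = (ipaddress.ip_address(w) for w in (words[1], words[-1]))
            cur["real"] = [str(lo + n) for n in range(int(hi) - int(lo) + 1)]
        elif cur is not None and words[:1] == ["nat"] and "static" in words:
            rule = {"mapped": words[words.index("static") + 1], "proto": None, "port": None}
            if "service" in words:  # service <proto> <real_port> <mapped_port>
                proto, _real, mapped_port = words[words.index("service") + 1:][:3]
                rule.update(proto=proto, port=PORT_NAMES.get(mapped_port, mapped_port))
            cur["nat"].append(rule)
        elif words:
            cur = None  # any other command ends the current object block
    return objects

def review(objects):
    """Return (findings, {(mapped_ip, proto, mapped_port): real_host})."""
    findings, table = [], {}
    for name, obj in objects.items():
        for rule in obj["nat"]:
            key = (rule["mapped"], rule["proto"], rule["port"])
            if rule["port"] is None and len(obj["real"]) > 1:
                findings.append(f"{name}: static NAT of {len(obj['real'])} hosts without a service clause")
            elif key in table:
                findings.append(f"{name}: {key} is already forwarded to {table[key]}")
            elif rule["port"] is not None and obj["real"]:
                table[key] = obj["real"][0]
    return findings, table

# Configurations as posted in the thread (x.x.x.83 is the thread's own redaction).
QUESTION_CFG = """object network GSCMUC-Exch-WebSrv
 range 172.18.220.10 172.18.220.11
 nat (DMZ-VLAN1820,outside) static x.x.x.83 net-to-net"""
ANSWER_CFG = """object network GSCMUC-Exch-WebSrv
 host 172.18.220.10
 nat (lan,outside) static x.x.x.83 service tcp 80 www
object network GSCMUC-Exch-WebSrv-https
 host 172.18.220.10
 nat (lan,outside) static x.x.x.83 service tcp 443 443
object network GSCMUC-Exch-smtp
 host 172.18.220.11
 nat (lan,outside) static x.x.x.83 service tcp 25 25"""
```

For the answer's configuration as posted, `review(parse_object_nat(ANSWER_CFG))` returns no findings and a table that sends ports 80 and 443 to 172.18.220.10 and port 25 to 172.18.220.11. Compare that table with the server addresses and interface name given in the question before applying it.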