
nat public ip(Email ip) to private ip

nwdiagram.JPG

I would appreciate it if anyone could help.

I need to NAT SMTP and POP3 IPs to my intranet IPs and allow the traffic, so whoever comes via MPLS must be able to communicate those IPs with intranet IPs.

for example my mpls network is 194.1.0.0/255.255.0.0

my intranet ips are 196.1.0.0/255.255.0.0

intranet people can access the mails via public ip there is no issue.

my challenge is only with users in mpls.

now the requirement is to nat the mail server ips to private intranet ip and allow the traffic to mpls users.

I am new to firewall.

Regards

Thanveer       


varrao
Level 10

Hi Muhammad,

Can you please share your configuration? It would be easier to have a look and suggest what can be done. You can sanitize the IPs if you want.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Please find the config


ASA Version 8.0(4)
!
hostname FIREWALL
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 193.168.112.0 duvvur description 193.168.112.0
name 193.168.114.0 KAJIPATHA description 193.168.114.0
name 193.168.110.0 Tanguturu
name 193.169.106.0 Chalakudy description 193.169.106.0
name 193.168.101.0 DakshinKannara description 193.168.101.0
name 117.293.49.141 VOIP_SITE description VOIP
!
interface Ethernet0/0
description ### connecting to Internet Vendor BSNL ####
nameif outside
security-level 0
ip address 117.293.49.130 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
description ### connecting to MPLS link ####
nameif MPLS
security-level 100
ip address 10.225.163.165 255.255.255.252
ospf cost 10
!
interface Ethernet0/2
description ### connecting to Inside Network ####
nameif inside
security-level 100
ip address 193.169.200.4 255.255.255.240
ospf cost 10
!
interface Ethernet0/3
description ******Connected to Internet Vendor Reliance********
nameif ISP-2
security-level 0
ip address 115.150.254.251 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 193.169.1.5 255.255.255.0
ospf cost 10
management-only
!
banner login *************************************
banner login * WELCOM TO XXXX CORPORATE OFFICE*
banner login *************************************
banner motd *************************************
banner motd *Access for authorized personal only*
banner motd *************************************
banner motd WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored  if unauthorized usage is suspected.
banner asdm *************************************
banner asdm *Access for authorized personal only*
banner asdm *************************************
ftp mode passive
clock timezone IST 5 30
same-security-traffic permit inter-interface
object-group service WEB_SERVICES1
service-object tcp eq www
service-object tcp eq https
object-group network DM_INLINE_NETWORK_1
network-object DakshinKannara 255.255.255.0
network-object 193.169.114.0 255.255.255.0
network-object duvvur 255.255.255.0
network-object KAJIPATHA 255.255.255.0
network-object 193.169.111.0 255.255.255.0
network-object Tanguturu 255.255.255.0
network-object 193.169.107.0 255.255.255.0
network-object Chalakudy 255.255.255.0
network-object 193.169.115.0 255.255.255.0
network-object 193.169.117.0 255.255.255.0
network-object 193.169.116.0 255.255.255.0
network-object 193.169.108.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VOIP-GROUP
description FOR XXXX SITE OFFICE
service-object ip
service-object tcp-udp eq sip
service-object tcp-udp source range 8000 9000 range 16384 32767
service-object tcp-udp eq talk
service-object tcp eq h323
object-group service VOIP tcp-udp
description VOIP SITE
port-object range 16384 32767
port-object eq sip
port-object eq talk
object-group service DM_INLINE_SERVICE_1
group-object WEB_SERVICES1
service-object tcp-udp eq 8080
object-group service mfarvision tcp-udp
description port for mfarvision
port-object eq 8080
object-group service Biometric tcp
description Port for Biometric finger access device
port-object eq 11000
object-group service DM_INLINE_TCP_1 tcp
group-object Biometric
port-object eq www
access-list InsidetoOutside extended permit ip any any
access-list InsidetoOutside extended permit ip 193.169.0.0 255.255.0.0 any
access-list InsidetoOutside extended deny ip any any
access-list acl_out extended deny ip host 67.21.84.165 any
access-list acl_out extended permit object-group WEB_SERVICES1 any host 117.293.49.133
access-list acl_out extended permit ip any host 117.293.49.132
access-list acl_out extended permit ip any host 117.293.49.134
access-list acl_out extended permit ip any host 117.293.49.135
access-list acl_out extended permit ip any host 117.293.49.136
access-list acl_out extended permit ip any host 117.293.49.137
access-list acl_out extended permit ip 172.30.2.0 255.255.255.0 193.169.50.0 255.255.255.0
access-list acl_out extended permit icmp 172.30.2.0 255.255.255.0 193.169.50.0 255.255.255.0
access-list acl_out extended permit tcp 172.30.2.0 255.255.255.0 193.169.50.0 255.255.255.0
access-list acl_out remark For Command Center VC
access-list acl_out extended permit ip any host 117.293.49.131
access-list acl_out extended permit ip any any inactive
access-list acl_out remark Biometric
access-list acl_out extended permit tcp any host 117.293.49.142 object-group DM_INLINE_TCP_1
access-list acl_out extended permit object-group TCPUDP any host VOIP_SITE range 12000 29999
access-list acl_out extended permit object-group TCPUDP any host VOIP_SITE range 8000 9000
access-list acl_out extended permit udp any host VOIP_SITE eq sip
access-list acl_out extended permit object-group DM_INLINE_SERVICE_1 any host 117.293.49.138
access-list acl_out extended deny ip any any
access-list MPLS_access_in extended permit ip any any
access-list MPLS_access_in extended permit icmp any any
access-list MPLS_access_in extended permit tcp any any
access-list MPLS_access_in extended permit udp any any
access-list MPLS_access_in extended permit object-group TCPUDP any host 193.169.5.6 eq sip
access-list inside_nat0_outbound extended permit ip 193.169.50.0 255.255.255.0 172.30.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 193.169.50.0 255.255.255.0 172.30.2.0 255.255.255.0
access-list MPLS_RTR_access_in extended permit ip any any
access-list MPLS_RTR_access_in extended permit icmp any any
access-list MPLS_RTR_access_in extended permit tcp any any
access-list mpls extended permit tcp any any
access-list acl_mpls extended permit ip DakshinKannara 255.255.255.0 193.169.50.0 255.255.255.0
access-list MPLS_nat0_outbound extended permit ip any 193.169.13.192 255.255.255.192
access-list InsidetoISP-2 extended permit tcp any any
access-list InsidetoISP-2 extended permit icmp any any
access-list InsidetoISP-2 extended permit ip any any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit object-group WEB_SERVICES1 any any
access-list ISP-2_access_in remark ERP Farvision
access-list ISP-2_access_in extended permit object-group WEB_SERVICES1 any host 115.150.254.251
access-list ISP-2_access_in remark EDMS Application Access
access-list ISP-2_access_in extended permit object-group WEB_SERVICES1 any host 115.150.254.254
pager lines 24
logging enable
logging asdm alerts
mtu outside 1500
mtu MPLS 1500
mtu inside 1500
mtu ISP-2 1500
mtu management 1500
ip local pool test 193.169.13.200-193.169.13.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any MPLS
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (MPLS) 1 interface
global (ISP-2) 1 interface
nat (MPLS) 0 access-list MPLS_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 193.169.11.70 255.255.255.255
nat (inside) 1 193.169.2.0 255.255.255.0
nat (inside) 1 193.169.12.0 255.255.255.0
nat (inside) 1 193.169.13.0 255.255.255.0
nat (inside) 1 193.169.22.0 255.255.255.0
nat (inside) 1 193.169.50.0 255.255.255.0
nat (inside) 1 193.169.60.0 255.255.255.0
nat (inside) 1 193.169.90.0 255.255.255.0
nat (inside) 1 193.169.100.0 255.255.255.0
static (inside,outside) VOIP_SITE 193.169.5.6 netmask 255.255.255.255
static (inside,outside) 117.293.49.132 193.169.22.253 netmask 255.255.255.255
static (inside,outside) 117.293.49.134 193.169.12.254 netmask 255.255.255.255
static (inside,outside) 117.293.49.135 193.169.12.253 netmask 255.255.255.255
static (inside,outside) 117.293.49.137 193.169.2.253 netmask 255.255.255.255
static (inside,outside) 117.293.49.136 193.169.2.254 netmask 255.255.255.255
static (inside,outside) 117.293.49.131 193.169.22.254 netmask 255.255.255.255
static (inside,outside) 117.293.49.142 193.169.22.6 netmask 255.255.255.255
static (inside,outside) 117.293.49.133 193.169.50.48 netmask 255.255.255.255
static (inside,ISP-2) 115.150.254.251 193.169.50.48 netmask 255.255.255.255
static (inside,ISP-2) 115.150.254.254 193.169.22.19 netmask 255.255.255.255
access-group acl_out in interface outside
access-group MPLS_access_in in interface MPLS
access-group InsidetoOutside in interface inside
access-group ISP-2_access_in in interface ISP-2
route ISP-2 0.0.0.0 0.0.0.0 115.150.254.249 1 track 1
route outside 0.0.0.0 0.0.0.0 117.293.49.129 254
route MPLS 10.224.163.0 255.255.255.0 10.224.163.166 1
route inside 193.169.0.0 255.255.0.0 193.169.200.1 1
route inside 193.169.2.0 255.255.255.0 193.169.200.1 1
route inside 193.169.5.0 255.255.255.0 193.169.200.1 1
route inside 193.169.11.0 255.255.255.0 193.169.200.1 1
route inside 193.169.12.0 255.255.255.0 193.169.200.1 1
route inside 193.169.13.0 255.255.255.0 193.169.200.1 1
route inside 193.169.22.0 255.255.255.0 193.169.200.1 1
route inside 193.169.32.0 255.255.255.0 193.169.200.1 1
route inside 193.169.33.0 255.255.255.0 193.169.200.1 1
route inside 193.169.50.0 255.255.255.0 193.169.200.1 1
route inside 193.169.60.0 255.255.255.0 193.169.200.1 1
route inside 193.169.90.0 255.255.255.0 193.169.200.1 1
route inside 193.169.100.0 255.255.255.0 193.169.200.1 1
route MPLS DakshinKannara 255.255.255.0 10.224.163.166 1
route MPLS Chalakudy 255.255.255.0 10.224.163.166 1
route MPLS 193.169.107.0 255.255.255.0 10.224.163.166 1
route MPLS 193.169.108.0 255.255.255.0 10.224.163.166 1
route MPLS Tanguturu 255.255.255.0 10.224.163.166 1
route MPLS 193.169.111.0 255.255.255.0 10.224.163.166 1
route MPLS KAJIPATHA 255.255.255.0 10.224.163.166 1
route MPLS duvvur 255.255.255.0 10.224.163.166 1
route MPLS 193.169.114.0 255.255.255.0 10.224.163.166 1
route MPLS 193.169.115.0 255.255.255.0 10.224.163.166 1
route MPLS 193.169.116.0 255.255.255.0 10.224.163.166 1
route MPLS 193.169.117.0 255.255.255.0 10.224.163.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TEST protocol radius
aaa-server TEST (inside) host 193.169.50.34
key venkatramu
radius-common-pw venkatramu
http server enable
http 193.169.0.0 255.255.0.0 inside
snmp-server host inside 193.169.22.232 community public
snmp-server location 193.169.22.232
snmp-server contact administrator
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 115.150.254.109 interface ISP-2
  frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 61.246.62.25
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=FIREWALL
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=FIREWALL
keypair my.CA.key
crl configure
crypto ca server
shutdown
smtp from-address admin@FIREWALL.default.domain.invalid
crypto ca certificate chain ASDM_TrustPoint1
certificate 523f084f
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet 193.169.0.0 255.255.0.0 inside
telnet timeout 30
ssh 193.169.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
enable inside
svc enable
tunnel-group-list enable
group-policy Test internal
group-policy Test attributes
dns-server value 193.169.50.31
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec svc webvpn
username test password XXXXXXX encrypted privilege 0
username test attributes
vpn-group-policy Test
webvpn
  svc ask enable default webvpn timeout 35
username XXXXADMIN password XXXXXXX.siM encrypted
username cisco password XXXXXXX encrypted privilege 15
tunnel-group 61.246.62.25 type ipsec-l2l
tunnel-group 61.246.62.25 ipsec-attributes
  pre-shared-key *
tunnel-group MyAnyconnectVPN type remote-access
tunnel-group MyAnyconnectVPN webvpn-attributes
group-alias XXXX enable
!
class-map SIP_CLASS
match rtp 2000 14383
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
description VOIP
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
   inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
class class_sip_tcp
  inspect sip 
class SIP_CLASS
  inspect sip 
policy-map type inspect sip SIP_VOIP
description For SIP PRotocal
parameters
  max-forwards-validation action drop log
match called-party regex _default_GoToMyPC-tunnel
  drop log
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fa8bcd2ba99d0f7498ba7ed8ad3caef8
: end

FIREWALL#

Regards

Thanveer

Any Hint

Regards

Thanveer

Hi Tanveer,

Your diagram and your requirement are still not clear. Please correct me if my understanding is wrong.

You have the inside network, users via the MPLS network, and Outside (Internet) on your firewall. Do you want to NAT the MPLS subnet to go to the internet for accessing the mail servers?

Please clarify us so that we can look and suggest to help you in this.

By

Karthik

Yes Karthik.

Your understanding is exactly correct.

Regards

Thanveer

Hi Muhammad,

If you just want to give the MPLS users access to internet, then you might have to just add this:

nat (MPLS) 1 0.0.0.0 0.0.0.0

Instead of all zero's you can also just specify the networks in MPLS network that need the access.

Hope that helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Hi Tanveer,

If that is the case you can have the NAT specified for MPLS interface for internet Access.

NAT(MPLS) 1

GLOBAL(OUTSIDE) 1 & ISP2 rules are already in place. So that will make this work....

I guess I still need more clarifications from you. But just let me know if there is anything specific you are looking for.

Please do rate if the given information helps.

By

Karthik

Dear Karthikeyan and Varun

first of all thank you for your cooperation.

I will explain you the actual scenario,

My MPLS vendor will not allow any IP other than the 10.224.163.0 and 193.168.0.0 range. Now when I try to trace the IP of the public domain, it gets stuck at the first hop, i.e., the MPLS user router.

Now, for example, the POP3 server IP is 124.7.36.110; then the firewall should NAT the same to 193.168.14.1 (this IP and its series are nowhere published in my network) and send the request to the original mail server IP, and then when the request comes back to the firewall, it should be able to send it to MPLS users stating that the requested service has come from IP 193.168.14.1.

Thanks in Advance.

Regards

Thanveer

Any help dear.

Regards

Thanveer

Dear Friends,

However, I have done NATting for my Exchange IP at one of my MPLS routers, which is connected to my firewall interface.

Please find the config as below in Router and Firewall Respectively.

In router_MPLS

interface FastEthernet0/0

description *****Connected to ASA Firewall*****

ip address 10.225.163.166 255.255.255.252

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description *****MPLS LINK FROM RELIANCE ****$ES_LAN$

ip address 10.224.163.137 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

ip nat inside source static 124.7.36.110 192.169.14.1

ip route 124.7.36.110 255.255.255.255 10.225.163.165

In firewall

nat (mpls) 1 MPLS Interfaces example:-

nat (mpls) 1 192.168.113.0

nat (mpls) 1 192.168.114.0

nat (mpls) 1 192.168.101.0

nat (mpls) 1 192.168.106.0

nat (mpls) 1 192.168.108.0

nat (mpls) 1 192.168.110.0

nat (mpls) 1 192.168.111.0

nat (mpls) 1 192.168.107.0

nat (MPLS) 0 access-list MPLS_nat0_outbound

access-list MPLS_nat0_outbound extended permit ip any 193.169.13.192 255.255.255.192

access-list MPLS_nat0_outbound extended permit ip any 192.169.0.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any any

If I add the below command I am able to successfully telnet to my Exchange on the SMTP and POP3 ports, but I am unable to get access to my proxy server, which is in my intranet.

access-list MPLS_nat0_outbound extended permit tcp any any

Request you to help in this Please

Regards

Thanveer

Hi folks,

At last I have done it by natting MPLS_nat0_outbound adding inside interfaces allow policy.

no nat (MPLS) 0 access-list MPLS_nat0_outbound (old Nat rule removed)

no access-list MPLS_nat0_outbound extended permit ip any 193.169.13.192 255.255.255.192

(Old access-list removed)

Configuration of the commands with necessary rules.

access-list MPLS_nat0_outbound extended permit ip any 193.169.13.0 255.255.255.192

access-list MPLS_nat0_outbound extended permit ip any 193.169.11.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.5.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.12.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.22.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.32.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.33.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.50.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.60.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.90.0 255.255.255.0

access-list MPLS_nat0_outbound extended permit ip any 193.169.100.0 255.255.255.0

Re Nat the Access list

nat (MPLS) 0 access-list MPLS_nat0_outbound (Natted back the access list)

Allowing the Internet traffic for mails

nat (mpls) 1 192.168.113.0

nat (mpls) 1 192.168.114.0

nat (mpls) 1 192.168.101.0

nat (mpls) 1 192.168.106.0

nat (mpls) 1 192.168.108.0

nat (mpls) 1 192.168.110.0

nat (mpls) 1 192.168.111.0

nat (mpls) 1 192.168.107.0

Configuration done in MPLS router:

interface FastEthernet0/0

description *****Connected to ASA Firewall*****

ip address 10.224.x.x 255.255.255.252

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description *****MPLS LINK FROM RELIANCE ****$ES_LAN$

ip address 10.224.x.x 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

ip route mailip 255.255.255.255 firewall interface ip

ip nat inside source static public ip internal ip

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."
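
Added example, not part of the thread and not Cisco tooling: a small Python model of how a pre-8.3 ASA chooses between the `nat (MPLS) 0 access-list` exemption and the `nat (mpls) 1` dynamic rules for a flow arriving on the MPLS interface. It shows why the per-subnet `MPLS_nat0_outbound` entries from the last post leave mail traffic to 124.7.36.110 on the dynamic rule, while a `permit ip any any` entry in that ACL exempts it from translation as well. The /24 default mask, the host 192.168.113.10 and all function names are assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_net(tok):
    """Consume one ACL address spec (any | host A | A MASK) from a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(config):
    """Collect 'permit ip' ACL entries and nat rules from pre-8.3 ASA syntax."""
    acls, exempt, dynamic = {}, {}, {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_net(tok[5:])
            dst, _ = _take_net(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and len(tok) >= 4:
            iface = tok[1].strip("()").lower()  # the thread mixes (MPLS) and (mpls)
            if tok[2] == "0" and tok[3] == "access-list":
                exempt[iface] = tok[4]
            else:
                # Assumption: a nat line posted without a mask means a /24.
                mask = tok[4] if len(tok) > 4 else "255.255.255.0"
                net = ipaddress.ip_network(f"{tok[3]}/{mask}", strict=False)
                dynamic.setdefault(iface, []).append((tok[2], net))
    return acls, exempt, dynamic

def nat_decision(config, iface, src, dst):
    """Return 'exempt', 'dynamic:<id>' or 'none' for one flow entering iface."""
    acls, exempt, dynamic = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = iface.lower()
    # NAT exemption (nat 0 access-list) is evaluated before dynamic nat rules.
    for a_src, a_dst in acls.get(exempt.get(iface), []):
        if s in a_src and d in a_dst:
            return "exempt"
    for nat_id, net in dynamic.get(iface, []):
        if s in net:
            return f"dynamic:{nat_id}"
    return "none"

# Constructed from lines in the thread: a subset of the working rules ...
FINAL = """
nat (MPLS) 0 access-list MPLS_nat0_outbound
access-list MPLS_nat0_outbound extended permit ip any 193.169.13.0 255.255.255.192
access-list MPLS_nat0_outbound extended permit ip any 193.169.50.0 255.255.255.0
nat (mpls) 1 192.168.113.0
nat (mpls) 1 192.168.114.0
"""
# ... and the earlier attempt, whose exemption ACL also had "permit ip any any".
BROAD = FINAL + "access-list MPLS_nat0_outbound extended permit ip any any\n"

if __name__ == "__main__":
    user = "192.168.113.10"  # constructed host in one of the MPLS subnets
    for label, cfg in (("final", FINAL), ("broad", BROAD)):
        for dst in ("193.169.50.48", "124.7.36.110"):
            print(label, dst, nat_decision(cfg, "MPLS", user, dst))
```
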
