Alfred
Beginner

NAT translation

I have a DGway of 31.210.99.10/27 and I want to translate the IP address 192.168.xx.xx (internal IP, SNMP) to 31.210.99.xx/27.

I used these commands:

static (inside,outside) 31.210.99.xx 192.168.xx.xx netmask 255.255.255.255

access-list 101 permit tcp any host 31.210.99.xx eq 25

access-group 101 in interface outside

And this is not working. Can someone help?

19 Replies
Julio Carvajal
Advisor

Hello Alfred,

Configuration looks good.

Let's start with a packet-tracer:

packet-tracer input outside tcp 4.2.2.2  1025 31.210.99.xx 25

Let us know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

You are using the wrong port number: SNMP works on port 161, and you are giving the SMTP port number, i.e. 25.

static (inside,outside) 31.210.99.xx 192.168.xx.xx netmask 255.255.255.255

access-list 101 permit udp any host 31.210.99.xx eq 161

access-group 101 in interface outside

Please check and reply.

Alfred
Beginner

Saurabh,

I meant SMTP (port 25). The thing is, I cannot even ping 192.168.xx.xx before and after the NAT rule was applied. I went to this web site to test connectivity, https://www.wormly.com/test_smtp_server, and nothing happened. I don't know why.

Is there anything missing here? Help please!

From where are you trying to ping the 192.168.x.x IP address? If you want to test the setting, please telnet from your machine to the public IP, for example:

telnet Public_IP 25

If it is successful, it means your configuration is working fine.

Show the status...

Which IOS are you using on the firewall?

Check and let me know.

The IOS image used is 8.2(3) and ASDM 6.

Saurabh Goel,

No access to the device at the moment; I will let you know about the packet tracer. The thing is, I cannot ping the SMTP server from the firewall even before the translation.

Hello Alfred,

Your SMTP server should be reachable from the firewall. You need to check the route for the SMTP server and share the traceroute result to the SMTP server from the firewall. It might help you to check the reachability of the server.

Saurabh,

Here is the packet tracer:

ASA(config)# packet-tracer input outside tcp 4.2.2.2  1025 31.xxx.9$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

This is what was added:

static (inside,outside) 38.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255

access-list 101 permit tcp any host 38.xx.xx.xx eq 25

access-group 101 in interface outside
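On ASA 8.2 (the release named in this thread) an ACL applied inbound on the outside interface has to permit the mapped (global) address of the static, because the ACL is evaluated before the un-NAT; from 8.3 onwards it would be the real address instead. The slips that make such a setup fail silently are a misspelled keyword, an address with a dropped dot, an ACL that names an address no static translates, or a packet-tracer run against an address other than the one in the static. The small linter below is an added example, not code from this thread or from Cisco; its regexes cover only the 8.2 command shapes shown in the thread (static with netmask, a permit with `any`/`host` source and `host` destination, and access-group), and all addresses in its two constructed samples are RFC 5737 documentation placeholders rather than the poster's real ones.

```python
import ipaddress
import re

# Constructed sample in the shape of the commands posted in this thread.
# Addresses are documentation placeholders (RFC 5737), not the poster's real ones.
GOOD_CONFIG = """\
static (inside,outside) 203.0.113.18 192.168.98.35 netmask 255.255.255.255
access-list 101 permit tcp any host 203.0.113.18 eq 25
access-group 101 in interface outside
"""

# Constructed sample with two typical slips: a misspelled keyword ("metmask")
# and a dropped dot in the ACL host address.
BROKEN_CONFIG = """\
static (inside,outside) 203.0.113.18 192.168.98.35 metmask 255.255.255.255
access-list 101 permit tcp any host 203.0113.18 eq 25
access-group 101 in interface outside
"""

# Only the pre-8.3 syntax used in this thread is recognised.
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\w+)\s+"
    r"(any|host\s+\S+)\s+host\s+(\S+)\s+eq\s+(\S+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\w+)$")


def _valid_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def lint_static_nat(config, traced_dst=None):
    """Check that a pre-8.3 static NAT, its ACL and the access-group fit together.

    Returns a list of problem strings; an empty list means nothing was found.
    `traced_dst` is the destination given to packet-tracer, if one was run.
    """
    problems = []
    statics = []        # (mapped_interface, global_ip, local_ip)
    acl_entries = {}    # acl name -> [(proto, dst_host, port)]
    applied = {}        # acl name -> interface it is applied on

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("static"):
            m = STATIC_RE.match(line)
            if not m:
                problems.append(f"line {lineno}: static not parseable (keyword misspelled? expected 'netmask')")
                continue
            _real_if, mapped_if, global_ip, local_ip, mask = m.groups()
            for addr in (global_ip, local_ip, mask):
                if not _valid_ipv4(addr):
                    problems.append(f"line {lineno}: '{addr}' is not a valid IPv4 address")
            statics.append((mapped_if, global_ip, local_ip))
        elif line.startswith("access-list"):
            m = ACL_RE.match(line)
            if not m:
                problems.append(f"line {lineno}: access-list not parseable")
                continue
            name, proto, _src, dst, port = m.groups()
            if not _valid_ipv4(dst):
                problems.append(f"line {lineno}: ACL host '{dst}' is not a valid IPv4 address")
            acl_entries.setdefault(name, []).append((proto, dst, port))
        elif line.startswith("access-group"):
            m = GROUP_RE.match(line)
            if not m:
                problems.append(f"line {lineno}: access-group not parseable")
                continue
            applied[m.group(1)] = m.group(2)

    # Cross-checks: on 8.2 the outside ACL must name the global (mapped) address,
    # and an ACL that is never applied filters nothing.
    global_ips = {g for _, g, _ in statics}
    mapped_ifs = {i for i, _, _ in statics}
    for name, entries in acl_entries.items():
        if name not in applied:
            problems.append(f"access-list {name} is never applied with access-group")
        for _proto, dst, _port in entries:
            if dst not in global_ips:
                problems.append(f"access-list {name} permits host {dst}, which is not the global address of any static")
    for name, iface in applied.items():
        if name not in acl_entries:
            problems.append(f"access-group applies access-list {name}, which has no entries")
        elif statics and iface not in mapped_ifs:
            problems.append(f"access-list {name} is applied on {iface}, but no static maps onto that interface")
    if traced_dst is not None and traced_dst not in global_ips:
        problems.append(f"packet-tracer destination {traced_dst} is not a translated global address, so the ACL cannot match it")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_static_nat(cfg) or "OK")
```

Running it prints `OK` for the first sample and three findings for the second: the unparseable static, the malformed ACL host, and (as a consequence of the first) an ACL host that no static translates. Passing `traced_dst` lets you confirm before running packet-tracer that the destination you are about to test is actually one the firewall translates.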

Hello, to be on the safe side I deleted the rule and added it again, and I carried out the packet tracer. The result:

ASA-1# packet-tracer input outside tcp 4.2.2.2  1025 31.xx.xx.xx 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx  192.168.xx.xx netmask 255.255.255.255
  match ip inside host 192.168.98.35 outside any
    static translation to 31.210.233.69
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 31.xx.xx.xx /0 to 192.168.xx.xx/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit tcp any host 38.xx.xx.xx.xx eq smtp
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx  192.168.xx.xx netmask 255.255.255.255
  match ip inside host 192.168.xx.xx outside any
    static translation to 31.xx.xx.xx
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx  192.168.xx.xx netmask 255.255.255.255
  match ip inside host 192.168.98.35 outside any
    static translation to 31.xx.xx.xx
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 96282, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
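The two packet-tracer runs above differ in where they end: the first stops at an ACCESS-LIST phase whose Config is `Implicit Rule` with `Result: DROP`, which means no explicit entry of the applied ACL matched the traced flow and the implicit deny fired; the second reaches UN-NAT, the ACL, inspection and FLOW-CREATION and ends in `Action: allow`. When you have to read many of these (or compare before/after outputs), a small parser that splits the text into phases and reports the first DROP saves time. The script below is an added example, not something from this thread or from Cisco; the embedded sample is a constructed trace in the shape of the first (dropped) run with a placeholder destination address, and the parser assumes only the `Phase:` / `Type:` / `Subtype:` / `Result:` / `Config:` / `Additional Information:` layout visible above.

```python
import re

# Constructed sample in the shape of the first packet-tracer output in this
# thread (the run that ended in a drop); the destination is a placeholder.
SAMPLE_TRACE = """\
ASA# packet-tracer input outside tcp 4.2.2.2 1025 203.0.113.18 25

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(text):
    """Return (phases, verdict): phases is a list of dicts, verdict the final block."""
    phases, verdict = [], {}
    current, section, in_verdict = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the final verdict block
            in_verdict, current = True, None
            continue
        if in_verdict:
            key, _, value = line.partition(":")
            verdict[key.strip()] = value.strip()
            continue
        if current is None:              # command echo before Phase 1
            continue
        if line.startswith("Type:"):
            current["type"] = line.partition(":")[2].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.partition(":")[2].strip()
        elif line.startswith("Result:"):
            current["result"] = line.partition(":")[2].strip().upper()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return phases, verdict


def first_drop(phases):
    """The first phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def diagnose(text):
    """Summarise where and why a traced flow was dropped (or that it was allowed)."""
    phases, verdict = parse_packet_tracer(text)
    drop = first_drop(phases)
    summary = {"action": verdict.get("Action", "").lower(),
               "drop_reason": verdict.get("Drop-reason", ""),
               "phase": None, "type": None, "implicit_deny": False}
    if drop:
        # An ACCESS-LIST drop whose only Config line is "Implicit Rule" means no
        # explicit ACL entry matched the traced flow.
        summary.update(phase=drop["phase"], type=drop["type"],
                       implicit_deny=(drop["type"] == "ACCESS-LIST"
                                      and "Implicit Rule" in drop["config"]))
    return summary


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

For the sample this reports phase 4, type ACCESS-LIST, `implicit_deny` true and the `(acl-drop)` reason; on an allowed trace `phase` stays `None` and `action` is `allow`. The per-phase `config` lists also let you check which static and which ACL entry the box actually matched, which is what settles the question of whether the ACL names the right address.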

saurabhgoel169
Beginner

Hi Alfred,

Now it's working fine for you.

Cheers

Saurabh

Saurabh Goel,

No, not working.

I went to the web site https://www.wormly.com/test_smtp_server. Did some tests and nothing; it's not working at all. Can you help, or anybody? Is there any more access list to be added? I thought I did this right.

Hello Alfred,

The ASA configuration is the one required now.

Do the following as a test in order to make sure this is a server issue:

access-list test123 permit tcp any host 38.xx.xx.xx.xx  eq 25

nat (outside) 11 access-list test123 outside

global (inside) 11 interface

Then give it a try; if this does not work, captures will be taken next!

Any other question... Sure. Just remember to rate all of my posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I just wanted to confirm that the internal mail server is 192.168.xx.xx, the IP address we want to come through the firewall is 38.210.xx.18, and the gateway of the firewall is 38.210.xx.20.
