10-18-2012 10:42 AM - edited 03-11-2019 05:11 PM
I have a DGway of 31.210.99.10/27 and I want to translate the IP address 192.168.xx.xx (internal IP, SNMP) to 31.210.99.xx/27.
I did the commands:
static (inside,outside) 31.210.99.xx 192.168.xx.xx netmask 255.255.255.255
access-list 101 permit tcp any host 31.210.99.xx eq 25
access-group 101 in interface outside
And this is not working. Can someone help??
10-18-2012 10:53 AM
Hello Alfred,
Configuration looks good..
Let's start with a packet-tracer
packet-tracer input outside tcp 4.2.2.2 1025 31.210.99.xx 25
Let us know the result
10-18-2012 11:15 AM
You are using the wrong port number: SNMP works on port 161, and you are giving the SMTP port number, i.e. 25.
static (inside,outside) 31.210.99.xx 192.168.xx.xx netmask 255.255.255.255
access-list 101 permit udp any host 31.210.99.xx eq 161
access-group 101 in interface outside
Please check and reply.
10-18-2012 11:53 AM
Saurabh,
I meant SMTP (port 25). The thing is I cannot even ping 192.168.xx.xx before and after the NATting rule was applied. Went to this web site to test connectivity, https://www.wormly.com/test_smtp_server, and nothing happened.. don't know why.
Is there anything missing here??? Help please!!
10-18-2012 11:59 AM
From where are you trying to ping the 192.168.x.x IP address? If you want to test the setting, please telnet from your machine to the public IP, for example:
telnet Public_IP 25
If it is successful, it means your configuration is working fine.
Show the status....
Which IOS are you using on the firewall?
Check and let me know.
10-18-2012 12:52 PM
IOS image used is 8.2(3) and ASDM 6..
No access to the device at the moment; will let you know of the packet tracer.. The thing is I cannot ping the SMTP server from the firewall even before the translation.
10-19-2012 12:02 AM
Hello Alfred,
Your SMTP server should be reachable from the firewall. You need to check the route for the SMTP server and share the traceroute result to the SMTP server from the firewall. It might help you to check the reachability of the server.
10-19-2012 01:22 AM
Saurabh,
here is the packet tracer:
ASA(config)# packet-tracer input outside tcp 4.2.2.2 1025 31.xxx.9$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-19-2012 01:28 AM
this is what was added:
static (inside,outside) 38.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255
access-list 101 permit tcp any host 38.xx.xx.xx eq 25
access-group 101 in interface outside
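As an added example (not code from the thread or from Cisco), here is a small Python helper for the two checks this thread keeps circling: it parses packet-tracer output and reports the phase that dropped the packet, and it checks that, on ASA 8.2 (pre-8.3 NAT), the inbound outside ACL names the mapped (global) address of the static rather than the real inside address. The sample trace and the 38.0.0.18/192.168.0.35 addresses are constructed placeholders modelled on the posts above.

```python
import re
# Constructed sample modelled on the thread's first packet-tracer (placeholder IPs).
SAMPLE_TRACE = "\n".join([
    "Phase: 1", "Type: ROUTE-LOOKUP", "Subtype: input", "Result: ALLOW",
    "Config:", "Additional Information:", "in 0.0.0.0 0.0.0.0 outside",
    "Phase: 2", "Type: ACCESS-LIST", "Subtype:", "Result: DROP", "Config:",
    "Implicit Rule", "Additional Information:", "Result:",
    "input-interface: outside", "output-interface: outside", "Action: drop",
    "Drop-reason: (acl-drop) Flow is denied by configured rule"])
STATIC_8_2 = "static (inside,outside) 38.0.0.18 192.168.0.35 netmask 255.255.255.255"
ACL_WRONG = "access-list 101 permit tcp any host 192.168.0.35 eq 25"  # real addr: wrong on 8.2
ACL_RIGHT = "access-list 101 permit tcp any host 38.0.0.18 eq 25"     # mapped addr: right

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final Result block."""
    phases, result, cur = [], {}, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if line == "Result:":                 # trailing summary block starts here
            cur = result
        elif cur is result:
            result[key.strip().lower().replace("-", "_")] = val.strip()
        elif key == "Phase":
            phases.append(cur := {"phase": int(val), "detail": []})
        elif cur is not None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()
        elif cur is not None:
            cur["detail"].append(line)        # Config / Additional Information lines
    return phases, result

def diagnose(text):
    """Return (final action, description of the first dropping phase or None)."""
    phases, result = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return result.get("action", "?"), None
    return result.get("action", "?"), "phase %d %s: %s" % (
        drop["phase"], drop.get("type", "?"), result.get("drop_reason", "?"))

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit \w+ any host (\S+) eq \S+")
def check_pre83_acl(static_line, acl_line):
    """ASA 8.2 rule: the outside ACL must name the mapped (global) address of the static."""
    s, a = STATIC_RE.match(static_line), ACL_RE.match(acl_line)
    if not s or not a:
        return "unparsed"
    mapped_ip, real_ip, acl_host = s.group(3), s.group(4), a.group(1)
    if acl_host == mapped_ip:
        return "ok"
    return "bug: ACL uses real address" if acl_host == real_ip else "bug: ACL host matches neither"
```

Paste the full output of `packet-tracer` into `diagnose()` to get the dropping phase and drop-reason in one line; on 8.3 and later the ACL rule is reversed (real addresses), so `check_pre83_acl` applies only to the 8.2 code the poster is running.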
10-19-2012 01:45 AM
Hello, to be on the safe side I deleted the rule and added it again, and I carried out the packet tracer, and the result:
ASA-1# packet-tracer input outside tcp 4.2.2.2 1025 31.xx.xx.xx 25
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255
match ip inside host 192.168.98.35 outside any
static translation to 31.210.233.69
translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 31.xx.xx.xx /0 to 192.168.xx.xx/0 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 101 in interface outside
access-list 101 extended permit tcp any host 38.xx.xx.xx.xx eq smtp
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255
match ip inside host 192.168.xx.xx outside any
static translation to 31.xx.xx.xx
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 31.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255
match ip inside host 192.168.98.35 outside any
static translation to 31.xx.xx.xx
translate_hits = 0, untranslate_hits = 3
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 96282, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
10-19-2012 07:43 AM
Hi Albert,
Now it's working fine for you..
Cheers
Saurabh
10-19-2012 08:20 AM
No, not working.
Went to the web site https://www.wormly.com/test_smtp_server. Did some tests and nothing.. it's not working at all.. Can you help, or anybody?? Is there any more access list to be added? Thought I did this right.
10-19-2012 09:18 AM
Hello Alfred,
The ASA configuration is the one required now.
Do the following as a test in order to make sure this is a server issue:
access-list test123 permit tcp any host 38.xx.xx.xx.xx eq 25
nat (outside) 11 access-list test123 outside
global (inside) 11 interface
Then give it a try; if this does not work, captures will be taken next!
Any other question...Sure..Just remember to rate all of my posts
10-21-2012 05:54 AM
Hello,
Just wanted to confirm the internal mail server is 192.168.xx.xx,
and the IP address we want to come through the firewall is 38.210.xx.18, and the gateway of the firewall is 38.210.xx.20.