NAT translation - Page 2

Alfred · ‎10-18-2012

I have a DGway of 31.210.99.10/27 and i want to translate the ip addr to 192.168.xx.xx ( internal ip SNMP) to 31.210.99.xx/27

i did the commands

static (inside,outside) 31.210.99.xx 192.168.xx.xx metmask 255.255.255.255

access-list 101 permit tcp any host 31.21099.xx eq 25

access-group 101 in interface outside

And this is not working

This is not working Can some one help??

Julio Carvajal · ‎10-21-2012

Hello Alfred,

Yes, we know..

The configuration you have is the one required.

Now it looks like it's a server problem but just to make sure do the following and them attempt to connect:

access-list test123 permit tcp any host 38.xx.xx.xx.xx eq 25

nat (outside) 11 access-list test123 outside

global (inside) 11 interface

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Alfred · ‎10-22-2012

Hi,

Still no joy cant ping the mail server at all..

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 101 in interface outside

access-list 101 extended permit tcp any host 38.210.x.x eq smtp

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: inspect-smtp

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect esmtp _default_esmtp_map

service-policy global_policy global

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (outside) 11 access-list test123 outside

match tcp outside any inside host 38.xx.xx.xxeq 25

dynamic translation to pool 11 (0.0.0.0 [Interface PAT])

translate_hits = 1, untranslate_hits = 0

Additional Information:

Dynamic translate 4.2.2.2/1025 to 0.0.0.0/54329 using netmask 255.255.255.255

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (outside) 11 access-list test123 outside

match tcp outside any outside host 38.xx.xx.xx eq 25

dynamic translation to pool 11 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 9

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) 38.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255

match ip inside host 192.168.xx.xx outside any

static translation to 38.xx.xx.xx

translate_hits = 0, untranslate_hits = 4

Additional Information:

Phase: 10

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) 38.xx.xx.xx 192.168.xx.xx netmask 255.255.255.255

match ip inside host 192.168.xx.xx outside any

static translation to 38.xx.xx.xx

translate_hits = 0, untranslate_hits = 4

Additional Information:

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 448872, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Julio Carvajal · ‎10-22-2012

Hello,

Are you trying to ping it????

That is completely different, we have been working with the SMTP protocol not ICMP???

Please clear that out.

Remembe to rate all of the helpful posts, for us that is as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Alfred · ‎10-23-2012

im trying to go through the default gateway instead.whats the port number of a default gateway?

Julio Carvajal · ‎10-23-2012

Hello Alfred,

I am affraid you are not being clear enough,

I am sorry but I do not understand what you are trying to do.

I mean right now you should be trying to access the internal server on port 25. That's all we have done so far.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC