12-15-2012 01:11 PM - edited 03-11-2019 05:37 PM
Hi,
We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.
There are a couple of PAT translations that were previously set up on the "interface" address which I now want to assign to a different IP address further in my subnet.
So I just changed this:
object network BMMM
nat (inside,outside) static interface service tcp smtp smtp
to:
object network BMMM
nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp
And assumed that this would work,
Sadly it does not, and this leaves me unable to contact that machine from the outside.
What am I doing wrong? And should I also change my access-list?
The relevant access-list rule is:
access-list outside_in extended permit tcp any object BMMM eq smtp
Thanks,
Dennes
12-15-2012 01:32 PM
Try
show xlate
clear xlate
12-15-2012 01:33 PM
Hi,
Do you want to still do Port Forward configurations like with the single IP address before? Or do you want to translate some LAN server address to their own public IP address?
The format for a typical Static NAT is
object network STATIC
host 10.10.10.10
nat (inside,outside) static 1.2.3.4
After this you could open any service you want/need for the LAN host mentioned above
access-list OUTSIDE-IN permit tcp any object STATIC eq smtp
But if you want to configure the port forwards with the new public IP addresses too it should be no problem.
- Jouni
12-15-2012 01:45 PM
I did the show and clear xlates, but to no avail.
I want it to be set up something like this:
interface WAN ip: 1.1.1.1
WAN ip 1.1.1.2 tcp/25 --> 192.168.1.10
WAN ip 1.1.1.2 tcp/443 --> 192.168.1.11
This should work, right?
12-15-2012 01:50 PM
Hi,
Yeah should be no problem
For example
interface GigabitEthernet0/0
nameif outside
security-level 0
ip add 1.1.1.1 255.255.255.248
object network PORTFORWARD-25
host 192.168.1.10
nat (inside,outside) static 1.1.1.2 service tcp 25 25
object network PORTFORWARD-443
host 192.168.1.11
nat (inside,outside) static 1.1.1.2 service tcp 443 443
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-25 eq smtp
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-443 eq 443
Have you checked what happens to the connection through either the logs or ASDM logging/monitoring?
- Jouni
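An added example, not part of any post in this thread: a short Python audit that lists each static PAT rule in an ASA 8.3+ configuration and flags any that has no matching inbound permit. It assumes the `permit <proto> any object <name> eq <port>` ACL form used above, and that the ACL is matched against the real (inside) object and port, as it is on 8.3 and later; the sample configuration is constructed.

```python
import re

# Constructed sample modelled on the configuration in the reply above;
# the ACL entry for PORTFORWARD-443 is left out on purpose.
SAMPLE_CONFIG = """\
object network PORTFORWARD-25
 host 192.168.1.10
 nat (inside,outside) static 1.1.1.2 service tcp 25 25
object network PORTFORWARD-443
 host 192.168.1.11
 nat (inside,outside) static 1.1.1.2 service tcp 443 443
access-list OUTSIDE-IN permit tcp any object PORTFORWARD-25 eq smtp
"""

# ASA port keywords normalised to numbers so "smtp" and "25" compare equal.
PORT_NAMES = {"smtp": "25", "www": "80", "https": "443"}
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (tcp|udp) any object (\S+) eq (\S+)")

def port(token):
    return PORT_NAMES.get(token, token)

def audit(config):
    """Return one dict per static PAT rule, flagged with ACL coverage."""
    hosts, rules, permits = {}, [], set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
        elif (m := NAT_RE.match(line)) and current:
            # Object NAT order is: real port first, then mapped port.
            _, _, mapped_ip, proto, real_port, mapped_port = m.groups()
            rules.append((current, mapped_ip, proto, port(real_port), port(mapped_port)))
        elif (m := ACL_RE.match(line)):
            permits.add((m.group(3), m.group(2), port(m.group(4))))
    return [
        {"object": obj, "inside": hosts.get(obj), "public": f"{ip}:{mport}/{proto}",
         "permitted": (obj, proto, rport) in permits}  # ACL matches the real port
        for obj, ip, proto, rport, mport in rules
    ]

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

The audit reads only the configuration text, so it cannot tell whether the inside host still holds the address named in its object.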
12-15-2012 02:09 PM
Well.. This is embarrassing..
Turned out that everything is just fine, but a reboot of the Exchange virtual machine to which the PATs go caused its address to change to a DHCP-assigned address. Reset it back to the static LAN IP and it's working like a charm!
:-)
Thanks guys!
Dennes