01-31-2015 06:56 AM - edited 03-11-2019 10:25 PM
Hi guys.
I am completely lost with my asa 5505.
No problems forwarding ports on other Cisco routers, but this device is driving me nuts.
I have tried countless setups and followed so many examples. I have seriously no clue anymore.
I just want port 25 to be forwarded to my mail server on the DMZ interface.
I put my config in the attachments (incl. sh nat, sh acl).
What I already tried was nat on the objects itself.
acl with and without objects
The strange thing is that no counters of the NAT or ACL are going up if I telnet on port 25 from an outside machine.
Also the syslog server doesn't show anything blocking on port 25.
My packet trace:
RTR01# packet-tracer input outside tcp 4.4.4.2 smtp 192.168.101.10 25
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.101.0 255.255.255.0 DMZ
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_acl in interface outside
access-list outside_acl extended permit tcp any object srv-192.168.101.10 eq smtp log debugging
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (DMZ,outside) source dynamic any interface
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-01-2015 10:08 AM
Hi Walter,
The problem seems to be related to order of operation of NAT statements.
nat (DMZ,outside) source dynamic any interface
nat (DMZ,outside) source static srv-192.168.101.10 interface service tcp-25 tcp-25
Check "Show Nat", your SMTP NAT statement must come before your dynamic NAT statement.
Twice NAT statements are executed in the order they are configured.
02-01-2015 11:28 PM
Poonam,
Thank you for your reply.
I have changed a few things after this and it works now after weeks of trial and error.
What I changed:
I removed the NAT rule on object network srv-192.168.101.10
I created an object service MAIL
service tcp source eq smtp
I removed the object service TCP-25 because that constantly gave me an error that it was not mapped?
I created a manual NAT rule
nat (DMZ,outside) 1 source static srv-192.168.101.10 interface service MAIL MAIL
My acl was already in place. A telnet from a remote machine on port 25 works perfectly.
sh nat
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static srv-192.168.101.10 interface service MAIL MAIL
translate_hits = 1, untranslate_hits = 1
2 (DMZ) to (outside) source dynamic DMZ interface
translate_hits = 87, untranslate_hits = 0
3 (inside) to (outside) source dynamic inside interface
translate_hits = 32, untranslate_hits = 0
So probably the auto NAT function didn't work. I still need to find out why, the first time, the rule under the object came under the auto NAT functions.
Learned a lot this time.
So, problem solved.
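As an added illustration of the ordering point in the answer and of the "show nat" output above (this is not code from the thread or from Cisco): a small Python check that parses the rule lines of "show nat" and flags any static twice-NAT rule listed after a dynamic rule on the same interface pair whose source covers it. The two sample outputs are constructed to match the thread: the first with the dynamic rule ahead of the static one, the second in the order that finally worked.

```python
import re

# Constructed sample in the shape of the thread's "show nat": the dynamic
# "any" rule is listed first, the way the original poster had it.
SHOW_NAT_BROKEN = """\
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic any interface
    translate_hits = 87, untranslate_hits = 0
2 (DMZ) to (outside) source static srv-192.168.101.10 interface service MAIL MAIL
    translate_hits = 0, untranslate_hits = 0
"""

# Same rules in the order the accepted answer calls for (static first).
SHOW_NAT_FIXED = """\
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source static srv-192.168.101.10 interface service MAIL MAIL
    translate_hits = 1, untranslate_hits = 1
2 (DMZ) to (outside) source dynamic DMZ interface
    translate_hits = 87, untranslate_hits = 0
"""

# Matches only the numbered rule lines, not the hit-counter lines.
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+) \((?P<real>\S+)\) to \((?P<mapped>\S+)\) "
    r"source (?P<kind>static|dynamic) (?P<src>\S+) (?P<xlate>\S+)"
)

def parse_show_nat(text):
    """Parse the rule lines of 'show nat' into dicts, keeping display order."""
    return [m.groupdict() for m in (RULE_RE.match(l) for l in text.splitlines()) if m]

def shadowed_static_rules(rules):
    """Return the numbers of static rules that sit below a dynamic rule on the
    same (real, mapped) interface pair whose source covers them ('any' or the
    same object). Twice NAT is evaluated first-match in this order, so such a
    static rule never gets to untranslate the inbound connection."""
    shadowed, seen_dynamic = [], []
    for r in rules:
        pair = (r["real"], r["mapped"])
        if r["kind"] == "dynamic":
            seen_dynamic.append((pair, r["src"]))
        elif any(p == pair and s in ("any", r["src"]) for p, s in seen_dynamic):
            shadowed.append(int(r["num"]))
    return shadowed

if __name__ == "__main__":
    for label, text in (("broken", SHOW_NAT_BROKEN), ("fixed", SHOW_NAT_FIXED)):
        print(label, "shadowed static rules:", shadowed_static_rules(parse_show_nat(text)))
```

Run it against a pasted "show nat" to spot the same ordering mistake before reaching for packet-tracer.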
02-01-2015 11:37 PM
Hi Walter,
I am happy to hear that your problem is resolved.
Kindly rate the solution, if it helped you so that it will also be helpful to others.