Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
0
Helpful
1
Replies

Problem moving NAT from Internet router to ASA 5505 for internal mail serve

bassono_t
Level 1
Level 1

‎12-24-2008 10:38 AM - edited ‎03-11-2019 07:29 AM

Hi all,

I am indroducing an ASA 5505 in my network which currently has NAT done on the Internet router conecting to the ISP. They are static NAT entries mapping to a mail server inside the network.

I now want to do NAT and also move the static entries to the mail on the ASA 5505 but I have only one public IP which is set on the outside of the Internet router.

Is there a way to get this work? Thanks for helping

Labels:
0 Helpful
1 Reply 1

JORGE RODRIGUEZ
Level 10
Level 10

‎12-24-2008 11:56 AM

Yes there is always a way with Cisco..:)

Say you need webserver port 80, RDP, and other mail TCP ports , say local mail server is 10.20.20.100 and only have outside interface as your only public IP address. In this example PLS apply the same principle for Mail ports tcp or upd etc..

static (inside,outside) tcp interface www 10.20.20.100 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 10.20.20.100 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 10.20.20.100 ftp netmask 255.255.255.255

static (inside,outside) tcp interface 21 10.20.20.100 23 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq www log

access-list outside_access_in extended permit tcp any interface outside eq 3389 log

access-list outside_access_in extended permit tcp any interface outside eq ftplog

access-list outside_access_in extended permit tcp any interface outside eq 23 log

access-group outbound_access_in in interface outside

or create a tcp service object group called mail_server_TCP and only use one inbound acl line using that object group

object-group service mail_server_TCP tcp

group-object eq www

port-object eq 3389

port-object eq ftp

port-object eq 23

access-list outside_access_in extended permit tcp any interface outside object-group mail_server_TCP

access-group outbound_access_in in interface outside

Use these examples bellow as ferences but keep in mind to use the keyword (interface) in your static NATs

and use the keyword ( interface outside ) in your inbound acls for using your outside interface public IP address.

Port Redirection(Forwarding) with nat, global, static

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Mail related links

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080683db5.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008067cf3b.shtml

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Regards

PLS rate post if it helped

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card