cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4318
Views
70
Helpful
64
Replies

ASA5508-X Using Block Of Static IP’s

fbeye
Level 4
Level 4

So I have my configuration able to Ping from the Router itself (GBit 1/1 using a Static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1 but I am having a heck of a time removing the DHCP / Nat and being able to use, at random (to be specificed on the device) my Block Of Static IP’s. I currently have no running-config that differs from default aside from the WAN but I am going in circles. I am using my Cisco 891f (which is set the way I liked it) as a reference and with an open mind to the fact this is far more technical but I am just lost.

 

64 Replies 64

Well I began small. I simply allowed Interface ‘tplink’ access to Interface ‘mail’ on Ports SMTP (25) and IMAP3 (993).

While monitoring the “live” log on my email server and trying to access the mail from the home LAN, I saw absolutely no activity on the Mail Server. I then changed it around from instead of allowing “Interface” access I would do the subnet, or the lan IP’s. All sorts of variation. No activity. So I went back to Interface access and then made a NAT translating 192.168.3.1 (TPLink) to 192.168.2.1 (Mail) and then all of a sudden I was getting incoming (to the mail) activity. I could send emails to my server. Every time I would send an email from the Email Server to my yahoo, I kept getting DNS errors and spam cop /spamhous errors and Relay (mostly) errors. I then left NAT as is but added a “domain” ACL to my email. Nothing I did would send out email without Relay and Unable to resolve host errors. 

At that point I realized that due to changing the default accesss of being able to access anything lower in security to having ACL’s that I could not even load a website. 

That is when I decided to set it all back to normal and simply change the 1/3 (Email) Interface to 99. All works fine as it should.

 

It has to be something with access to nameservers. 

 

Also, I wanted to mention;

 

I did not have the money for a switch so I am really just creating 3 Subnets whereas before we had the idea of 1/2 going to a switch and then plugging each device to that all on what would be 192.168.2.x 

 

1/1 is for ASDM 192.168.1.1

1/2 is TPLink 192.168.2.1

1/3 is Mail 192.168.3.1

 

I am assuming that is why I needed NAT to cross the Interfaces,

Matt

 

You said that when you changed 1/3 to 99 that it works. Does that mean that it works without nat? I am puzzled about why nat was needed when both are same security level and not needed when security level is different.

 

HTH

 

Rick

HTH

Rick

I apologize for the misunderstanding on my description..

 

While having 1/3 to Security 99 I do not need NAT. And

While both security levels of 1/2 and 1/3  were the same (100), unless I had something else configured wrong, it did not work correctly without the NAT.

I will again recreate the scenario step by step to verify...But prior level 99, it did not work (even with ACL'S) unless I NAT 1/3 Interface to 1/2 Interface.

Matt

 

Thank you for the clarification. Please do let us know the results when you recreate the scenario.

 

HTH

 

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card