TOPIC: Static NAT problem?

Static NAT problem? 8 years 9 months ago #34546

Hi, this is my first post. I found this forum while looking for more info on Cisco firewalls.

I am working with a new ASA 5505, without the enhancements, no DMZ. I have the "outside" VLAN2 directly connected to our fiber connection, and the "inside" VLAN1 connected to our switch.

I have two addresses set up for static NAT, one being our mail server, the other being a web server. When the 5505 is plugged in, the users can get out to the internet, but no traffic comes in to our mail server, or web server from the outside. Also there is no communication from internet Outlook clients to the mail server.

I currently have a Checkpoint firewall in place with NAT rule for both servers, and it works fine. However Cisco firewalls are new to me and I'm not sure what I'm doing wrong.

Here is a sample of my config if anyone can help me out. is my ISP's connection to us is the outside of the 5505 is the intended outside of the mail server is the intended outside of the web server


name Active01 description DC, DNS #1
name Active02 description DC, DNS #2
name Inside_LAN description Local
name Outside description Fiber link
name Exchange1 description Mail Server SMTP,HTTP,HTTPS
name WEBSRVR1 description WEB Server #1 HTTPS
name WEB_Gateway description WEB Server WAN IP
name Mail_Gateway description eMail WAN IP
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
interface Ethernet0/1
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object-group network DNS_Servers
network-object host ADC01
network-object host ADC02
object-group service Web_Services tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
access-list outside_in remark Network ICMP Ping reply inbound
access-list outside_in extended permit icmp any host WEBSRVR1 echo
access-list outside_in remark WEB Server Gateway RDP over HTTPs
access-list outside_in extended permit tcp any host Web_Gateway eq https
access-list outside_in remark OWA
access-list outside_in extended permit tcp any host Mail_Gateway object-group We
access-list outside_in remark Inbound eMail
access-list outside_in extended permit tcp any host Mail_Gateway eq smtp
access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https inactive
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp Inside_LAN any object-group Web_Services
access-list outbound remark Common Inernet Traffic
access-list outbound extended permit tcp Inside_LAN any object-group Web_Services
access-list outbound extended permit tcp host EXCHANGE1 any eq smtp
access-list outbound remark NTP Time Sync
access-list outbound extended permit udp object-group DNS_Servers any eq ntp
access-list outbound remark DNS Traffic
access-list outbound extended permit object-group TCPUDP Inside_LAN 255.255.255.0 any eq domain
access-list outbound remark AD Server Lock down
access-list outbound extended deny ip object-group DNS_Servers any
access-list outbound remark Network ICMP Ping outbound
access-list outbound extended permit icmp Inside_LAN any echo
access-list inside_nat0_outbound extended permit ip any 255.255.255.
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_HO mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location EXCHANGE1 inside
asdm location Active01 inside
asdm location Active02 inside
asdm location WEBSRVR1 inside
asdm location Mail_Gateway inside
asdm location NCO inside
asdm location NC inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (outside,inside) EXCHANGE1 Mail_Gateway netmask
static (outside,inside) WEBSRVR1 Web_Gateway netmask
static (inside,outside) Mail_Gateway EXCHANGE1 netmask
access-group outbound in interface inside
access-group outside_in in interface outside
route outside 1

Re: Static NAT problem? 8 years 9 months ago #34558

Anyone? Or is this the wrong place to post this?

Re: Static NAT problem? 8 years 8 months ago #34564

  • r0nni3
Hey WTF (yes WhiskyTangoFoxtrot :p ),

Try this:

no static (outside,inside) EXCHANGE1 Mail_Gateway netmask
no static (outside,inside) WEBSRVR1 Web_Gateway netmask
static (inside,outside) Web_Gateway WEBSRVR1

You turned around the inside and outside comments on the 1st 2 lines. The 3rd line is correct but won't work because the incorrect 1st line stands above it, which will match 1st.

Let me know if it works ^^
Currently working as Cisco Engineer at Neon-Networking.

CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
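
Added example, not part of the original posts: a small Python audit for pre-8.3 ASA configs that flags `static` entries whose real interface has a lower security level than the mapped interface (the pattern the reply points out) and inbound ACL entries that permit a host no `static` publishes on that interface. The sample config is constructed from the names used in the thread; the function name `audit` and the finding labels are illustrative assumptions.

```python
import re

# Constructed sample modelled on the thread's config (names only, no addresses).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list outside_in extended permit tcp any host Web_Gateway eq https
access-list outside_in extended permit tcp any host Mail_Gateway eq smtp
static (outside,inside) EXCHANGE1 Mail_Gateway
static (outside,inside) WEBSRVR1 Web_Gateway
static (inside,outside) Mail_Gateway EXCHANGE1
access-group outside_in in interface outside
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+)")
ACE = re.compile(r"^access-list (\S+) extended permit \S+ any host (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    levels, statics, aces, bound, ifc = {}, [], [], {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            ifc = line.split()[1]
        elif line.startswith("security-level ") and ifc:
            levels[ifc] = int(line.split()[1])
        elif m := STATIC.match(line):
            statics.append(m.groups())      # (real_ifc, mapped_ifc, mapped, real)
        elif m := ACE.match(line):
            aces.append(m.groups())         # (acl_name, destination host)
        elif m := GROUP.match(line):
            bound[m.group(1)] = m.group(2)  # acl_name -> interface it filters
    findings = []
    for real_ifc, mapped_ifc, mapped, real in statics:
        if levels.get(real_ifc, 0) < levels.get(mapped_ifc, 0):
            findings.append(f"reversed: static ({real_ifc},{mapped_ifc}) {mapped} {real}")
    for acl, host in aces:
        on = bound.get(acl)
        # Mapped addresses that a higher-security interface publishes on `on`.
        published = {mp for rf, mf, mp, _ in statics
                     if mf == on and levels.get(rf, 0) > levels.get(on, 0)}
        if on and host not in published:
            findings.append(f"unpublished: {acl} permits {host}, no static maps it on {on}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
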