Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Static NAT problem?

Static NAT problem? 6 years 6 months ago #34546

Hi this is my first post, I found this forum while looking for more info on Cisco Firewalls.

I am working with a new ASA 5505, without the enhancements, no DMZ. I have the "outside" VLAN2 directly connected to our fiber connection, and the "inside" VLAN1 connected to our switch.

I have two addresses set up for static NAT, one being our mail server, the other being a web server. When the 5505 is plugged in, the users can get out to the internet, but no traffic comes in to our mail server, or web server from the outside. Also there is no communication from internet Outlook clients to the mail server.

I currently have a Checkpoint firewall in place with NAT rule for both servers, and it works fine. However Cisco firewalls are new to me and I'm not sure what I'm doing wrong.

Here is a sample of my config if anyone can help me out.
83.250.152.153 is my ISP's connection to us
83.250.152.154 is the outside of the 5505
83.250.152.155 is the intended outside of the mail server
83.250.152.156 is the intended outside of the web server

Thanks,

B
name 192.168.1.7 Active01 description DC, DNS #1
name 192.168.1.8 Active02 description DC, DNS #2
name 192.168.1.0 Inside_LAN description Local
name 83.250.152.152 Outside description Fiber link
name 192.168.1.4 Exchange1 description Mail Server SMTP,HTTP,HTTPS
name 192.168.1.16 WEBSRVR1 description WEB Server #1 HTTPS
name 83.250.152.156 WEB_Gateway description WEB Server WAN IP
name 83.250.152.155 Mail_Gateway description eMail WAN IP
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.250.152.154 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name plaspscc.net
object-group network DNS_Servers
network-object host ADC01
network-object host ADC02
object-group service Web_Services tcp
port-object eq ftp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
access-list outside_in remark Network ICMP Ping reply inbound
access-list outside_in extended permit icmp any host WEBSRVR1 echo
access-list outside_in remark WEB Server Gateway RDP over HTTPs
access-list outside_in extended permit tcp any host Web_Gateway eq https
access-list outside_in remark OWA
access-list outside_in extended permit tcp any host Mail_Gateway object-group We
b_Services
access-list outside_in remark Inbound eMail
access-list outside_in extended permit tcp any host Mail_Gateway eq smtp
access-list outside_in extended permit tcp any object-group DM_INLINE_NETWORK_1
eq https inactive
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq telnet
access-list inside_access_in extended permit tcp Inside_LAN 255.255.255.0 any ob
ject-group Web_Services
access-list outbound remark Common Inernet Traffic
access-list outbound extended permit tcp Inside_LAN 255.255.255.0 any object-gro
up Web_Services
access-list outbound extended permit tcp host EXCHANGE1 any eq smtp
access-list outbound remark NTP Time Sync
access-list outbound extended permit udp object-group DNS_Servers any eq ntp
access-list outbound remark DNS Traffic
access-list outbound extended permit object-group TCPUDP Inside_LAN 255.255.255.
0 any eq domain
access-list outbound remark AD Server Lock down
access-list outbound extended deny ip object-group DNS_Servers any
urs
access-list outbound remark Network ICMP Ping outbound
access-list outbound extended permit icmp Inside_LAN 255.255.255.0 any echo
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.
128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_HO 192.168.2.20-192.168.2.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location EXCHANGE1 255.255.255.255 inside
asdm location Active01 255.255.255.255 inside
asdm location Active02 255.255.255.255 inside
asdm location WEBSRVR1 255.255.255.255 inside
asdm location Mail_Gateway 255.255.255.255 inside
asdm location NCO 255.255.255.255 inside
asdm location NC 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) EXCHANGE1 Mail_Gateway netmask 255.255.255.255
static (outside,inside) WEBSRVR1 Web_Gateway netmask 255.255.255.255
static (inside,outside) Mail_Gateway EXCHANGE1 netmask 255.255.255.255
access-group outbound in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.250.152.153 1
The administrator has disabled public write access.

Re: Static NAT problem? 6 years 6 months ago #34558

anyone? Or is the wrong place to post this?
The administrator has disabled public write access.

Re: Static NAT problem? 6 years 6 months ago #34564

  • r0nni3
  • r0nni3's Avatar
  • Offline
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Hey WTF (yes WhiskyTangoFoxtrot :p ),

Try this:

[code:1]
no static (outside,inside) EXCHANGE1 Mail_Gateway netmask 255.255.255.255
no static (outside,inside) WEBSRVR1 Web_Gateway netmask 255.255.255.255
!
static (inside,outside) Web_Gateway WEBSRVR1
[/code:1]

You turned around the inside and outside comments on the 1st 2 lines. The 3rd line is correct but wont work because the incorrect 1st line stands above it which will match 1st.

Let me know if it works ^^
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
The administrator has disabled public write access.
Time to create page: 0.078 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup