Could you please guide me on the procedures that I need to follow in order to allow the incoming messages from our ISP to pass through the router and the ASA to our SMTP server?
Our ISP will simply forward (relay) the SMTP traffic to us, so the incoming mails will not be stored on our ISP's server; they will just forward any incoming messages to us to be received and stored on our SMTP server.
I want to know what is the way I should think of to make this happen. What should I allow to pass from outside to inside to my SMTP server?
Do I only have to create an ACL on the router and ASA to pass traffic coming on port 25 to our SMTP server?
Regarding your network design: if the firewall is doing the NAT, then you would have to create a NAT or a PAT translation (depending on your requirements),
i.e. the translations are done by the firewall and not by the router.
i. Say your internal email server's IP is 192.168.10.10.
ii. Say you have a public IP x.x.x.x.
iii. Say you need to direct traffic on port z (POP or IMAP), and assume that you already have an outside ACL configured as outside_acl.
According to this scenario, in which the firewall is doing the NAT translations, you will need the following statements on the firewall.
1. static (inside,outside) tcp x.x.x.x z 192.168.10.10 z netmask 255.255.255.255
(this statement redirects all traffic that hits the public IP x.x.x.x on port z to 192.168.10.10 (email server) port z.)
2. You need an appropriate access list on the outside interface to permit the traffic:
access-list outside_acl permit tcp any host x.x.x.x eq z
These two statements are sufficient as far as the firewall is concerned.
Okay, I just found an article on the Cisco website talking about PIX/ASA NAT and PAT, Document ID: 64758. I found that the mapped IP is nothing other than one of the global pool range I made during NAT creation. I did a NAT pool range from 172.17.1.100-172.17.1.150 on the outside interface of my ASA, so a mapped IP address is one of the IPs in the range I specified, like 172.17.1.110.
So it sounds like I have to map this IP and not use my ASA's real interface IP, 172.17.1.1.
I should try this soon. Thanks all for your help. I will get back to you soon.
While I was working yesterday I did what you suggested to me before, but it didn't work on mine. I guess I probably did something wrong that is blocking what you suggested.
I tried to inspect the packet sent by the Packet Tracer of the ASDM software. I did a simulation and it always gives me a NAT problem that is dropping the packet.
One was saying: nat (dmz1) 0 0.0.0.0 0.0.0.0
and when I put a NAT: nat (dmz1) 1 0.0.0.0 0.0.0.0
it always stops on it and says the packet is dropped because of this NAT.
I forgot to get a copy of the configuration and post it back for inspection. I should do it today, hopefully, and get back to you with it.
I still think that when I try to use ASDM instead of doing it manually it is messing things up. It throws in a lot of deny rules and things specific to it that I don't know about.
Anyway, thanks for your help. I will try what you told me today and copy the config for inspection.
Hi patiot, it works finally :-) Thanks for your help, it worked fine after I paid attention during the configuration. I was applying your suggestion in the wrong way, and then I realized my mistake and the static with the access-list you posted worked like magic.
I first did a write erase of everything on both the ASA and the router. I was trying to use the SDM and ASDM and they really messed things up for me, so I built them both from the CLI carefully.
Here is the final design with the working configuration; hope it might be helpful to others.
Dsl Modem- Perimeter Router- ASA 5500 Internal Firewall-Our Server
Real IP x.x.x.x-[:Fa0/0 Perimeter Router Fa0/1:]172.17.1.1 --------- 172.17.1.2[E0/0: ASA E0/2:] 192.168.1.1 ------ 192.168.1.3 [Server]
I was trying to get from outside my perimeter router, passing through my internal ASA firewall, to reach my deep inside server with IP 192.168.1.3.
Perimeter Router Basic Configuration:
1. I have put the public IP on FastEthernet 0/0
2. I have put an internal non-routable IP on FastEthernet 0/1
Here I am allowing Remote Desktop connections, telnet, and SMTP to our mail server from outside, and mapping them internally to an internal IP of 172.17.1.3. Once the router receives one of these 3 requests it will redirect them to the internal network, to the ASA firewall; then the ASA firewall will handle the port forwarding to another internal IP address, that of the real server.
!
hostname perimeter-router
!
ip name-server Your-DNS-1
ip name-server Your-DNS-2
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address Your-Public-IP Netmask-for-the-IP
ip access-group 100 in
ip nat outside
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 172.17.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Your-Public-Gateway permanent
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.17.1.3 23 Your-Public-IP 23 extendable
ip nat inside source static tcp 172.17.1.3 25 Your-Public-IP 25 extendable
ip nat inside source static tcp 172.17.1.3 3389 Your-Public-IP 3389 extendable
!
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 100 permit tcp any eq 3389 host Your-Public-IP eq 3389
access-list 100 permit tcp any eq telnet host Your-Public-IP eq telnet
access-list 100 permit tcp any eq smtp host Your-Public-IP eq smtp
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip any any
!
When the perimeter router receives incoming packets on its outside interface it will redirect them to the internal network; the ASA firewall will pick up the packets destined to the IP 172.17.1.3 and forward them to the internal server 192.168.1.3 on its dmz interface.
---------------------------------------------------------------------------------------
hostname ciscoasa
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif dmz
security-level 20
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 172.17.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
access-list 101 extended permit tcp any host 172.17.1.3 eq 3389
access-list 101 extended permit tcp any host 172.17.1.3 eq smtp
access-list 101 extended permit tcp any host 172.17.1.3 eq telnet
global (outside) 1 172.17.1.3 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.17.1.1 1
-----------------------------------------------------------------------------
Note: watch out for the access-list rule definition on the Cisco ASA firewall. Here I defined a global pool of one IP address, 172.17.1.3, not a range of IP addresses. Since I have defined only one IP in the global outside address, that means my ASA firewall will do PAT. Watch this carefully, because your access-list will not work properly and it could be a major problem. Let me give you an example of what wasted my time so you can benefit from it in the future:
What will not work is if you do the following:
global (outside) 1 172.17.1.3 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list 101 extended permit tcp any 3389 host 172.17.1.3 eq 3389
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
access-group 101 in interface outside
Look at this simple access list; what is different is that I added the source port. But since you are already doing PAT by defining a single IP address of 172.17.1.3 in the global, it will not let you pass from outside to inside. This is what was killing my time for the past 3 days. Only add the source port if you defined a global pool with a range of addresses, as in:
global (outside) 1 172.17.1.3-172.17.1.20 netmask 255.255.255.0
In such a case you have to add the source port address for your ASA to function correctly.
Thanks again patiot, you were a great helper. Hope things will now work fine, otherwise I will get back to you soon, hehehe :-)
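As an added example (not code from this thread or from Cisco), here is a small Python model of how the pre-8.3 ASA statements posted above are evaluated for an inbound connection: the outside ACL is matched first, including any source-port clause, and then the static entry supplies the real dmz address. The sample configs, the Packet type and the evaluate function are constructed for this illustration; a real client connects from an ephemeral source port, so the "what will not work" variant with a source port of 3389 never matches it, while the working ACE does.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ACEs and static from the working ASA config in this post.
WORKING_ASA = """
access-list 101 extended permit tcp any host 172.17.1.3 eq smtp
access-list 101 extended permit tcp any host 172.17.1.3 eq 3389
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
"""
# Constructed sample: the 'what will not work' variant with a source-port match.
BROKEN_ASA = """
access-list 101 extended permit tcp any eq 3389 host 172.17.1.3 eq 3389
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
"""
ACE_RE = re.compile(r"access-list \S+ extended permit tcp any(?: eq (\d+))? host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+) (\S+) netmask")
PORT_NAMES = {"smtp": 25, "telnet": 23}

@dataclass
class Packet:          # hypothetical: an inbound TCP SYN arriving on the outside interface
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def port_num(tok):
    # An ACE may carry either a service name or a port number.
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_asa(config):
    aces, statics = [], {}
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            sport, dst, dport = m.groups()
            aces.append((int(sport) if sport else None, dst, port_num(dport)))
        m = STATIC_RE.match(line.strip())
        if m:
            mapped, real = m.groups()
            statics[mapped] = real   # mapped (outside) address -> real (dmz) address
    return aces, statics

def evaluate(config, pkt):
    """Return 'real_ip:port' for a permitted inbound packet, else the drop reason."""
    aces, statics = parse_asa(config)
    if not any(dst == pkt.dst_ip and dport == pkt.dst_port
               and (sport is None or sport == pkt.src_port)
               for sport, dst, dport in aces):
        return "drop: no ACE in the outside ACL matches"
    if pkt.dst_ip not in statics:
        return "drop: no static translation for mapped address"
    return f"{statics[pkt.dst_ip]}:{pkt.dst_port}"
```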