AHMED32

@topnet.tn

[Config] CISCO ASA 5505 8.0 NAT CONFIGURATION

This is my network diagram.

»www.hostingpics.net/viewer.php?i···amme.jpg

I'm using an ASA 5505 running 8.0 with a Security Plus licence.

I wanted my mail server to be accessible from outside... done!

Now I'm struggling to get a ping from my internal server 192.168.40.240, located in the "servers" zone, to my mail server 10.20.40.5, located in the "dmz".

I tried many syntaxes and searched the whole internet, no luck.

Can anyone show me how to do this?

Thanks

pearcy

join:2004-12-08
Chicago, IL

Please post your config without passwords.



AHMED32

@topnet.tn

ciscoasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password AF88ic4YxVPKzQdV encrypted
names
name 192.168.40.0 my-lan
name 10.20.40.5 privateMailServer
name 51.4.4.51 publicMailServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.252
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 51.4.4.50 255.255.255.248
ospf cost 10
!
interface Vlan12
nameif dmz
security-level 50
ip address 10.20.40.254 255.255.255.0
!
interface Vlan22
nameif servers
security-level 100
ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 22
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp eq telnet
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object icmp traceroute
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object tcp eq ssh
object-group service DM_INLINE_SERVICE_2
service-object tcp eq ftp
service-object udp eq tftp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in extended permit tcp any host publicMailServer object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 10.10.10.0 255.255.255.252 any
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 any eq ftp-data
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 host smtp-planet eq smtp
access-list inside_access_in extended permit udp 10.10.10.0 255.255.255.252 any eq domain
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 any eq www
access-list inside_access_in extended permit udp 10.10.10.0 255.255.255.252 any eq www
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 any eq https
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 host pop-planet eq pop3
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.252 host pop-ati eq pop3
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 10.10.10.0 255.255.255.252 any
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_4 any vpn 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any vpn 255.255.255.0
access-list servers_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu servers 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) publicMailServer privateMailServer netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group servers_access_in in interface servers
route outside 0.0.0.0 0.0.0.0 51.4.4.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.40.8.7 255.255.255.255 inside
http 10.10.10.0 255.255.255.0 inside
ciscoasa#


ladino

join:2001-02-24
USA


You will need to create an ACL to allow return traffic from the DMZ back to the servers network, then apply the ACL to the dmz interface.

access-list DMZ_in extended permit icmp any 192.168.40.0 255.255.255.0 echo-reply
access-group DMZ_in in interface dmz

You may also need a NAT translation between the servers and dmz networks.
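The fix ladino describes, written out as a complete fragment in ASA 8.0(3) syntax. This is an added example, not part of the thread and not from Cisco; it reuses the names and addresses from the posted config (my-lan, privateMailServer, the servers and dmz interfaces). The ACL name dmz_access_in, the policy-map stanza and the deny line at the end of the ACL are my own choices, and the example assumes the default global_policy / inspection_default pair exists (it is not visible in the truncated show run above). Option 1 and option 2 are alternatives, pick one; option 3 applies only if nat-control is enabled.

```cisco
! Added example for the ping problem in this thread (not the poster's or Cisco's
! own config). Names and addresses come from the posted "show run";
! dmz_access_in and the policy-map stanza are assumptions.

! Option 1 (preferred): make ICMP stateful so echo-replies ride the existing
! connection instead of needing their own ACL entry. ASA 8.0 ships a default
! global_policy/inspection_default pair; add "inspect icmp" to it. If the pair
! is missing from "show run policy-map", these lines create it.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! Option 2 (what the reply above describes): an explicit ACL on the dmz
! interface. CAVEAT: as soon as any ACL is bound to dmz, the implicit
! "permit to lower security" behaviour for that interface is gone, so the
! mail server's own outbound traffic must be listed too, otherwise fixing
! ping silently breaks outbound SMTP and DNS from the DMZ.
access-list dmz_access_in remark return traffic for pings from the servers zone
access-list dmz_access_in extended permit icmp any my-lan 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp any my-lan 255.255.255.0 time-exceeded
access-list dmz_access_in extended permit icmp any my-lan 255.255.255.0 unreachable
access-list dmz_access_in remark what the mail server itself may initiate
access-list dmz_access_in extended permit tcp host privateMailServer any eq smtp
access-list dmz_access_in extended permit udp host privateMailServer any eq domain
access-list dmz_access_in remark the DMZ must never open connections into the servers zone
access-list dmz_access_in extended deny ip any my-lan 255.255.255.0
! (the implicit "deny ip any any" follows)
access-group dmz_access_in in interface dmz

! Option 3 (only if "show running-config nat-control" prints "nat-control"):
! identity-NAT the servers zone toward the dmz so the ASA has an xlate to match.
! With nat-control off, which is the 8.0 default, this line is not needed.
static (servers,dmz) my-lan my-lan netmask 255.255.255.0

! Verify on the ASA. The first trace is the echo request; it must end in
! "Action: allow" either way. The second trace simulates the echo-reply:
! with option 2 it must also end in "Action: allow". With option 1 alone it
! shows a drop, because the reply is only accepted against a live conn, so
! test option 1 with a real ping and look for the ICMP entry in "show conn".
packet-tracer input servers icmp 192.168.40.240 8 0 10.20.40.5
packet-tracer input dmz icmp 10.20.40.5 0 0 192.168.40.240
show access-list dmz_access_in
show conn | include ICMP
```

The deny line in option 2 is deliberate: the posted servers_access_in is "permit ip any any", so the servers zone can already open anything toward the DMZ, and the only direction that should ever need a permit on dmz_access_in is replies plus the mail server's own outbound flows. Keep the hit counters from "show access-list dmz_access_in" in view while pinging; an ACE that stays at 0 hits tells you the packet is being dropped somewhere before the ACL, and packet-tracer will name the phase.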


Monday, 04-Jun 02:09:30 © 1999-2012 dslreports.com.