[c-nsp] Cisco ASA 5510 DMZ Zone mail server not access Internet

Peter Rathlev peter at rathlev.dk
Mon Nov 26 11:08:26 EST 2012


On Thu, 2012-11-22 at 11:24 -0800, Md. Jahangir Hossain wrote:
> My mail server's IP address is 192.168.100.10, which is static NATed to
> 119.x.x.85. But I can access the Internet from one of the workstations,
> whose IP is 192.168.100.50, which is static NATed to 119.x.x.83. Need your
> suggestion for resolving this issue.

If 192.168.100.10 isn't a typo then the reason is probably that there's
no valid translation for the address. You have the following NAT
statements:

> static (dmz,outside) 119.x.x.83 192.168.100.100 netmask 255.255.255.255 
> static (dmz,outside) 119.x.x.85 192.168.100.50 netmask 255.255.255.255 
...
> nat (inside) 1 192.168.0.0 255.255.248.0
> global (outside) 1 interface

None of these cover 192.168.100.10 on the "dmz" interface. It could be a
typo of course; you mention 192.168.100.50 is 119.x.x.83, but according
to your configuration it's actually 119.x.x.85.

You can always take a look at what the ASA logs. You might see some
lines of "%ASA-3-305006" meaning that you don't have a valid
translation. Try enabling monitor logging at informational level,
monitor from the VTY and test again:

 logging monitor informational
 terminal monitor
 <test from server>

Beware that this dumps a lot of text in your terminal if you have even
just moderate activity.

(And your formatting leaves something to be desired! :-))

-- 
Peter
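
The coverage check described in the reply above, as an added example that is not part of the original post: a Python script that parses the pre-8.3 `static`/`nat`/`global` statements quoted in the thread and returns the statement, if any, that translates a given host between two interfaces. The function name `find_translation` is an assumption, and the script models only the three statement forms shown in this thread.

```python
import ipaddress
import re

# NAT statements as quoted in the thread (mapped addresses are masked on the page).
CONFIG = """\
static (dmz,outside) 119.x.x.83 192.168.100.100 netmask 255.255.255.255
static (dmz,outside) 119.x.x.85 192.168.100.50 netmask 255.255.255.255
nat (inside) 1 192.168.0.0 255.255.248.0
global (outside) 1 interface
"""

STATIC_RE = re.compile(r"^static \(([^,)\s]+),([^,)\s]+)\) (\S+) (\S+) netmask (\S+)$")
NAT_RE = re.compile(r"^nat \(([^)\s]+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \(([^)\s]+)\) (\d+) \S+")


def find_translation(config, real_if, host, mapped_if="outside"):
    """Return the statement translating host from real_if to mapped_if, or None."""
    addr = ipaddress.ip_address(host)
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # NAT ids that have a global pool on the egress interface.
    pools = set()
    for line in lines:
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == mapped_if:
            pools.add(m.group(2))
    for line in lines:
        m = STATIC_RE.match(line)
        if m and (m.group(1), m.group(2)) == (real_if, mapped_if):
            # The real (pre-NAT) address is the second address in a static statement.
            real = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            if addr in real:
                return line
        m = NAT_RE.match(line)
        if m and m.group(1) == real_if and m.group(2) in pools:
            real = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            if addr in real:
                return line
    return None


if __name__ == "__main__":
    for host in ("192.168.100.10", "192.168.100.50", "192.168.100.100"):
        rule = find_translation(CONFIG, "dmz", host)
        print(f"dmz {host}: {rule or 'no translation statement covers this host'}")
```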




