ASA Config, multiple static route statements?


  • ASA Config, multiple static route statements?

    We are having trouble with some email messages being bounced. I have checked everything I can think of high and low.

    One change that I made recently was to our ASA5510 to add a route for an FTP server. Our MX record is pointing to one public IP and our FTP record is pointing to a second public IP, so I put in a second static (inside,outside) statement, so now I have 2.

    Running config had this command.
    ------------------------------------------------
    static (Inside,Outside) 216.xxx.xxx.xx5 192.168.xx.x netmask 255.255.255.255
    ------------------------------------------------



    I added
    -------------------------------------------------
    static (Inside,Outside) 216.xxx.xxx.xx6 192.168.xx.xx netmask 255.255.255.255
    access-list allow extended permit tcp any host 216.xxx.xxx.xx6 eq ftp
    -------------------------------------------------

    Ftp works great, but did I potentially mess up our email traffic?

  • #2
    Re: ASA Config, multiple static route statements?

    Well assuming the 192 addresses are different, which we can't tell from this! (I don't think it would allow you to set them the same this way anyway)

    Then No.

    What are the bounce messages? If "some" are bouncing but some aren't then it isn't likely the ASA is at fault.
    cheers
    Andy

    Quis custodiet ipsos custodes?


    • #3
      Re: ASA Config, multiple static route statements?

      Yes, the internal 192. addresses are different.

      We are getting most of our mail, but there are some messages that are being bounced. The message I saw from the bounce said that it timed out.


      So having the multiple statics shouldn't cause me any trouble anywhere else either, right?
      Last edited by stylus277; 11th November 2008, 18:38.



      • #4
        Re: ASA Config, multiple static route statements?

        Moved to Cisco Security
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: ASA Config, multiple static route statements?

          You can have as many as you want. Your statics are, for want of a better explanation, IP to IP
          i.e.
          Code:
          static (inside,outside) 111.111.111.111 10.0.0.2
          where you can use the access list (and access group) statements to allow traffic in. This method means you have to allow all traffic on that external IP address inbound to the 10.0.0.2 host.

          Another method just maps ports.
          i.e.
          Code:
          static (inside,outside) tcp 111.111.111.111 80 10.0.0.2 80
          with the corresponding access-lists of course. (note this was for tcp 80)
          This method means you can then allow another port on the same public IP to another internal IP.
          i.e. you can add this as well
          Code:
          static (inside,outside) tcp 111.111.111.111 443 10.0.0.3 443
          but that is all nothing to do with your problem.

          We need the specific error messages to help with that though!
          cheers
          Andy
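
Added example, not part of the original thread or any poster's code: a small audit of the two `static` forms described in post #5, listing which public IP/port pairs are both translated and permitted. The addresses are constructed documentation values, the ACL is assumed to be bound to the outside interface, and only the `permit tcp any host X eq P` form is parsed.

```python
import re

PORTS = {"ftp": 21, "smtp": 25, "www": 80, "https": 443}  # ASA port keywords
IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_PORT = re.compile(rf"static \(\w+,\w+\) tcp {IP} (\w+) {IP} (\w+)", re.I)
STATIC_IP = re.compile(rf"static \(\w+,\w+\) {IP} {IP}", re.I)
PERMIT = re.compile(rf"access-list \S+ extended permit tcp any host {IP} eq (\w+)", re.I)

# Constructed sample (documentation addresses); ACL assumed bound to the outside interface.
SAMPLE = """\
static (inside,outside) 203.0.113.5 10.0.0.2 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.6 80 10.0.0.2 80
static (inside,outside) tcp 203.0.113.6 443 10.0.0.3 443
access-list allow extended permit tcp any host 203.0.113.5 eq smtp
access-list allow extended permit tcp any host 203.0.113.5 eq ftp
access-list allow extended permit tcp any host 203.0.113.6 eq www
access-list allow extended permit tcp any host 203.0.113.6 eq 8080
"""

def port(tok):
    return PORTS.get(tok.lower()) or int(tok)

def parse(config):
    """Collect IP-to-IP statics, port statics and permitted (ip, port) pairs."""
    whole, ports, permits = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_PORT.match(line):
            ports[(m[1], port(m[2]))] = (m[3], port(m[4]))
        elif m := STATIC_IP.match(line):
            whole[m[1]] = m[2]
        elif m := PERMIT.match(line):
            permits.add((m[1], port(m[2])))
    return whole, ports, permits

def exposure(config):
    """(public_ip, port, inside_ip, inside_port) tuples that are translated AND permitted."""
    whole, ports, permits = parse(config)
    out = []
    for ip, p in permits:
        if (ip, p) in ports:        # port static: only this port is translated
            out.append((ip, p, *ports[(ip, p)]))
        elif ip in whole:           # IP-to-IP static: the ACL alone limits the ports
            out.append((ip, p, whole[ip], p))
    return sorted(out)

def orphan_permits(config):
    """Permit entries with no matching static (stale or mistyped rules)."""
    whole, ports, permits = parse(config)
    return sorted(k for k in permits if k not in ports and k[0] not in whole)

if __name__ == "__main__":
    print(exposure(SAMPLE), orphan_permits(SAMPLE))
```

In the sample, the port static for 443 does not appear in the exposure list because no ACL entry permits it, and the permit for 8080 is reported as an orphan because no static translates it.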



          • #6
            Re: ASA Config, multiple static route statements?

            Thanks for that information, I will leave my ASA alone and keep digging.

            I have been working with Trend Micro on this bounced message trouble because we use their hosted ERS solution (email reputation services), so our MX records point to their servers which filter then forward the good mail to us.

            In the config of the ERS, the domain in question is specifically allowed, so I would expect any email coming from them should fly right through the Trend servers.

            I am just trying to make sure that any changes that I have made in the recent past didn't cause any trouble.



            • #7
              Re: ASA Config, multiple static route statements?

              Well, it doesn't seem like the PIX, so without the bounce messages it does make it kind of hard!
              cheers
              Andy
