topic from my past experience, i in Network Security

ASA 5515 change Outside IP address

Mohd Khairul Nizam — Tue, 12 Mar 2019 05:01:12 GMT

Hi guys,

I have a working ASA 5515 configuration that now working fine.

Outside interface is 110.74.132.50/29.

Now customer want to change the Outside interface to 110.74.132.52/29 because they said that some email can't get through because of fail SPF check.

I can change the interface but wouldn't it will effect the existing NAT??? mostly NAT that already point to 110.74.132.52???

Below is the configuration

=====================

: Saved
:
ASA Version 9.1(2)
!
hostname ASHFW01
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 110.74.132.50 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1.1
vlan 12
nameif VLAN12
security-level 100
ip address 10.1.12.254 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 20
nameif VLAN20
security-level 100
ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet0/1.3
vlan 30
nameif VLAN30
security-level 100
ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet0/1.4
vlan 50
nameif VLAN50
security-level 100
ip address 10.1.50.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer-RDP
host 10.1.12.13
object network Exch-SMTP
host 10.1.20.2
object network Exch-POP3
host 10.1.20.2
object network Exch-SMTPS
host 10.1.20.2
object network Exch-RDP
host 10.1.20.2
object network MgmtSvr-RDP
host 10.1.12.30
object network Exch-HTTPS
host 10.1.20.2
object network Exch-HTTP
host 10.1.20.2
object network Portal
host 10.1.12.14
description Portal
object service Portal80
service tcp source eq www destination eq www
description Portal80
object service SalesMobile9090
service tcp destination eq 9090
description SalesMobile9090
object network MgmtSvr
host 10.1.12.30
object network TerminalServer
host 10.1.12.13
object network ExchServer
object network ExchSvr
host 10.1.20.2
object service smtp2
service tcp destination eq 587
object network SalesMobile
host 10.1.12.14
description SalesMobile
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object MgmtSvr
network-object object TerminalServer
network-object object Exch-RDP
object-group service Exch-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object object smtp2
service-object tcp destination eq smtp
object-group network DM_INLINE_NETWORK_2
network-object object Exch-HTTP
network-object object Exch-HTTPS
network-object object Exch-POP3
network-object object Exch-SMTP
network-object object Exch-SMTPS
access-list outside_access_in extended permit icmp any4 any
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group rdp
access-list outside_access_in extended permit tcp any object Portal eq www
access-list outside_access_in extended permit object SalesMobile9090 any object SalesMobile
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer-RDP
nat (VLAN12,outside) static 110.74.132.51 service tcp 3389 3389
object network Exch-SMTP
nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp
object network Exch-POP3
nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3
object network Exch-SMTPS
nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587
object network Exch-RDP
nat (VLAN20,outside) static 110.74.132.52 service tcp 3389 3389
object network MgmtSvr-RDP
nat (VLAN12,outside) static 110.74.132.53 service tcp 3389 3389
object network Exch-HTTPS
nat (VLAN20,outside) static 110.74.132.52 service tcp https https
object network Exch-HTTP
nat (VLAN20,outside) static 110.74.132.52 service tcp www www
object network Portal
nat (VLAN12,outside) static 110.74.132.51 service tcp www www
object network SalesMobile
nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 110.74.132.49 1

Hi,This is just an assumption

Vibhor Amrodia — Sat, 01 Nov 2014 12:58:26 GMT

Hi,

This is just an assumption on the basis of the issue that i have seen , the outbound traffic must be using the interface IP for the Interface PAT and that's why they want you to change the Interface IP itself so that both Inbound and outbound traffic uses .52

We can specifically NAT the EMAIL server internal IP to use this .52 address for outbound connections as well and i think that should resolve this issue without changing the Interface IP.

Something like this:-

object network obj-EMAILSRV

host <ip>

nat (inside,outside) dynamic .52

Thanks and Regards,

Vibhor Amrodia

Hi,From your posted

Aref Alsouqi — Sat, 01 Nov 2014 13:21:25 GMT

Hi,

From your posted configuration, I can see that your Exchange server is already using the public ip 110.74.132.52, means that email server is already seen to the internet (outside world) with that public ip, so if your intention to change the ASA outside ip address is to let the Exchange server exit with the ip address 110.74.132.52 then that would not solve any issue since as mentioned before that Exchange server is already mapped to the ip address 110.74.133.52. I would try to solve the SPF issue by adding the appropriate SPF record on the registrant provider, ASA would not be the cause of SPF checking failure instead it would be due to some misconfigured or missing SPF record at the registrant, but beside that, please note that if you go to assign the ASA outside interface with the same ip address used in the static natting (110.74.132.52) you would lose all those static nats mapped to that ip address, ASA would delete them all.

Regards,

Aref

Hi, I did try to change it to

Mohd Khairul Nizam — Sat, 01 Nov 2014 14:17:12 GMT

Hi,

I did try to change it to. 52, NAT is not working,. It says that it is overlap with the Outside interface.

i try telnet 110.74.132.52 <port> (25,587,110,80) from outside, all is not working after change to .52

from my past experience, i

Mohd Khairul Nizam — Sat, 01 Nov 2014 14:33:50 GMT

from my past experience, i did similar configuration of NAT to exchange server using other model of FW, the only different is the public IP is /30. The outside interface is the 10.x.x.b, and able to do NAT.

The only different with above config is the public ip is /29.

hi Vibhor,You're right, they

Mohd Khairul Nizam — Sat, 01 Nov 2014 14:38:35 GMT

hi Vibhor,

You're right, they insist for the traffic to go out using .52. They said it will resolve the SPF issues.

so your advise is i remove below

object network Exch-SMTP
nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp
object network Exch-POP3
nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3
object network Exch-SMTPS
nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587

and substitute with

object network obj-ExchageServer

host 10.1.20.2

NAT (inside,outside) dynamic 110.74.132.52

That would be normal, since

Aref Alsouqi — Sun, 02 Nov 2014 00:03:43 GMT

That would be normal, since you assigned that ip address on the outside interface, but you would still be able to do it by using the "interface" key instead of the ip address, example:

object network Exch-SMTP
nat (VLAN20,outside) static interface service tcp smtp smtp

Regards,

Aref

As mentioned in my previous

Aref Alsouqi — Sun, 02 Nov 2014 00:07:22 GMT

As mentioned in my previous post, you would still be able to do nat, it is possibile, but as I told you before, in case you are going to use the same ip address used on the outside interface, you need to use the keyword "interface" in the nat statement instead of the ip address itself.

Regards,

Aref

Hi,Apologies for the delay

Vibhor Amrodia — Sun, 02 Nov 2014 00:51:00 GMT

Hi,

Apologies for the delay.

Have you tried the Dynamic NAT with the .52 IP ?

If yes , send a packet tracer for the email server trying to go to the internet ?

packet input inside <Server Private IP> tcp <IP address> 3456 4.2.2.2 80 det

When you use a Static PAT , the device mapped to the port wil never use the same mapped IP for the Outbound traffic.

Let me know how it goes ?

Thanks and Regards,

Vibhor Amrodia

i did do the dynamic NAT as

Mohd Khairul Nizam — Sun, 02 Nov 2014 03:07:59 GMT

i did do the dynamic NAT as below

object network obj-Exch
nat (VLAN20,outside) dynamic 110.74.132.52

here is the packet tracer

=~=~=~=~=~=~=~=~=~=~=

packet input VLAN20 tcp 10.1.20.2 3456 4.2.2.2 80 det

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj-Exch

nat (VLAN20,outside) dynamic 110.74.132.52

Additional Information:

Dynamic translate 10.1.20.2/3456 to 110.74.132.52/3456

Forward Flow based lookup yields rule:

in id=0x7fff29380920, priority=6, domain=nat, deny=false

hits=143, user_data=0x7fff2a78b150, cs_id=0x0, flags=0x0, protocol=0

src ip/id=10.1.20.2, mask=255.255.255.255, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=VLAN20, output_ifc=outside

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff29b7e5b0, priority=0, domain=nat-per-session, deny=false

hits=34718, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fff2a6907c0, priority=0, domain=inspect-ip-options, deny=true

hits=16570, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=VLAN20, output_ifc=any

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (any,outside) after-auto source dynamic any interface

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fff29d52ee0, priority=6, domain=nat-reverse, deny=false

hits=10050, user_data=0x7fff2a7f2240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=outside

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0x7fff29b7e5b0, priority=0, domain=nat-per-session, deny=false

hits=34720, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0x7fff2a5dd570, priority=0, domain=inspect-ip-options, deny=true

hits=22591, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 25944, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: VLAN20

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ASHFW01#

Hi,No , actually..You need to

Vibhor Amrodia — Tue, 04 Nov 2014 15:44:46 GMT

Hi,

No , actually..

You need to remember that the Static PAT Ex.:-

object network Exch-SMTP
nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp

Will allow the Inbound connection on the SMTP port. But for the Traffic outbound , it the source port is smtp[unlikely as the shource port is randomly selected for every connection] , then only the Mapped Ip will be 110.74.132.52 , otherwise it will use the Interface Dynamic PAT.

Thus to get this to work , you need all the Static PAt statements as well as the Dynamic NAT for the outbound connection with it.

This should resolve the issue for you.

Also , once you apply this configuration , clear out the previous connections for the server as there might be some still using the interface ip.

clear local-host <IP address>

Thanks and Regards,

Vibhor Amrodia

Hi all, Thanks for all the

Mohd Khairul Nizam — Wed, 05 Nov 2014 02:11:36 GMT

Hi all,

Thanks for all the contribution.
Yes case resolved.