topic PAT different WAN IP tp internal host in Network Security

PAT different WAN IP tp internal host

dennesmeeusen — Tue, 12 Mar 2019 00:37:28 GMT

Hi,

We just changed ISPs and now have a /29 routed subnet to be used on our ASA 5510 (8.4) instead of the one public ip we had before.

There are a couple of PAT translations that were previously setup on the "interface" address which i now want to assign to a different ip address further in my subnet.

So i just changed this:

object network BMMM

nat (inside,outside) static interface service tcp smtp smtp

to:

object network BMMM

nat (inside,outside) static other.external.ip.in.subnet service tcp smtp smtp

And assumed that this would work,

Sadly it does not, and this leaves me unable to contact that machine from the outside.

What am i doing wrong? And shoud i also change my access-list?

The relevant access-list rule is:

access-list outside_in extended permit tcp any object BMMM eq smtp

Thanks,

Dennes

PAT different WAN IP tp internal host

Peter Koltl — Sat, 15 Dec 2012 21:32:36 GMT

Try

show xlate

clear xlate

Re: PAT different WAN IP tp internal host

Jouni Forss — Sat, 15 Dec 2012 21:33:19 GMT

Hi,

Do you want to still do Port Forward configurations like with the single IP address before? Or do you want to translate some LAN server address to their own public IP address?

The format for a typical Static NAT is

object network STATIC

host 10.10.10.10

nat (inside,outside) static 1.2.3.4

After this you could open any service you want/need for the LAN host mentioned above

access-list OUTSIDE-IN permit tcp any object STATIC eq smtp

But if you want to configure the port forwards with the new public IP addresses too it should be no problem.

- Jouni

PAT different WAN IP tp internal host

dennesmeeusen — Sat, 15 Dec 2012 21:45:23 GMT

I did the show and clear xlates, but to no avail.

I want it to be setup something like this:

interface WAN ip: 1.1.1.1

WAN ip 1.1.1.2 tcp/25 --> 192.168.1.10

WAN ip 1.1.1.2 tcp/443 --> 192.168.1.11

This should work, right?

Re: PAT different WAN IP tp internal host

Jouni Forss — Sat, 15 Dec 2012 21:50:55 GMT

Hi,

Yeah should be no problem

For example

interface GigabitEthernet0/0

nameif outside

security-level 0

ip add 1.1.1.1 255.255.255.248

object network PORTFORWARD-25

host 192.168.1.10

nat (inside,outside) static 1.1.1.2 service tcp 25 25

object network PORTFORWARD-443

host 192.168.1.11

nat (inside,outside) static 1.1.1.2 service tcp 443 443

access-list OUTSIDE-IN permit tcp any object PORTFORWARD-25 eq smtp

access-list OUTSIDE-IN permit tcp any object PORTFORWARD-443 eq 443

Have you checked what happens to the connection through either the logs or ASDM logging/monitoring?

- Jouni

PAT different WAN IP tp internal host

dennesmeeusen — Sat, 15 Dec 2012 22:09:55 GMT

Well.. This is embarrassing..

Turned out that everything is just fine, but a reboot of the Exchange virtual machine to which the PAT's go, caused it's address to change to a DHCP assigned address. Reset it back to the static LAN ip and it's working like a charm!

🙂

Thanks guys!

Dennes