topic But I can see the "sh nat": in Network Security

ASA 5520 NAT Problem

Vianyfel Cordaro — Sat, 22 Feb 2020 07:25:10 GMT

I have the following topology:

mail server --- swcore --(inside) << >> ASA (outside) --- ISP border router

should perform the following nat on the handle of a mail server 10.0.3.41 to 200.x.x.182

I have the following configuration on the ASA:

object-group service SERVICES
service-object tcp-udp eq 7001
service-object tcp eq ssh
service-object tcp-udp eq 25
service-object tcp-udp eq 26
service tcp-udp-object eq 993
service tcp-udp-object eq 109
service tcp-udp-object eq 110
service tcp-udp-object eq 143
service tcp-udp-object eq 220
service tcp-udp-object eq 465
service tcp-udp-object eq 468
service tcp-udp-object eq 587
service tcp-udp-object eq 995
service tcp-udp-object eq www
service-object tcp-udp eq domain
service-object tcp-udp eq 8080
service-object tcp-udp eq 8443
service-object tcp eq https
service tcp-udp-object eq 135
service-object tcp eq 135
service-object tcp-udp eq 7777
service-object tcp-udp eq 8090
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object udp eq ntp
service-object tcp eq sqlnet
service-object tcp eq 3389

access-list outside extended permit object-group SERVICES any host 200.x.x.182
access-list inside extended permit object-group SERVICES host 10.0.3.41 any
access-group outside in interface outside
access-group inside in interface inside

static (inside,outside) tcp 200.x.x.182 smtp 10.0.3.41 smtp netmask 255.255.255.255

global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0

Sniffer was performed interface that goes to the core sw to int inside ASA, and effectively SMTP packets are received from 10.0.3.41 which is the mail server.

When you execute a "sh nat" does tells you match the .41 port 25 to 200.xx182

But when you check the header of the emails sent outside the domain appears the IP address is 200.xx178 with which it is performed the nat for internet company.

For some reason it is entering the nat

global (outside) 1 interface

And I do not understand because if I can see the sh nat does match the static nat.

border router does not perform any function nat actually execute sh ip nat trans and nothing display.

Thanks.

your static NAT only works

Karsten Iwen — Wed, 10 Sep 2014 15:51:11 GMT

The static NAT only works for incoming SMTP, not for outgoing. If you want that all outbound traffic from the mailserver is NATted to .182, you should change your static to the following:

static (inside,outside) 200.x.x.182 10.0.3.41 netmask 255.255.255.255

This NAT-statement will work inbound and outbound.

But I can see the "sh nat":

Vianyfel Cordaro — Wed, 10 Sep 2014 16:01:12 GMT

But I can see the "sh nat":

match tcp inside host 10.0.3.41 eq 25 outside any
static translation to 200.x.x.182/25
translate_hits = 0, untranslate_hits = 26617

But when you check the header of the emails sent outside t appears the IP address is 200.xx178 (nat of internet)

I just need that traffic is NATed smtp mail server because there are other IP addresses server using the same public IP address, so we performed the PAT.

> But I can see the "sh nat":

Karsten Iwen — Wed, 10 Sep 2014 16:15:41 GMT

> But I can see the "sh nat":

You see the translation that is used for incoming SMTP. It is only defined for traffic where TCP/25 is on your side. When you send mail, TCP/25 is used as the destination-port and your local port is a random port-number. That won't match your static.

If you can't translate the IP completely for the mail-server, you can configure an extra dynamic PAT for the server:

nat (inside) 2 10.0.3.41 255.255.255.255

global (outside) 2 200.x.x.182

The NAT-ID "2" has to be a free ID in your remaining NAT-config.