ASA outbound policy NAT not working

darragh long — Mon, 11 Mar 2019 19:00:59 GMT

Hi Folks,

I'm having trouble with how traffic from my LAN is being nat'd by my ASA.

I've attached a basic network diagram -

inbound smtp traffic to 1.1.1.67 is translated to 10.0.10.2 (email server, on the inside interface)

inbound http and https traffic to 1.1.167 is translated to 10.10.10.2 (web serevr, on the DMZ interface)

These config I've used for this is:

static (inside,outside) tcp 1.1.1.67 smtp 10.0.10.2 smtp netmask 255.255.255.255

static (DMZ,outside) tcp 1.1.1.67 https 10.10.10.2 https netmask 255.255.255.255

static (DMZ,outside) tcp 1.1.1.67 www 10.10.10.2 www netmask 255.255.255.255

This has been tested and is working correctly.

The problem I have is that outbound traffic sourced from the email server (10.0.10.2) is not being nat'd to 1.1.1.67 ... it is being nat'd to 1.1.1.66 (the outside interface of the ASA)

when I do a packet-tracer (smtp traffic from 10.0.10.2 to external email server), I see two different phases for nat :

Phase: 5

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) tcp 1.1.1.67 smtp 10.0.10.2 smtp netmask 255.255.255.255

match tcp inside host 10.0.0.2 eq 25 inside any

static translation to 1.1.1.67/25

translate_hits = 236, untranslate_hits = 13682

Additional Information:

Forward Flow based lookup yields rule:

in id=0xaccaf6d0, priority=5, domain=host, deny=false

hits=68278, user_data=0xaccaead0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.0.10.2, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 7 access-list dyn-nat-25-inside-acl

match ip inside net10.0.10.0-24_VLAN10 255.255.255.0 oustide any

dynamic translation to pool 7 (1.1.1.66 [Interface PAT])

translate_hits = 25389, untranslate_hits = 168

Additional Information:

Dynamic translate 10.0.10.2/2525 to 1.1.1.66/10070 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in id=0xacc82fd0, priority=2, domain=nat, deny=false

hits=25389, user_data=0xacc82f10, cs_id=0x0, flags=0x0, protocol=0

src ip=net10.0.10.0-24_VLAN10, mask=255.255.255

Phase 5 appears to match the nat statement that I want (ie translates smtp traffic from 10.0.10.2 to 1.1.1.67), but phase 6 then seems to contradict this, matching instead a general nat rule which translates all outbound traffic to the asa's outside interface.

Can anyone explain why this is happening?

Re: ASA outbound policy NAT not working

Kureli Sankar — Wed, 27 Oct 2010 14:40:56 GMT

Outbound connections from this smtp server will never be sourced from port 25 but, will be sourced from any high port. What you have is static PAT which is only for incoming connections from the internet.

So, if you want this server to look like 1.1.1.67 even for outbound then you need to add these lines:

nat (inside) 100 10.0.10.2 255.255.255.255

global (outside) 100 1.1.1.67

Use some nat ID that is not used. I just came up with 100.

-KS

Re: ASA outbound policy NAT not working

darragh long — Tue, 02 Nov 2010 10:03:42 GMT

Many thanks KS - that worked perfectly!

topic Re: ASA outbound policy NAT not working in Network Security

ASA outbound policy NAT not working

Re: ASA outbound policy NAT not working

Re: ASA outbound policy NAT not working