topic Re: Need help with PAT and NAT w/single public IP in Network Security

Need help with PAT and NAT w/single public IP

jaystanley66 — Mon, 11 Mar 2019 17:13:04 GMT

Hello all, need some help.

Shouldn't the below config work for SMTP access to the internal server?

When I do a show xlate, I see the Global PAT xlate on for both ext and int IP addresses on port 25.

When I do a show access-list I never see any hits on the outside_access_in access list entry.

Cisco ASA 5505, version 7.2(2)

interface Vlan1
nameif inside
security-level 100
ip address 192.168.###.### 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.9.###.### 255.255.255.0

access-list outside_access_in extended permit tcp any host 72.9.###.### eq smtp

access-list inside_access_out extended permit ip any any

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255

access-group inside_access_out in interface inside

access-group outside_access_in in interface outside

Re: Need help with PAT and NAT w/single public IP

jaystanley66 — Mon, 22 Feb 2010 02:53:19 GMT

Also, I forgot to add. When I look at the log, I see the attempt at the connection on port 25, from the public IP, but it always gets discarded.

Re: Need help with PAT and NAT w/single public IP

jaystanley66 — Tue, 23 Feb 2010 04:39:48 GMT

I've added my complete config. I still cannot get outside public hosts to access the internal IP address on port 25.

Any suggestions would be appreciated.

ASA# sho run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA
domain-name default.domain.invalid
enable password ###################### encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.###.### 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.9.###.### 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.###.### 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd ################ encrypted
banner login ALL UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 72.9.###.### eq smtp
access-list inside_access_out extended permit ip any any
access-list asa-vpn_splitTunnelAcl standard permit 192.168.###.### 255.255.255.0
access-list dmz_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn-pool 192.168.###.###-192.168.###.### mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.9.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy asa-vpn internal
group-policy asa-vpn attributes
dns-server value ###.###.###.###

vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value asa-vpn_splitTunnelAcl
vpn-group-policy asa-vpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group asa-vpn type ipsec-ra
tunnel-group asa-vpn general-attributes
address-pool vpn-pool
default-group-policy asa-vpn
tunnel-group asa-vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af151ea5d8a16d08a9bce5c30579f440
: end
ASA# sho nat

NAT policies on Interface inside:
match tcp inside host 192.168.###.### eq 25 outside any
    static translation to 72.9.###.###/25
    translate_hits = 0, untranslate_hits = 870
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 19, untranslate_hits = 0
match ip inside any outside any
    dynamic translation to pool 1 (72.9.117.191 [Interface PAT])
    translate_hits = 1427, untranslate_hits = 93
match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

Re: Need help with PAT and NAT w/single public IP

Jon Marshall — Tue, 23 Feb 2010 06:43:21 GMT

Can't see a lot wrong with your config. I did a quick test and telnetted to port 25 on your public IP and i was allowed straight in to your mail server. I logged straight back out but in future good idea not to post full public IP details. So you should see at least one hit in your acl now.

Could you give a few more details as to what you are trying to do ie. is it to allow other mail servers on the internet to connect to your mail server and vice-versa ?

Jon

Re: Need help with PAT and NAT w/single public IP

sanjeevreddyallala — Tue, 23 Feb 2010 14:34:49 GMT

If I understand correctly the following is your scenario:

incoming mails to ur internal mail server:

mail originated from internet to ur domain------>ur service provider mail-relay server-------->72.9.X.X int on ur ASA------->NAT/PAT------>ur internal Mail Server

1.does the problem is one way or both ways?

2. if problem in recieving mails need to troubleshoot each leg of above diagram from left to right.

Re: Need help with PAT and NAT w/single public IP

jaystanley66 — Tue, 23 Feb 2010 14:38:58 GMT

Yes, its open right now as the ASA is not plugged in, so port 25

is open right now.

Re: Need help with PAT and NAT w/single public IP

jaystanley66 — Tue, 23 Feb 2010 14:43:13 GMT

Yes we just want to be able to send mail from Internet to our internal mail server. I've done this several times before with ASA with no problems. I was curious about the code version 7.2(2) and only having a single Public IP address, which is the outside interface, and then using the Global (outside) 1 interface statement. Any limitations by only having the single public IP? We have the DNS MX record pointed to the public IP address. When I put the ASA back inline, no hits on access list and in the log, I see attempts on port 25 to the public IP, but all packets are "discarded".

Re: Need help with PAT and NAT w/single public IP

Kureli Sankar — Tue, 23 Feb 2010 19:13:01 GMT

If 72.9.###.### ip is the same as the vlan 2 interface IP address then you need to change the static

static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.###.### smtp netmask 255.255.255.255

change it to the keyword interface instead.

-KS

Re: Need help with PAT and NAT w/single public IP

jaystanley66 — Thu, 25 Feb 2010 14:21:14 GMT

Changing the static NAT statement to "interface" instead of the actual IP address did it.

Thanks for the insight and help.

This forum is a great medium for exchanging information.

Jay

Re: Need help with PAT and NAT w/single public IP

Kureli Sankar — Thu, 25 Feb 2010 14:52:23 GMT

Glad to hear. Thanks for rating.

Specifying the keyword interface is clearly documented in the command ref.if you need to read on that.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466

interface

Uses the interface IP address as the mapped address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

Note You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of an interface in a static PAT entry.

-KS