ASA 5505 Problem with Static NAT

TXLombardi — Mon, 11 Mar 2019 16:32:21 GMT

A client of mine has been assigned six usable IP addresses. The outside interface on the ASA 5505 has an address of 70.43.230.18 (third octet changed for security reasons on all outside IP addresses). That address is used as a dynamic NAT for outgoing traffic from the internal 192.168.2.0/24 network. There is a static NAT for the email server - 70.43.230.20. Incoming email uses that IP address successfully, but outgoing email does not translate to that address. Below is the pertinent part of the ASA 5505 configuration. I ran a packet trace and found that there are two translations taking place. First the correct translation for outgoing email traffic from the Microsoft Exchange server takes place - 192.168.2.10 eq 25 to 70.43.230.20 eq 25. Then the packet traverses the first static NAT in the list - example 192.168.2.10 eq 4125 70.43.230.18 eq 4125 for a second translation. The second translation IP address is what the receiving email server sees. The problem we are having is receiving servers cannot do a successful reverse lookup of mail. Mycompany.com, so they reject the mail.

If anyone has any ideas, I sure would be grateful.

ASA Version 7.2(2)

names

name 70.43.230.22 RDP description Remote Desktop Connection

name 70.43.230.20 Mail description NAT to internal email

interface Vlan1

nameif inside

ip address 192.168.2.1 255.255.255.0

interface Vlan2

nameif outside

ip address 70.43.230.18 255.255.255.248

access-list outside_in extended permit tcp any host Mail eq smtp

access-list outside_in extended permit tcp any interface outside eq www inactive

access-list outside_in extended permit tcp any interface outside eq ssh

access-list outside_in extended permit tcp any host Mail eq https

access-list outside_in extended permit tcp any host RDP eq 3389

access-list outside_in extended permit tcp any interface outside eq 4125

access-list outside_in extended permit tcp any interface outside eq 444

access-list inside_out extended permit tcp host 192.168.2.10 any eq smtp

access-list inside_out extended deny tcp any any eq smtp log

access-list inside_out extended permit ip any any

access-list inside_out extended permit tcp any any

access-list inside_out extended permit udp any any

access-list inside_out extended permit gre any any

access-list inside_out extended permit icmp any any

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4125 192.168.2.10 4125 netmask 255.255.255.255

static (inside,outside) tcp RDP 3389 192.168.2.10 3389 netmask 255.255.255.255

static (inside,outside) tcp Mail smtp 192.168.2.10 smtp netmask 255.255.255.255

access-group inside_out in interface inside

access-group outside_in in interface outside

Re: ASA 5505 Problem with Static NAT

Kureli Sankar — Wed, 28 Oct 2009 03:41:17 GMT

Pls. add the following:

nat (inside) 2 192.168.2.10 255.255.255.255

global (outisde) 2 70.43.230.20

issue

clear local 192.168.2.10

You e-mail server will start sending e-mails out looking like 70.43.230.20

Re: ASA 5505 Problem with Static NAT

TXLombardi — Thu, 29 Oct 2009 20:36:30 GMT

Thanks for the help. Yes, that worked. I had actually done that before, but the outgoing NAT was still translating to the wrong address. What I didn't do was clear local.

Thanks again. I appreciate it!

Re: ASA 5505 Problem with Static NAT

Kureli Sankar — Fri, 30 Oct 2009 14:04:36 GMT

Glad to hear. You need to clear the translation in the table for it to take the newly changed one. Otherwise you would have to wait for the xlate to timeout (3 hours default) after a 1 hour conn timeout for it to start taking the new translation.

topic ASA 5505 Problem with Static NAT in Network Security

ASA 5505 Problem with Static NAT

Re: ASA 5505 Problem with Static NAT

Re: ASA 5505 Problem with Static NAT

Re: ASA 5505 Problem with Static NAT