topic Re: NAT/routing help on ASA 5520 in Network Security

NAT/routing help on ASA 5520

whiteford — Mon, 11 Mar 2019 15:18:47 GMT

Hello,

We have 2 email servers with 2 Nics. One has a public IP (e.g 10.10.10.10)NAT'ed to it's private IP for inbound email, so inbound email is fine. Now our ISP only accept smtp traffic from 10.10.10.10 and the issue I have is the server with the NAT can send emails to them, but the server that doesn't have the NAT servers it's smtp traffic outbound via the ASA's default gateway and gets refused.

Is it possible to route this server with no NAT to route outbound via the 10.10.10.10 so both servers go outbound via this and not the ASA's default gateway?

Thanks

Re: NAT/routing help on ASA 5520

andrew.prince — Wed, 15 Apr 2009 09:45:21 GMT

Why do you not write a policy based nat rule so both servers use the same external NAT IP?

Re: NAT/routing help on ASA 5520

whiteford — Wed, 15 Apr 2009 09:50:01 GMT

Hmm I've never tried that before, plus I only use the ASDM, but do have access tot he CLI and have basic experience with this.

How would I do this then?

Say 192.168.28.1 and 192.168.28.2 wanted to go outbound via 10.10.10.10 (public IP)?

Re: NAT/routing help on ASA 5520

andrew.prince — Wed, 15 Apr 2009 10:01:41 GMT

I do not use the ASDM, not even sure if it is capable to configure something like this in the ASDM, via cli

global (outside) 99 10.10.10.10

access-list email-servers extended permit tcp host 192.168.28.1 any eq smtp

access-list email-servers extended permit tcp host 192.168.28.2 any eq smtp

nat (inside) 99 access-list email-servers

Basically the above instructs the ASA to NAT servers 192.168.28.1 & .2 when they try an access anything out on the internet using smtp and NAT them to external IP 10.10.10.10

HTH>

Re: NAT/routing help on ASA 5520

whiteford — Wed, 15 Apr 2009 11:19:20 GMT

Thanks,

As one of the email servers has the public IP (10.10.10.10) assigned to it via NAT, can I just do the above method to just the server that needs it?

Also, are there any useful commands that will show me that it is using this new public IP?

Re: NAT/routing help on ASA 5520

andrew.prince — Wed, 15 Apr 2009 11:21:56 GMT

Sorry - I am no confused, if you are performing a specific static NAT - you WILL have to change it from a 1:1 to a 1:Many

You cannot just add an internal server, you will have to configure either a static 1:Many NAT based on an access-list or a policy based NAT.

HTH>

Re: NAT/routing help on ASA 5520

whiteford — Wed, 15 Apr 2009 11:55:15 GMT

OK, wil I have to first remove the current NAT?

Re: NAT/routing help on ASA 5520

andrew.prince — Wed, 15 Apr 2009 12:02:55 GMT

Yes you will have to remove the current NAT statements, and clear the NAT xlate table.

Re: NAT/routing help on ASA 5520

whiteford — Wed, 15 Apr 2009 13:42:30 GMT

Sorry to confuse:

Could I:

Get the 2 email servers send outbound as public IP 10.10.10.10 on smtp

But only nat 10.10.10.10 inbound to one of the email servers on smtp?

Re: NAT/routing help on ASA 5520

andrew.prince — Wed, 15 Apr 2009 14:06:03 GMT

No - the ASA will send return traffic back to either server.

So if you have an environment where only 1 email server is receving/delivering email - but both servers are sending email out to the internet, you need to look at your email environment.