05-25-2012 09:02 AM - edited 03-11-2019 04:11 PM
I have configured 2 ISPs on an ASA 5505, which is using IP SLA to track the internet connection. Following is the static NAT configuration:
static (inside,outside) tcp ISPA_Second_IP 3389 Jonas 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Third_IP 3389 192.168.10.7 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Third_IP 9983 192.168.10.20 3389 netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP smtp Exchange smtp netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP 3389 Exchange 3389 netmask 255.255.255.255
static (inside,outside) udp ISPA_Second_IP 1434 Jonas 1434 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP ftp Jonas ftp netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 1433 Exchange 1433 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 1434 Exchange 1434 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 50000 192.168.10.200 50000 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 5001 192.168.10.200 5001 netmask 255.255.255.255
static (inside,outside) tcp ISPA_Second_IP 8192 192.168.10.202 8192 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP https Exchange https netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 3389 Jonas 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_third_IP 3389 192.168.10.7 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_third_IP 9983 192.168.10.20 3389 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP smtp Exchange smtp netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_First_IP 3389 Exchange 3389 netmask 255.255.255.255
static (inside,WAN_Failover) udp ISPB_Second_IP 1434 Jonas 1434 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP ftp Jonas ftp netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 1433 Exchange 1433 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 1434 Exchange 1434 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 50000 192.168.10.200 50000 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 5001 192.168.10.200 5001 netmask 255.255.255.255
static (inside,WAN_Failover) tcp ISPB_Second_IP 8192 192.168.10.202 8192 netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP www Exchange www netmask 255.255.255.255
static (inside,outside) tcp ISPA_FIRST_IP https Exchange https netmask 255.255.255.255
I have mapped the ISPA first IP to port 80 of Exchange, as you can see, but that doesn't seem to work. All NAT configs were duplicated, which means that if the Exchange server is PATed to ISP_A it is PATed to ISP_B at the same time; right now I have removed the rule for the ISP_B Exchange just for troubleshooting purposes.
packet-tracer input outside tcp 4.2.2.2 80 ISPA_First_IP 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP www Exchange www netmask 255.255.255.255
match tcp inside host Exchange eq 80 outside any
static translation to ISPA_First_IP/80
translate_hits = 0, untranslate_hits = 5
Additional Information:
NAT divert to egress interface inside
Untranslate ISPA_First_IP/80 to Exchange/80 using netmask 255.255.255.255
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inbound in interface outside
access-list inbound extended permit tcp any host ISPA_First_IP eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP www Exchange www netmask 255.255.255.255
match tcp inside host Exchange eq 80 outside any
static translation to ISPA_First_IP/80
translate_hits = 0, untranslate_hits = 5
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp ISPA_First_IP smtp Exchange smtp netmask 255.255.255.255
match tcp inside host Exchange eq 25 outside any
static translation to ISPA_First_IP/25
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8137, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
I can't access that server from outside, but as you can see in the packet-tracer output, Phase 7 shows port 80 while Phase 8 shows SMTP, which is quite strange.
Is that a hardware issue?
05-25-2012 12:55 PM
Take captures on the ingress and egress interfaces; they would tell you which side is not responding.
https://supportforums.cisco.com/docs/DOC-17814
Thanks,
Varun Rao
Security Team,
Cisco TAC
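As an added example of the capture workflow the reply suggests (this is not from the original post or from the Cisco TAC answer), the commands below set up one capture on the ingress interface keyed on the pre-NAT public address and one on the egress interface keyed on the post-NAT private address, plus an ASP drop capture so that anything the ASA itself discards shows up with a reason. It assumes the pre-8.3 ASA syntax that matches the static commands above, the interface and object names from the thread (outside, inside, ISPA_First_IP, Exchange), and 4.2.2.2 as the test client already used in the packet-tracer.

```cisco
! Added example, not part of the original thread. Names from the thread; 4.2.2.2 is the
! assumed test client. ACL and capture names (CAP_OUT, CAP_IN, capout, capin, asp) are arbitrary.

! 1. Ingress (outside) capture: match on the public address, both directions
access-list CAP_OUT extended permit tcp host 4.2.2.2 host ISPA_First_IP eq www
access-list CAP_OUT extended permit tcp host ISPA_First_IP eq www host 4.2.2.2
capture capout interface outside access-list CAP_OUT buffer 1048576

! 2. Egress (inside) capture: after UN-NAT the packet carries the real server address
access-list CAP_IN extended permit tcp host 4.2.2.2 host Exchange eq www
access-list CAP_IN extended permit tcp host Exchange eq www host 4.2.2.2
capture capin interface inside access-list CAP_IN buffer 1048576

! 3. Capture everything the ASA drops, with the drop reason attached
capture asp type asp-drop all

! 4. Open a TCP/80 connection from 4.2.2.2 to ISPA_First_IP, then inspect
show capture capout
show capture capin
show capture asp | include ISPA_First_IP|Exchange

! 5. Remove the captures and helper ACLs when done
no capture capout
no capture capin
no capture asp
clear configure access-list CAP_OUT
clear configure access-list CAP_IN
```

Reading the result: a SYN in capout but nothing in capin means the ASA did not forward it, and the asp capture should name the drop reason; a SYN in capin with no SYN-ACK coming back means the packet reached the inside segment and the problem is on the server side (host firewall, service not listening on 80, or a default route that does not point back through the ASA's inside address); SYN-ACKs present in capin but absent in capout point at the outbound NAT or routing on the way back to the ISP.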