Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
877
Views
0
Helpful
4
Replies

ASA5510 w/dual ISPs and static nat on backup if

mikespenard
Level 1
Level 1

‎12-13-2012 11:28 AM - edited ‎03-11-2019 05:37 PM

Goal: Looking to have an ASA5510 with two internet feeds. Moreover, I would like to have my static nat translations continue to work on the backup feed. I have outbound nat working, however I cannot get the inbound nat to work. I had this all figured out in 7.x but now with 8.x I cannot seem to get it working. If anyone has a 8.x example config or guidance it would be greatly appreciated.

interface Ethernet0/0.1

description EXTERNAL-COMCAST(vlan98)

vlan 98

nameif outside-comcast

security-level 0

ip address 1.1.1.10 255.255.255.0

!

interface Ethernet0/0.2

description EXTERNAL-ONECOMM(vlan100)

vlan 100

nameif outside-onecomm

security-level 0

ip address 2.2.2.10 255.255.255.0

!

interface Ethernet0/1.1

description INSIDE(vlan103)

vlan 103

nameif inside

security-level 100

ip address 192.168.32.1 255.255.255.0

!

...

object network Exchange-SMTP

host 192.168.32.12

...

access-list outside_in extended permit tcp any host 192.168.32.12 eq smtp

...

nat (inside,outside-comcast) source dynamic any interface

nat (inside,outside-onecomm) source dynamic any interface

!

...

object network Exchange-SMTP

nat (inside,outside-onecomm) static interface service tcp smtp smtp

...

access-group outside_in in interface outside-comcast

access-group outside_in in interface outside-onecomm

route outside-comcast 0.0.0.0 0.0.0.0 1.1.1.1 1 track 1

route outside-onecomm 0.0.0.0 0.0.0.0 2.2.2.1 254

sla monitor 123

type echo protocol ipIcmpEcho 73.168.168.1 interface outside-comcast

num-packets 3

frequency 10

sla monitor schedule 123 life forever start-time now

Labels:
0 Helpful
4 Replies 4

Peter Koltl
Level 7
Level 7

‎12-13-2012 12:59 PM

You omitted the important part of the config: defining object service smtp. It should be

src: 25 dst: - (0-65535) 

(reverse to what one might think)

You can check the result with 'show xlate'. It should contain '25-25'

I guess two such NATs for two ISPs can't be set up for the same server IP - they are in conflict.

0 Helpful

mikespenard
Level 1
Level 1
In response to Peter Koltl

‎12-13-2012 01:06 PM

Peter,

Well, the SMTP nat/port forwarding works fine if I setup nat in the typical 8.x way, ie., in the network object for inside.

object network inside

nat (inside,outside-comcast) dynamic interface

So the service object I omitted shouldnt be the issue.

What breaks it is removing the nat command in the inside object and using the two older style nat commands as I've seen recommended for doing dual ISPs. Which, I gather, is because you cannot specify two nat() commands in the inside network object:

nat (inside,outside-comcast) source dynamic any interface

nat (inside,outside-onecomm) source dynamic any interface

"I guess two such NATs for two ISPs can't be set up for the same server IP - they are in conflict."

I'm only looking to do a static NAT, for 192.168.32.12, on one public interface/ISP.

0 Helpful

Peter Koltl
Level 7
Level 7
In response to mikespenard

‎12-13-2012 01:25 PM

I'm sorry, the object service src definition applies only to twice NAT, not to object NAT.

Please include 'show run nat' and 'show xlate' output

8.3 or 8.2 ?

0 Helpful

mikespenard
Level 1
Level 1
In response to Peter Koltl

‎12-13-2012 01:59 PM

8.4

NTI-FW1# sh run nat

nat (inside,outside-onecomm) source dynamic any interface

nat (inside,outside-comcast) source dynamic any interface

!

object network Exchange-SMTP

nat (inside,outside-comcast) static interface service tcp smtp smtp

object network Exchange-HTTP

nat (inside,outside-comcast) static interface service tcp www www

object network Exchange-HTTPS

nat (inside,outside-comcast) static interface service tcp https https

object network Exchange-POP3

nat (inside,outside-comcast) static interface service tcp pop3 pop3

object network Exchange-IMAP

nat (inside,outside-comcast) static interface service tcp imap4 imap4

object network Exchange-POP3S

nat (inside,outside-comcast) static interface service tcp 995 995

object network Exchange-SMTP587

nat (inside,outside-comcast) static interface service tcp 587 587

object network Stimpy-SSH

nat (inside,outside-onecomm) static interface service tcp ssh ssh

object network Nagios-5666

nat (inside,outside-onecomm) static interface service tcp 5666 5666

object network Genie-COMMIT

nat (inside,outside-onecomm) static interface service tcp 4962 4962

NTI-FW1# show xlate

10 in use, 11 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

       e - extended

TCP PAT from inside:192.168.32.4 22-22 to outside-onecomm:2.2.2.10 22-22

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 80-80 to outside-comcast:1.1.1.10 80-80

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 443-443 to outside-comcast:1.1.1.10 443-443

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 143-143 to outside-comcast:1.1.1.10 143-143

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 110-110 to outside-comcast:1.1.1.10 110-110

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 995-995 to outside-comcast:1.1.1.10 995-995

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.12 25-25 to outside-comcast:1.1.1.10 25-25

    flags sr idle 0:42:51 timeout 0:00:00

TCP PAT from inside:192.168.32.12 587-587 to outside-comcast:1.1.1.10 587-587

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.18 4962-4962 to outside-onecomm:2.2.2.10 4962-4962

    flags sr idle 5:34:32 timeout 0:00:00

TCP PAT from inside:192.168.32.248 5666-5666 to outside-onecomm:2.2.2.105666-5666

    flags sr idle 5:34:32 timeout 0:00:00

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card