01-31-2014 08:05 PM - edited 03-11-2019 08:38 PM
Hi,
I was hoping somebody can help me with Cisco ASA programming (version 8.2(1)). I am trying to set up two things:
1. Inbound HTTPS access to a load balancer that sends the traffic to two Exchange servers for OWA, Outlook Anywhere, etc.
2. Outbound SMTP access from the two Exchange servers that is NATed to a single external IP address (but different from the external interface of the firewall).
This is what I did so far (IP addresses are fake, obviously):
define server objects:
name 192.168.1.65 INT_LB_MAIL description virtual mail service on load balancer
name 207.207.207.100 EXT_MAIL
name 192.168.1.127 INT_EX1 description exchange server 1
name 192.168.1.128 INT_EX2 description exchange server 2
create access rules for inbound SMTP and HTTPS traffic to load balancer
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq https
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq smtp
Now it's the NATs that I am having problems with. I'm not really sure how to do this so the load balancer answers HTTPS requests and the two Exchange servers can send email out while NATed to the public IP that I indicated:
static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255
I skipped the outbound rules because I don't have problems with them. My email is going out right now, but the two Exchange servers are NATing to the interface address, which I am trying to avoid.
Any help would be greatly appreciated.
Thanks.
02-01-2014 06:39 AM
Marcin
So are you saying that this -
static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255
is not working? Because it looks fine to me. Or are you asking about how to do the outbound mail server access?
If so -
access-list mail_out extended permit tcp host INT_EX1 any eq smtp
access-list mail_out extended permit tcp host INT_EX2 any eq smtp
nat (LAN)
global (WAN) (
The above is dynamic policy NAT, i.e. it only works from the inside to outside, but it sounds like that is what you want.
Jon
02-01-2014 02:10 PM
Jon,
Thanks for your answer, let me address your questions first.
Right now everything is working, with the exception that when my two Exchange servers send email out, they are NATing to the WAN interface IP address rather than 207.207.207.100 (EXT_MAIL), which I want. I will try your suggestion and add the statements below with some tweaks; can you comment on them?
Given that I have this statement in my config: access-group LAN_WAN in interface LAN
I will add the two new access-list statements you suggested and then associate them with the LAN interface. I don't want other stuff to NAT to that EXT_MAIL IP address.
access-list mail_out extended permit tcp host INT_EX1 any eq smtp
access-list mail_out extended permit tcp host INT_EX2 any eq smtp
Now I think I need to associate that new access list mail_out with the LAN interface by running this:
access-group mail_out in interface LAN
And then add these two statements:
nat (LAN) 2 access-list mail_out
global (WAN) 2 EXT_MAIL
Question?
Given that below two statements already exist in my config would you recommend i change anything else in the above statements?
global (WAN) 1 interface
nat (LAN) 1 CORPLAN 255.255.255.0
Thanks again for your help.
02-01-2014 04:53 PM
Marcin
The access-list mail_out is for the NAT; it should not be added to any ACL applied to an interface. With dynamic policy NAT you have to use an ACL, but that is purely so you can specify what you want to NAT. So don't apply it to any interface or add it to any ACL on an interface.
You should be fine with the additional nat/global statements, as they are using a different nat id.
Jon
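Putting the whole thread together, here is a complete ASA 8.2 configuration for the design discussed above. This is an added example, not configuration posted by Marcin or Jon: the name objects, the static, the WAN_LAN ACL, the nat id 1 / global 1 lines and the ACL names come from the posts; the access-group binding for WAN_LAN, the contents of LAN_WAN, and the verification commands are assumptions. It relies on two ASA 8.2 behaviours: a one-to-one static is bidirectional (so the load balancer's own outbound traffic is also sourced from EXT_MAIL), and in the pre-8.3 NAT order of operations policy dynamic NAT (nat id with access-list) is evaluated before regular dynamic NAT, so SMTP from the two Exchange servers hits nat id 2 regardless of the id number. The thread does not confirm that 8.2 accepts a single-address global (which is PAT) on the same address as a full one-to-one static; if the global line is rejected on your box, the commented static PAT entries claim only ports 443 and 25 on EXT_MAIL and leave the address free for the PAT pool.

```cisco
! Added worked example (not from the thread). Interface names LAN/WAN, the
! name objects, CORPLAN and the ACL names are from the posts; lines marked
! "assumed" are not shown anywhere in the thread.
!
! --- name objects (from the thread) ---
name 192.168.1.65 INT_LB_MAIL description virtual mail service on load balancer
name 207.207.207.100 EXT_MAIL
name 192.168.1.127 INT_EX1 description exchange server 1
name 192.168.1.128 INT_EX2 description exchange server 2
!
! --- inbound: one-to-one static (bidirectional on 8.2) ---
! All of EXT_MAIL maps to the load balancer VIP; the interface ACL limits
! what is actually reachable from the outside to 443 and 25.
static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255
!
! Alternative if the ASA rejects "global (WAN) 2 EXT_MAIL" as overlapping the
! static: replace the line above with static PAT for just the two services.
! static (LAN,WAN) tcp EXT_MAIL https INT_LB_MAIL https netmask 255.255.255.255
! static (LAN,WAN) tcp EXT_MAIL smtp  INT_LB_MAIL smtp  netmask 255.255.255.255
!
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq https
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq smtp
access-group WAN_LAN in interface WAN
! ^ assumed: the thread shows the ACL but not its binding to the WAN interface
!
! --- outbound: dynamic policy NAT for the two Exchange servers only ---
! This ACL exists solely to select traffic for nat id 2. It is deliberately
! NOT bound with access-group. "host" is required: a bare address in an ASA
! ACL must be followed by a netmask, so "permit tcp INT_EX1 any" is rejected.
access-list mail_out extended permit tcp host INT_EX1 any eq smtp
access-list mail_out extended permit tcp host INT_EX2 any eq smtp
nat (LAN) 2 access-list mail_out
global (WAN) 2 EXT_MAIL
!
! --- everything else keeps the existing interface PAT (nat id 1, from the thread) ---
nat (LAN) 1 CORPLAN 255.255.255.0
global (WAN) 1 interface
!
! --- LAN -> WAN interface ACL (contents assumed; the thread only names it) ---
! Policy NAT never permits traffic by itself: the interface ACL still has to
! allow SMTP out from the two servers (and whatever else CORPLAN needs).
access-list LAN_WAN extended permit tcp host INT_EX1 any eq smtp
access-list LAN_WAN extended permit tcp host INT_EX2 any eq smtp
access-group LAN_WAN in interface LAN
!
! --- verification (assumed commands; raw IPs because packet-tracer takes addresses) ---
! Expect phase NAT to show the mail_out policy NAT and a source of 207.207.207.100:
packet-tracer input LAN tcp 192.168.1.127 40000 198.51.100.25 25
! Expect a different LAN host on port 25 to fall through to nat id 1 (interface PAT):
packet-tracer input LAN tcp 192.168.1.50 40000 198.51.100.25 25
! Expect inbound 443 to translate to the load balancer VIP 192.168.1.65:
packet-tracer input WAN tcp 198.51.100.77 50000 207.207.207.100 443
show xlate | include 192.168.1.12
```

Run the three packet-tracer checks in that order: the first confirms the Exchange servers leave as EXT_MAIL, the second confirms nothing else on CORPLAN is dragged onto that address, and the third confirms the static still delivers HTTPS to the load balancer after the global for nat id 2 has been added. If the second trace also reports 207.207.207.100, the mail_out ACL has matched more than intended and its source entries need tightening.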