Single nat for cluster of inside ips

Freddy Andersen
Level 1

This is with an ASA5020 (8.1(5)).

This is the nat I have today:

global (outside) 1 66.xx.xx.135 netmask 255.255.255.192

static (inside,outside) 66.xx.xx.153 10.21.31.67 netmask 255.255.255.255

This works great; .67 is an SMTP server that only SENDS email out.

What I want to do is to have a load-balancer on the inside that sends traffic to multiple SMTP servers (2-3). I want 66.xx.xx.153 from outside to inside to go to port 25 on our load balancer, and I also want all our internal SMTP servers to leave our firewall NATted behind 66.xx.xx.153. So something like:

static (inside,outside) 66.xx.xx.153 10.21.31.67 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.153 10.21.31.68 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.153 10.21.31.69 netmask 255.255.255.255

Is this possible?

The reason is that all emails should reverse-DNS to 66.xx.xx.153.

4 Replies

Jennifer Halim
Cisco Employee

No it is not possible, you can only static NAT 1 public IP to 1 private/real IP.

csc.nes-wa
Level 1

Jennifer is correct as far as statically NATting your 3 email servers to the single external interface - it's not possible.

However - let me get this straight.

* You have a single load balancer server that you wish to RECEIVE email on, which will then deliver that email to 3 internal servers?

Just port map port 25 on 63.xx.xx.153 to port 25 on 10.21.31.16 (your load balancer). Something like this:

static (inside,outside) tcp 63.xx.xx.153 smtp 10.21.31.61 smtp netmask 255.255.255.255

* You have 3 internal servers that you want to SEND email from directly to external servers and have them reverse DNS to your external IP 63.xx.xx.153?

Allow your 3 servers to connect to anything on port 25 through your global NAT policy, something like this:

access-list acl_out extended permit tcp object-group EMAIL_SERVER_GROUP any eq smtp

I assume you already have an internal to external internet connection (global NAT policy), so this will mean external receiving email servers will see your internal servers connecting to them from 63.xx.xx.153.

What wouldn't be possible is having your 3 mail servers sending AND receiving on your single external IP address, but the above scenario is fine because you are only receiving email to one server (your load balancer). The 3 sending servers only need to be allowed to send out of the firewall.

You're better off posting your current config, and then Jennifer or one of the other experts will be able to tell you the exact commands you'd need to achieve this.

NOTE: You should really also consider having your load balancer sitting in a DMZ, as it is essentially open to the world, so in a production environment it should be sitting in a completely separate network. If you have extra physical ports on your firewall, then plug your load balancer into one of those.

PS - It's always better to port map a single port (or a few ports) when you need them - don't do a static 1-to-1 NAT for your servers or hosts, as they are then effectively completely open to the internet, and it is almost pointless having a firewall in place if you do that.

I guess we can achieve this concept through PAT overloading and load balancing, i.e. the Translating Rotary Addresses concept. I am not sure this would help you, but you can try it out.
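Putting the two halves of the thread together in pre-8.3 syntax (static PAT for inbound SMTP to the load balancer, policy PAT so only the senders' outbound SMTP leaves behind .153), as an added example that is not from any poster in this thread; the object-group and ACL names, NAT id 2 and the load balancer address 10.21.31.61 are assumptions, and the existing global (outside) 1 pool is left untouched:

```cisco
! Assumed names/addresses (not from the thread): EMAIL_SERVERS, SMTP_OUTBOUND_NAT,
! OUTSIDE_IN, NAT id 2, load balancer 10.21.31.61.
!
! The original 1-to-1 static for .67 must go first: it claims all of .153 and
! would conflict with the port-based static and the dynamic PAT below.
no static (inside,outside) 66.xx.xx.153 10.21.31.67 netmask 255.255.255.255
!
object-group network EMAIL_SERVERS
 network-object host 10.21.31.67
 network-object host 10.21.31.68
 network-object host 10.21.31.69
!
! Outbound: policy NAT matches only TCP/25 from the three senders and PATs it
! behind 66.xx.xx.153, so remote MX hosts see .153 and its PTR record.
! All other inside traffic keeps using global (outside) 1 (66.xx.xx.135).
access-list SMTP_OUTBOUND_NAT extended permit tcp object-group EMAIL_SERVERS any eq smtp
nat (inside) 2 access-list SMTP_OUTBOUND_NAT
global (outside) 2 66.xx.xx.153
!
! Inbound: forward only TCP/25 on .153 to the load balancer (static PAT, not 1-to-1),
! so the three senders are never reachable from the outside.
static (inside,outside) tcp 66.xx.xx.153 smtp 10.21.31.61 smtp netmask 255.255.255.255
!
! Outside ACL: the only hole opened toward .153 is SMTP.
access-list OUTSIDE_IN extended permit tcp any host 66.xx.xx.153 eq smtp
access-group OUTSIDE_IN in interface outside
```

Confirm the outbound translation with `packet-tracer input inside tcp 10.21.31.68 1025 <remote-mx-ip> 25` (the reported xlate should show 66.xx.xx.153 as the source) and have the ISP's PTR record for .153 point at the hostname the servers use in HELO, since the firewall cannot fix reverse DNS on its own.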
