
Access List and NAT rule, will this work?

dkraut
Level 1

I want to forward smtp to one backend server (Barracuda) and then forward http/https, imap4, 587 and 993 to a different backend server (exch-01), but I want all outbound communication from these two servers to always appear to come from the same public IP (Public-IP-109).

Will this work and is this the best way to configure on ASA5510 v8.4?  Thanks!

object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4

access-list outside_access_in extended permit tcp any object Barracuda eq smtp
access-list outside_access_in extended permit tcp any object exch-01 object-group Exchange_Inbound

nat (outside,inside) source static any any destination static Public-IP-109 Barracuda
nat (outside,inside) source static any any destination static Public-IP-109 exch-01

access-group outside_access_in in interface outside


8 Replies

Jouni Forss
VIP Alumni

Hi,

Do you only have one public IP address available? In other words, the public IP address assigned to the ASA's outside interface? In this case both servers share the same public IP address when someone is connecting to them through the Port Forwarding configuration or when the servers themselves are connecting to the outside network using the default PAT configuration.

Then you can simply do the following configuration for example

object network BARRACUDA-SMTP
 host a.a.a.a
 nat (inside,outside) static interface service tcp 25 25

object network EXCHANGE-IMAP4
 host b.b.b.b
 nat (inside,outside) static interface service tcp imap4 imap4

  • (don't remember if ASA knows the imap4 port number by name)

object network EXCHANGE-TCP587
 host b.b.b.b
 nat (inside,outside) static interface service tcp 587 587

object network EXCHANGE-TCP993
 host b.b.b.b
 nat (inside,outside) static interface service tcp 993 993

object network EXCHANGE-HTTP
 host b.b.b.b
 nat (inside,outside) static interface service tcp www www

object network EXCHANGE-HTTPS
 host b.b.b.b
 nat (inside,outside) static interface service tcp https https

Where

  • a.a.a.a = Barracuda local IP address
  • b.b.b.b = Exchange local IP address

Default PAT configuration at its simplest could be

nat (inside,outside) after-auto source dynamic any interface

Or you could define the source address with "object-group" instead of the keyword "any" used above.

Naturally you will need to open up the services in the "outside" interfaces inbound access-list using the local IP addresses in the access-list statements. You can enter them simply as "host a.a.a.a" or use the above object names that already contain the local IP address under them.

- Jouni

Jouni, sorry, no, not a single IP.  I have a range of IPs, a /28, so the outside interface will be different than the .109 address.  I'll have other mappings for www, ftp, etc., but the two mentioned in my first post are the most critical and the only ones that need to always use the .109 address for egress.  Thanks!

Hi,

So are you saying that you have only one public IP address to dedicate for the use of these 2 servers? And not 1 IP address for both?

If you have only one public IP address to share between these 2 servers and still use another IP address for the outgoing traffic, just replace the keyword "interface" in my above configurations (the Port Forward ones, not PAT) with the public IP address you want to use. The keyword "interface" in the above configurations refers to the "outside" interface IP address.

After the mentioned configuration your 2 servers would be reachable with the ports configured and with the single IP address assigned.

The default PAT configuration however would make sure that the connections that the servers initiate to public networks would be visible with a different IP address than the one used for the Port Forward configurations. UNLESS the server initiates the connections with some of the ports defined in the Port Forward configurations. Then it will be visible with the Port Forward IP address.

- Jouni

To clarify, I need these two servers to always use the same outbound public IP due to reverse DNS lookup / mx records (they are mail related servers).  To keep things simple, I'd like to use the same public IP as their ingress point too.  All other servers can use the outside interface IP address of .100

Hi,

I might be making this harder for myself than it needs to be

But if I understood you correctly the following setup would be ok for you

  • Reserve one public IP address from your /28 block for these 2 servers
  • Configure Port Forward configurations using that IP address to both of the local IP address
  • Configure a PAT configuration for the 2 servers also using the IP address we reserved for them so the connections initiated by the servers would also be using the same IP address as the configured for Port Forward.
  • Leave other NAT configurations as is

Taking into consideration the above you could basically do the following (copy/paste and some edits of the already posted configurations):

object network BARRACUDA-SMTP
 host a.a.a.a
 nat (inside,outside) static c.c.c.c service tcp 25 25

object network EXCHANGE-IMAP4
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp imap4 imap4

object network EXCHANGE-TCP587
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp 587 587

object network EXCHANGE-TCP993
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp 993 993

object network EXCHANGE-HTTP
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp www www

object network EXCHANGE-HTTPS
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp https https

object network MAIL-SERVERS-PAT
 host c.c.c.c

object-group network MAIL-SERVERS-PAT-SOURCE
 network-object host a.a.a.a
 network-object host b.b.b.b

nat (inside,outside) 1 after-auto source dynamic MAIL-SERVERS-PAT-SOURCE MAIL-SERVERS-PAT


Where

  • a.a.a.a = Barracuda local IP address
  • b.b.b.b = Exchange local IP address
  • c.c.c.c = Public IP address reserved for the 2 servers
  • nat (inside,outside) 1 after-auto = The number 1 should keep the PAT rule as the top rule for PAT configurations (provided the others use after-auto in the NAT configurations; otherwise I guess some other PAT rule might override this).

- Jouni
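As an added illustration (not part of the thread and not Cisco's own logic), the following Python model walks a flow through the NAT lookup order the reply above relies on: object NAT (section 2) is consulted first, then the after-auto manual rules (section 3) in configured order. It reproduces the two points made in the replies: a server-initiated connection whose source port matches a port-forward rule is translated to the forwarded IP, and the "1 after-auto" line keeps the mail-server PAT ahead of the default "any interface" PAT. The placeholders a.a.a.a, b.b.b.b and c.c.c.c are taken from the reply; 198.51.100.100 stands in for the .100 outside interface address and is an assumption, as is the simplified lookup itself.

```python
# Simplified model of ASA 8.4+ NAT rule selection for inside-initiated TCP flows.
# Assumption: section 2 (object NAT) is checked before section 3 (after-auto),
# and section 3 rules are tried in configured order. This is an illustration,
# not the ASA's real algorithm.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

OUTSIDE_IF = "198.51.100.100"        # assumed outside interface IP (the ".100")
RESERVED = "c.c.c.c"                 # public IP reserved for the two mail servers
BARRACUDA, EXCHANGE = "a.a.a.a", "b.b.b.b"

@dataclass
class ObjectNat:
    """nat (inside,outside) static <mapped> service tcp <real_port> <mapped_port>"""
    real: str
    mapped: str
    real_port: int
    mapped_port: int

@dataclass
class DynamicPat:
    """nat (inside,outside) [n] after-auto source dynamic <sources> <mapped>"""
    sources: Set[str]                # empty set models the keyword "any"
    mapped: str

# Section 2: one static port-forward per service (imap4=143, www=80, https=443).
SECTION2: List[ObjectNat] = [ObjectNat(BARRACUDA, RESERVED, 25, 25)] + [
    ObjectNat(EXCHANGE, RESERVED, p, p) for p in (143, 587, 993, 80, 443)]

# Section 3: the "1 after-auto" mail-server PAT first, default PAT second.
SECTION3: List[DynamicPat] = [
    DynamicPat({BARRACUDA, EXCHANGE}, RESERVED),
    DynamicPat(set(), OUTSIDE_IF),    # nat (inside,outside) after-auto source dynamic any interface
]

def egress_ip(src_ip: str, src_port: int, section3: List[DynamicPat] = SECTION3) -> str:
    """Mapped source address seen on the outside for a flow the inside host starts."""
    for r in SECTION2:                # static NAT is bidirectional: a flow *from* the
        if r.real == src_ip and r.real_port == src_port:   # real port hits it too
            return r.mapped
    for r in section3:                # manual after-auto rules, in order
        if not r.sources or src_ip in r.sources:
            return r.mapped
    return src_ip                     # no rule matched: address left untranslated

def ingress_target(dst_port: int) -> Optional[Tuple[str, int]]:
    """Inside host and port a connection to RESERVED:dst_port is forwarded to."""
    for r in SECTION2:
        if r.mapped == RESERVED and r.mapped_port == dst_port:
            return r.real, r.real_port
    return None
```

Reversing SECTION3 in the call shows why the line number matters: with the default PAT first, both mail servers would leave with the outside interface address.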

Thanks for all the info Jouni.  Is there any reason why my original config in post 1 would not work? 

Hi,

The configuration I posted here is the one I've been using. I've never done the configuration the way you posted it, though I have seen similar ones posted on these forums. I can't at the moment say for sure if it would work or not as I haven't done the NAT that way before.

I could possibly test it with one of my test firewalls to check it out. At a glance it would seem though that you are trying to give 2 LAN hosts the same public IP address but don't have any Port Forwarding configurations at the NAT statements themselves.

To me personally it just seems "easier to the eye" to configure in the way I described.

I will reply here if I get the time to test this out and tell you how it went.

- Jouni

Very perceptive Jouni.

That's exactly what left me scratching my head.  I created that config using ASDM, but I was wondering if the NAT statements needed to be more granular, i.e., does each NAT need a specific port associated?  I wish Cisco had a good ASA simulator like they have for the switches/routers (Packet Tracer).  I may have to give GNS3 another try...
