10-09-2012 07:45 AM - edited 03-11-2019 05:06 PM
I want to forward smtp to one backend server (Barracuda) and then forward http/https, imap4, 587 and 993 to a different backend server (exch-01), but I want all outbound communication from these two servers to always appear to come from the same public IP (Public-IP-109).
Will this work and is this the best way to configure on ASA5510 v8.4? Thanks!
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
access-list outside_access_in extended permit tcp any object Barracuda eq smtp
access-list outside_access_in extended permit tcp any object exch-01 object-group Exchange_Inbound
nat (outside,inside) source static any any destination static Public-IP-109 Barracuda
nat (outside,inside) source static any any destination static Public-IP-109 exch-01
access-group outside_access_in in interface outside
10-09-2012 08:53 AM
Hi,
Do you only have one public IP address available? In other words, the public IP address assigned to the ASA's outside interface? In this case both servers share the same public IP address when someone is connecting to them through the Port Forwarding configuration or when the servers themselves are connecting to the outside network using the default PAT configuration.
Then you can simply do the following configuration for example
object network BARRACUDA-SMTP
 host a.a.a.a
 nat (inside,outside) static interface service tcp 25 25
object network EXCHANGE-IMAP4
 host b.b.b.b
 nat (inside,outside) static interface service tcp imap4 imap4
object network EXCHANGE-TCP587
 host b.b.b.b
 nat (inside,outside) static interface service tcp 587 587
object network EXCHANGE-TCP993
 host b.b.b.b
 nat (inside,outside) static interface service tcp 993 993
object network EXCHANGE-HTTP
 host b.b.b.b
 nat (inside,outside) static interface service tcp www www
object network EXCHANGE-HTTPS
 host b.b.b.b
 nat (inside,outside) static interface service tcp https https
Where
Default PAT configuration at its simplest could be
nat (inside,outside) after-auto source dynamic any interface
Or you could define the source address with "object-group" instead of the keyword "any" used above.
Naturally you will need to open up the services in the "outside" interface's inbound access-list using the local IP addresses in the access-list statements. You can enter them simply as "host a.a.a.a" or use the above object names that already contain the local IP address under them.
- Jouni
10-09-2012 09:12 AM
Jouni, sorry, no, not a single IP. I have a range of IPs, a /28, so the outside interface will be different than the .109 address. I'll have other mappings for www, ftp, etc., but the two mentioned in my first post are the most critical and the only ones that need to always use the .109 address for egress. Thanks!
10-09-2012 09:17 AM
Hi,
So are you saying that you have only one public IP address to dedicate for the use of these 2 servers? And not 1 IP address for both?
If you have only one public IP address to share between these 2 servers and still use other IP address for the outgoing traffic, just replace the keyword "interface" in my above configurations (The Port Forward ones, not PAT) with the public IP address you want to use. The keyword "interface" in the above configurations refers to the "outside" interface IP address.
After the mentioned configuration your 2 servers would be reachable with the ports configured and with the single IP address assigned.
The default PAT configuration, however, would make sure that the connections that the servers initiate to public networks would be visible with a different IP address than the one used for the Port Forward configurations. UNLESS the server initiates the connections with some of the ports defined in the Port Forward configurations. Then it will be visible with the Port Forward IP address.
- Jouni
10-09-2012 09:59 AM
To clarify, I need these two servers to always use the same outbound public IP due to reverse DNS lookup / mx records (they are mail related servers). To keep things simple, I'd like to use the same public IP as their ingress point too. All other servers can use the outside interface IP address of .100
10-09-2012 10:14 AM
Hi,
I might be making this harder for myself than it needs to be.
But if I understood you correctly, the following setup would be OK for you.
Taking into consideration the above, you could basically do the following (copy/paste and some edits of the already posted configurations):
object network BARRACUDA-SMTP
 host a.a.a.a
 nat (inside,outside) static c.c.c.c service tcp 25 25
object network EXCHANGE-IMAP4
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp imap4 imap4
object network EXCHANGE-TCP587
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp 587 587
object network EXCHANGE-TCP993
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp 993 993
object network EXCHANGE-HTTP
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp www www
object network EXCHANGE-HTTPS
 host b.b.b.b
 nat (inside,outside) static c.c.c.c service tcp https https
object network MAIL-SERVERS-PAT
 host c.c.c.c
object-group network MAIL-SERVERS-PAT-SOURCE
 network-object host a.a.a.a
 network-object host b.b.b.b
nat (inside,outside) after-auto 1 source dynamic MAIL-SERVERS-PAT-SOURCE MAIL-SERVERS-PAT
Where
- Jouni
10-09-2012 11:55 AM
Thanks for all the info Jouni. Is there any reason why my original config in post 1 would not work?
10-09-2012 12:08 PM
Hi,
The configuration I posted here is the one I've been using. I've never done the configuration the way you posted it, though I have seen similar ones posted on these forums. I can't at the moment say for sure if it would work or not, as I haven't done the NAT that way before.
I could possibly test it with one of my test firewalls to check it out. At a glance it would seem, though, that you are trying to give 2 LAN hosts the same public IP address but don't have any Port Forwarding configurations at the NAT statements themselves.
To me personally it just seems "easier to the eye" to configure in the way i described.
I will reply here if I get the time to test this out and tell you how it went.
- Jouni
10-09-2012 01:24 PM
Very perceptive Jouni.
That's exactly what left me scratching my head. I created that config using ASDM, but I was wondering if the NAT statements needed to be more granular, i.e., does each NAT need a specific port associated? I wish Cisco had a good ASA simulator like they have for the switches/routers (Packet Tracer). I may have to give GNS3 another try...
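The thread's open question (does the two-rule twice-NAT config from the first post work, and why does Jouni's object-NAT version need both the per-port statics and the "after-auto 1" PAT line?) comes down to how the ASA walks its NAT table: section 1 (manual NAT) in configured order, then section 2 (object NAT, static before dynamic), then section 3 (after-auto) in configured order, first match wins, with a port-specific static also claiming outbound traffic sourced from that port. The following is an added example, not code from the thread or from Cisco: a small Python model of that lookup, fed with the three configurations discussed above. The addresses (10.0.0.25 for the Barracuda, 10.0.0.26 for exch-01, 203.0.113.109 for Public-IP-109 and 203.0.113.100 for the outside interface) are constructed stand-ins for the a.a.a.a / b.b.b.b / c.c.c.c placeholders, and the model ignores ASA sub-ordering within section 2 (all hosts here are /32, so it does not matter).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One ASA NAT entry reduced to what the lookup needs (toy model, not the ASA parser)."""
    section: int                      # 1 = manual NAT, 2 = object (auto) NAT, 3 = after-auto manual NAT
    kind: str                         # "static" or "dynamic"
    real_src: Tuple[str, ...]         # real (inside) hosts the rule covers, or (ANY,)
    mapped_src: str                   # mapped (public) source address, or ANY for identity
    port: Optional[int] = None        # "service tcp P P" on a static object NAT; None = every port
    mapped_dst: Optional[str] = None  # twice NAT "destination static MAPPED REAL", inbound view
    real_dst: Optional[str] = None
    name: str = ""


def lookup_order(rules: List[Rule]) -> List[Rule]:
    """Section 1 in configured order, then section 2 (static before dynamic), then section 3."""
    sec1 = [r for r in rules if r.section == 1]
    sec2 = [r for r in rules if r.section == 2]
    sec2 = [r for r in sec2 if r.kind == "static"] + [r for r in sec2 if r.kind == "dynamic"]
    sec3 = [r for r in rules if r.section == 3]
    return sec1 + sec2 + sec3


def inbound(rules: List[Rule], dst_ip: str, dst_port: int):
    """Packet arriving on outside for dst_ip:dst_port -> (real host, rule name) or (None, None)."""
    for r in lookup_order(rules):
        if r.kind != "static":
            continue                        # dynamic PAT never creates an inbound mapping
        if r.port is not None and r.port != dst_port:
            continue
        if r.section == 1:
            if r.mapped_dst == dst_ip:      # first twice-NAT rule for this mapped IP wins
                return r.real_dst, r.name
        elif r.mapped_src == dst_ip:        # static object NAT is bidirectional: mapped -> real
            return r.real_src[0], r.name
    return None, None


def outbound(rules: List[Rule], src_ip: str, src_port: int):
    """Connection from inside src_ip:src_port -> (mapped source address, rule name)."""
    for r in lookup_order(rules):
        if r.section == 1:
            continue   # the (outside,inside) twice-NAT rules are modelled for the inbound path only
        if ANY not in r.real_src and src_ip not in r.real_src:
            continue
        if r.kind == "static" and r.port is not None and r.port != src_port:
            continue   # a port-specific static only grabs outbound traffic sourced from that port
        return r.mapped_src, r.name
    return src_ip, None


# Constructed addresses standing in for the thread's placeholders (RFC 5737 / RFC 1918 space).
BARRACUDA, EXCH = "10.0.0.25", "10.0.0.26"          # a.a.a.a, b.b.b.b
PUBLIC_109, OUTSIDE_IF = "203.0.113.109", "203.0.113.100"  # c.c.c.c, outside interface (.100)

# First post: two twice-NAT rules, same mapped IP, no service -> the second is shadowed.
ORIGINAL = [
    Rule(1, "static", (ANY,), ANY, mapped_dst=PUBLIC_109, real_dst=BARRACUDA, name="twice-nat barracuda"),
    Rule(1, "static", (ANY,), ANY, mapped_dst=PUBLIC_109, real_dst=EXCH, name="twice-nat exch-01"),
]

# Jouni's per-port object NAT statics, all on the single public IP.
STATICS = [
    Rule(2, "static", (BARRACUDA,), PUBLIC_109, port=25, name="BARRACUDA-SMTP"),
    Rule(2, "static", (EXCH,), PUBLIC_109, port=143, name="EXCHANGE-IMAP4"),
    Rule(2, "static", (EXCH,), PUBLIC_109, port=587, name="EXCHANGE-TCP587"),
    Rule(2, "static", (EXCH,), PUBLIC_109, port=993, name="EXCHANGE-TCP993"),
    Rule(2, "static", (EXCH,), PUBLIC_109, port=80, name="EXCHANGE-HTTP"),
    Rule(2, "static", (EXCH,), PUBLIC_109, port=443, name="EXCHANGE-HTTPS"),
]
DEFAULT_PAT = Rule(3, "dynamic", (ANY,), OUTSIDE_IF, name="after-auto source dynamic any interface")
MAIL_PAT = Rule(3, "dynamic", (BARRACUDA, EXCH), PUBLIC_109, name="after-auto 1 MAIL-SERVERS-PAT")

INTERMEDIATE = STATICS + [DEFAULT_PAT]            # statics on .109 + default PAT only
ACCEPTED = STATICS + [MAIL_PAT, DEFAULT_PAT]      # the accepted answer ("after-auto 1" first)
MISORDERED = STATICS + [DEFAULT_PAT, MAIL_PAT]    # what you get without the line number 1


if __name__ == "__main__":
    print("original, .109:993 ->", inbound(ORIGINAL, PUBLIC_109, 993))
    print("accepted, .109:993 ->", inbound(ACCEPTED, PUBLIC_109, 993))
    print("intermediate, barracuda sport 40000 ->", outbound(INTERMEDIATE, BARRACUDA, 40000))
    print("accepted, exch sport 40000 ->", outbound(ACCEPTED, EXCH, 40000))
```

Running it shows the three behaviours the thread circles around: under ORIGINAL every port on .109 lands on the Barracuda because the first section-1 rule matches before the exch-01 one is ever consulted; under INTERMEDIATE the mail servers egress as .100 unless the connection happens to be sourced from a forwarded port (the caveat in Jouni's 09:17 reply); and under ACCEPTED both servers egress as .109 only because the MAIL-SERVERS-PAT line sits ahead of the catch-all, which is what the "1" in "after-auto 1" buys you.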