cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12656
Views
0
Helpful
4
Replies

ASA 5510 Multiple Public IP - Static NAT Issue - Dynamic PAT - SMTP

jberres0120
Level 1
Level 1

Running into a little bit of a roadblock and hoping someone can help me figure out what the issue is.  My guess right now is that it has something to do with dynamic PAT.

Essentially, I have a block of 5 static public IP's.  I have 1 assigned to the interface and am using another for email/webmail.  I have no problems accessing the internet, receving emails, etc...  The issue is that the static NAT public IP for email is using the outside IP instead of the one assigned through the static NAT.  I would really appreciate if anyone could help shed some light as to why this is happening for me.  I always thought a static nat should take precidence in the order of things.

Recap:

IP 1 -- 10.10.10.78 is assigned to outside interface.  Dynamic PAT for all network objects to use this address when going out.

IP 2 -- 10.10.10.74 is assgned through static nat to email server.  Email server should respond to and send out using this IP address.

Email server gets traffic from 10.10.10.74 like it is supposed to, but when sending out shows as 10.10.10.78 instead of 10.10.10.74.

Thanks in advance for anyone that reads this and can lend a hand.

- Justin

Here is my running config (some items like IP's, domain names, etc... modified to hide actual values; ignore VPN stuff -- still work in progress):

ASA Version 8.4(3)

!

hostname MYHOSTNAME

domain-name MYDOMAIN.COM

enable password msTsgJ6BvY68//T7 encrypted

passwd msTsgJ6BvY68//T7 encrypted

names

!

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 10.10.10.78 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.2 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name MYDOMAIN.COM

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network inside-network

subnet 192.168.2.0 255.255.255.0

object network Email

host 192.168.2.7

object network Webmail

host 192.168.2.16

object network WebmailSecure

host 192.168.2.16

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit icmp any any

access-list VPN_Split_Tunnel_List remark The corporate network behind the ASA (inside)

access-list VPN_Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0

access-list outside_access_in extended deny icmp any any

access-list outside_access_in extended permit tcp any object Email eq smtp

access-list outside_access_in extended permit tcp any object Webmail eq www

access-list outside_access_in extended permit tcp any object WebmailSecure eq https

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network Email

nat (inside,outside) static 10.10.10.74 service tcp smtp smtp

object network Webmail

nat (inside,outside) static 10.10.10.74 service tcp www www

object network WebmailSecure

nat (inside,outside) static 10.10.10.74 service tcp https https

access-group outside_access_in in interface outside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 10.10.10.73 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server MYDOMAIN protocol kerberos

aaa-server MYDOMAIN (inside) host 192.168.2.8

kerberos-realm MYDOMAIN.COM

aaa-server MYDOMAIN (inside) host 192.168.2.9

kerberos-realm MYDOMAIN.COM

aaa-server MY-LDAP protocol ldap

aaa-server MY-LDAP (inside) host 192.168.2.8

ldap-base-dn DC=MYDOMAIN,DC=com

ldap-group-base-dn DC=MYDOMAIN,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com

server-type microsoft

aaa-server MY-LDAP (inside) host 192.168.2.9

ldap-base-dn DC=MYDOMAIN,DC=com

ldap-group-base-dn DC=MYDOMAIN,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=SOMEUSER,CN=Users,DC=MYDOMAIN,DC=com

server-type microsoft

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 inside

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

email administrator@MYDOMAIN.com

subject-name CN=MYHOSTNAME

ip-address 10.10.10.78

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate e633854f

    30820298 30820201 a0030201 020204e6 33854f30 0d06092a 864886f7 0d010105

    0500305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609

    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886

    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43

    4f4d301e 170d3132 30343131 30373431 33355a17 0d323230 34303930 37343133

    355a305e 31143012 06035504 03130b47 46472d53 55532d41 53413146 301a0609

    2a864886 f70d0109 08130d39 382e3130 302e3232 322e3738 30280609 2a864886

    f70d0109 02161b47 46472d53 55532d41 53412e47 46472d50 4541424f 44592e43

    4f4d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b4

    aa6e27de fbf8492b 74ba91aa e0fd8361 e0e85a31 f95c380d 6e5f43ac a695a810

    f50e893b 82b91870 a32f7e38 8f392607 7a69c814 36a71a9c 2dccca07 24fe7f88

    0f3451ed c64e85fc 8359c87e 62ebf166 0a570ac5 f9f1c64b 262eca66 ea05ab65

    78da1ac2 9867a115 b14a6ba1 cd82d04e 00fc6557 856f7c04 ab1b08a0 b9de8b02

    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f

    0101ff04 04030201 86301f06 03551d23 04183016 801430cf 97ef92bb 678e3ba3

    0002069c 8130550a 2664301d 0603551d 0e041604 1430cf97 ef92bb67 8e3ba300

    02069c81 30550a26 64300d06 092a8648 86f70d01 01050500 03818100 64c403bd

    d75717ab 24383e77 63e10ba7 4fdef625 73c5a952 19ceecbd 75bd23ca 86dc0298

    e6693a8a 2c7fb85f 096497a7 8d784ada a433ee0d d88e9219 f0615f3c 7814bf1c

    5b4fe847 7d8894eb 18fe2da7 05f15ae9 bc2c17ec 3a7831ee f95d6ced 4799fba2

    781c8228 48224843 dc07ebb5 d20abf2a b68cfa62 ac71a41b 1196a018

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 enable inside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.2.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 20

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.2.8 source inside prefer

ssl trust-point ASDM_TrustPoint0 inside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

enable inside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1

anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

group-policy GroupPolicy_VPN internal

group-policy GroupPolicy_VPN attributes

wins-server value 192.168.2.8 192.168.2.9

dns-server value 192.168.2.8 192.168.2.9

vpn-filter value VPN_Split_Tunnel_List

vpn-tunnel-protocol ikev2 ssl-client

group-lock value VPN

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Split_Tunnel_List

default-domain value MYDOMAIN.COM

webvpn

  anyconnect profiles value VPN_client_profile type user

group-policy GroupPolicy-VPN-LAPTOP internal

group-policy GroupPolicy-VPN-LAPTOP attributes

wins-server value 192.168.2.8 192.168.2.9

dns-server value 192.168.2.8 192.168.2.9

vpn-filter value VPN_Split_Tunnel_List

vpn-tunnel-protocol ikev2

group-lock value VPN-LAPTOP

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Split_Tunnel_List

default-domain value MYDOMAIN.COM

webvpn

  anyconnect profiles value VPN_client_profile type user

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

authentication-server-group MYDOMAIN

default-group-policy GroupPolicy_VPN

dhcp-server 192.168.2.8

dhcp-server 192.168.2.9

dhcp-server 192.168.2.10

tunnel-group VPN webvpn-attributes

group-alias VPN enable

tunnel-group VPN-LAPTOP type remote-access

tunnel-group VPN-LAPTOP general-attributes

authentication-server-group MY-LDAP

default-group-policy GroupPolicy-VPN-LAPTOP

dhcp-server 192.168.2.8

dhcp-server 192.168.2.9

dhcp-server 192.168.2.10

tunnel-group VPN-LAPTOP webvpn-attributes

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:951faceacf912d432fc228ecfcdffd3f

1 Accepted Solution

Accepted Solutions

etamminga
Spotlight
Spotlight

Create a NAT rule for the email server to present itself on the outside using the ip address you want it to have, don't mention that you need the NAT for smtp only. Filter the services you want the outside to have access to on the outside interface using ordinary firewall rules.

Inside source=private ip address email server

Translated source=public ip address email server

Regards,

Erik

Sent from Cisco Technical Support iPad App

View solution in original post

4 Replies 4

Hi ,

As per you config :

object network obj_any

nat (inside,outside) dynamic interface

object network Email

nat (inside,outside) static 10.10.10.74 service tcp smtp smtp

object network Webmail

nat (inside,outside) static 10.10.10.74 service tcp www www

object network WebmailSecure

nat (inside,outside) static 10.10.10.74 service tcp https https

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network inside-network

subnet 192.168.2.0 255.255.255.0

object network Email

host 192.168.2.7

object network Webmail

host 192.168.2.16

object network WebmailSecure

host 192.168.2.16

The flows from email server ( 192.168.2.7 ) , will be NATed to 10.10.10.74, only if the source port is TCP/25. Any other souce port will use the interface IP for NAT.

  Are you saying that this is not happening ?

Dan

Hi Dan,

Correct.  I found a small mistake I made in that I am not yet routing out through my front end server (incoming goes to one server, outgoing goes out through another).  Stupid mistake on my part -- however --  I added an overlapping static nat for the SMTP service and still running into the same issue where it's using the outside IP instead of the one stated in NAT.  It warns me about the overlap, but I should still be able to use it for my purposes I believe.

Basically the following lines get added to the config:

object Email-Outgoing

nat (inside,outside) static 10.10.10.74 service tcp smtp smtp

object Email-Outgoing

host 192.168.2.16

Tested, and same results.  Still not using the nat'd IP.

Am I missing something or doing something wrong?

Thanks,

Justin

etamminga
Spotlight
Spotlight

Create a NAT rule for the email server to present itself on the outside using the ip address you want it to have, don't mention that you need the NAT for smtp only. Filter the services you want the outside to have access to on the outside interface using ordinary firewall rules.

Inside source=private ip address email server

Translated source=public ip address email server

Regards,

Erik

Sent from Cisco Technical Support iPad App

Thanks Erik.

Must be using something other than 25 for some reason -- as this is just an outgoing only server I guess I don't care. 

I simply changed the service under my NAT rule for Email-Outgoing to any instead of specifying SMTP, and sure enough -- the right IP is now being used.

Thanks for putting me on the right path.

Thank you too Dan for helping me find another "oops" in the process.

Justin

Review Cisco Networking for a $25 gift card