cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3035
Views
0
Helpful
11
Replies

ASA 5515 change Outside IP address

Hi guys,

I have a working ASA 5515 configuration that now working fine.

Outside interface is 110.74.132.50/29.

Now customer want to change the Outside interface to 110.74.132.52/29 because they said that some email can't get through because of fail SPF check.

I can change the interface but wouldn't it will effect the existing NAT??? mostly NAT that already point to 110.74.132.52???

Below is the configuration

=====================

: Saved
:
ASA Version 9.1(2) 
!
hostname ASHFW01
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 110.74.132.50 255.255.255.248 
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 12
 nameif VLAN12
 security-level 100
 ip address 10.1.12.254 255.255.255.0 
!
interface GigabitEthernet0/1.2
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 10.1.20.254 255.255.255.0 
!
interface GigabitEthernet0/1.3
 vlan 30
 nameif VLAN30
 security-level 100
 ip address 10.1.30.254 255.255.255.0 
!
interface GigabitEthernet0/1.4
 vlan 50
 nameif VLAN50
 security-level 100
 ip address 10.1.50.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer-RDP
 host 10.1.12.13
object network Exch-SMTP
 host 10.1.20.2
object network Exch-POP3
 host 10.1.20.2
object network Exch-SMTPS
 host 10.1.20.2
object network Exch-RDP
 host 10.1.20.2
object network MgmtSvr-RDP
 host 10.1.12.30
object network Exch-HTTPS
 host 10.1.20.2
object network Exch-HTTP
 host 10.1.20.2
object network Portal
 host 10.1.12.14
 description Portal
object service Portal80
 service tcp source eq www destination eq www 
 description Portal80
object service SalesMobile9090
 service tcp destination eq 9090 
 description SalesMobile9090
object network MgmtSvr
 host 10.1.12.30
object network TerminalServer
 host 10.1.12.13
object network ExchServer
object network ExchSvr
 host 10.1.20.2
object service smtp2
 service tcp destination eq 587 
object network SalesMobile
 host 10.1.12.14
 description SalesMobile
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object MgmtSvr
 network-object object TerminalServer
 network-object object Exch-RDP
object-group service Exch-Services
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq pop3 
 service-object object smtp2 
 service-object tcp destination eq smtp 
object-group network DM_INLINE_NETWORK_2
 network-object object Exch-HTTP
 network-object object Exch-HTTPS
 network-object object Exch-POP3
 network-object object Exch-SMTP
 network-object object Exch-SMTPS
access-list outside_access_in extended permit icmp any4 any 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group rdp 
access-list outside_access_in extended permit tcp any object Portal eq www 
access-list outside_access_in extended permit object SalesMobile9090 any object SalesMobile 
access-list outside_access_in extended permit ip any object-group DM_INLINE_NETWORK_2 
access-list outside_access_in extended deny ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer-RDP
 nat (VLAN12,outside) static 110.74.132.51 service tcp 3389 3389 
object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp 
object network Exch-POP3
 nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3 
object network Exch-SMTPS
 nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587 
object network Exch-RDP
 nat (VLAN20,outside) static 110.74.132.52 service tcp 3389 3389 
object network MgmtSvr-RDP
 nat (VLAN12,outside) static 110.74.132.53 service tcp 3389 3389 
object network Exch-HTTPS
 nat (VLAN20,outside) static 110.74.132.52 service tcp https https 
object network Exch-HTTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp www www 
object network Portal
 nat (VLAN12,outside) static 110.74.132.51 service tcp www www 
object network SalesMobile
 nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090 
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 110.74.132.49 1

 

1 Accepted Solution

Accepted Solutions

Hi,

No , actually..

You need to remember that the Static PAT Ex.:-

object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp 

Will allow the Inbound connection on the SMTP port. But for the Traffic outbound , it the source port is smtp[unlikely as the shource port is randomly selected for every connection] , then only the Mapped Ip will be 110.74.132.52 , otherwise it will use the Interface Dynamic PAT.

Thus to get this to work , you need all the Static PAt statements as well as the Dynamic NAT for the outbound connection with it.

This should resolve the issue for you.

Also , once you apply this configuration , clear out the previous connections for the server as there might be some still using the interface ip.

clear local-host <IP address>

Thanks and Regards,

Vibhor Amrodia

View solution in original post

11 Replies 11

Vibhor Amrodia
Cisco Employee
Cisco Employee

Hi,

This is just an assumption on the basis of the issue that i have seen , the outbound traffic must be using the interface IP for the Interface PAT and that's why they want you to change the Interface IP itself so that both Inbound and outbound traffic uses .52

We can specifically NAT the EMAIL server internal IP to use this .52 address for outbound connections as well and i think that should resolve this issue without changing the Interface IP.

Something like this:-

object network obj-EMAILSRV

host <ip>

nat (inside,outside) dynamic .52

Thanks and Regards,

Vibhor Amrodia

hi Vibhor,

You're right, they insist for the traffic to go out using .52. They said it will resolve the SPF issues.

so your advise is i remove below

object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp 
object network Exch-POP3
 nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3 
object network Exch-SMTPS
 nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587 

 

and substitute with  

object network obj-ExchageServer

host 10.1.20.2

NAT (inside,outside) dynamic 110.74.132.52

Hi,

No , actually..

You need to remember that the Static PAT Ex.:-

object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp 

Will allow the Inbound connection on the SMTP port. But for the Traffic outbound , it the source port is smtp[unlikely as the shource port is randomly selected for every connection] , then only the Mapped Ip will be 110.74.132.52 , otherwise it will use the Interface Dynamic PAT.

Thus to get this to work , you need all the Static PAt statements as well as the Dynamic NAT for the outbound connection with it.

This should resolve the issue for you.

Also , once you apply this configuration , clear out the previous connections for the server as there might be some still using the interface ip.

clear local-host <IP address>

Thanks and Regards,

Vibhor Amrodia

Hi all, 

Thanks for all the contribution. 
Yes case resolved.

Hi,

From your posted configuration, I can see that your Exchange server is already using the public ip 110.74.132.52, means that email server is already seen to the internet (outside world) with that public ip, so if your intention to change the ASA outside ip address is to let the Exchange server exit with the ip address 110.74.132.52 then that would not solve any issue since as mentioned before that Exchange server is already mapped to the ip address 110.74.133.52. I would try to solve the SPF issue by adding the appropriate SPF record on the registrant provider, ASA would not be the cause of SPF checking failure instead it would be due to some misconfigured or missing SPF record at the registrant, but beside that, please note that if you go to assign the ASA outside interface with the same ip address used in the static natting (110.74.132.52) you would lose all those static nats mapped to that ip address, ASA would delete them all.

Regards,

Aref

Hi, 

I did try to change it to. 52, NAT is not working,. It says that it is overlap with the Outside interface.

i try telnet 110.74.132.52 <port> (25,587,110,80) from outside, all is not working after change to .52

from my past experience, i did similar configuration of NAT to exchange server using other model of FW, the only different is the public IP is /30. The outside interface is the 10.x.x.b, and able to do NAT.

The only different with above config is the public ip is /29.

As mentioned in my previous post, you would still be able to do nat, it is possibile, but as I told you before, in case you are going to use the same ip address used on the outside interface, you need to use the keyword "interface" in the nat statement instead of the ip address itself.

Regards,

Aref

Hi,

Apologies for the delay.

Have you tried the Dynamic NAT with the .52 IP ?

If yes , send a packet tracer for the email server trying to go to the internet ?

packet input inside <Server Private IP> tcp <IP address> 3456 4.2.2.2 80 det

When you use a Static PAT , the device mapped to the port wil never use the same mapped IP for the Outbound traffic.

Let me know how it goes ?

Thanks and Regards,

Vibhor Amrodia

i did do the dynamic NAT as below

object network obj-Exch
 nat (VLAN20,outside) dynamic 110.74.132.52

 

here is the packet tracer

=~=~=~=~=~=~=~=~=~=~=
packet input VLAN20 tcp 10.1.20.2 3456 4.2.2.2 80 det
 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
 
Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network obj-Exch
 nat (VLAN20,outside) dynamic 110.74.132.52
Additional Information:
Dynamic translate 10.1.20.2/3456 to 110.74.132.52/3456
 Forward Flow based lookup yields rule:
 in  id=0x7fff29380920, priority=6, domain=nat, deny=false
hits=143, user_data=0x7fff2a78b150, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.20.2, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=VLAN20, output_ifc=outside
 
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b7e5b0, priority=0, domain=nat-per-session, deny=false
hits=34718, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a6907c0, priority=0, domain=inspect-ip-options, deny=true
hits=16570, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=VLAN20, output_ifc=any
 
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) after-auto source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff29d52ee0, priority=6, domain=nat-reverse, deny=false
hits=10050, user_data=0x7fff2a7f2240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
 
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff29b7e5b0, priority=0, domain=nat-per-session, deny=false
hits=34720, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2a5dd570, priority=0, domain=inspect-ip-options, deny=true
hits=22591, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
 
Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 25944, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Result:
input-interface: VLAN20
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
 
 
ASHFW01# 

That would be normal, since you assigned that ip address on the outside interface, but you would still be able to do it by using the "interface" key instead of the ip address, example:

object network Exch-SMTP
 nat (VLAN20,outside) static interface service tcp smtp smtp

Regards,

Aref

Review Cisco Networking for a $25 gift card