10-07-2013 11:13 AM - edited 03-11-2019 07:48 PM
Hi all,
Here is my network setup; I am going to get the ASA 5515X device.
I have 3 different local networks and 2 WAN connections.
LAN1 -- 10.1.1.0/24 -- local users
LAN2 -- 10.1.2.0/24 -- servers
LAN3 -- 10.1.3.0/24 -- guest internet
WAN1 -- ADSL line with dynamic IP (internet for the local users and guests)
WAN2 -- leased line with static IP (for email and web applications)
These are my network details.
1. I want to pass all the internet traffic through the ADSL line (users and guest users).
2. For servers like email and application, the internet traffic has to go with ADSL, but the port forwarding for email and web apps goes through the leased line, and only for the email server the internet traffic also needs to pass through the leased line.
3. I know that by default in the ASA 5500 series we cannot add 2 default routes.
Is there any change in the 5515X series, or otherwise can we achieve this by NAT & global commands?
4. The server and local networks should be able to communicate; I don't have any L3 device, so we need to allow traffic between the different zones.
Thanks in advance, waiting for points.
cyril
10-16-2013 11:31 PM
Hi,
I guess you reverted the configurations to get it working again?
I would have liked the "packet-tracer" output simulating the connections that weren't working at the moment of your last post.
It seems to me though that one problem might have been with the "Edge_Email" server. This is because you seem to use the same public IP address for servers behind 2 different interfaces, and you had those special Dynamic PAT configurations I suggested in between the Static PAT (Port Forward) configurations. That Dynamic PAT configuration might have stopped a couple of the last Static PAT configurations from working.
So I would really need to know what the specific problem was the last time so we can avoid causing any further problems for any users.
If I had to guess on the basis of the attached configuration what the problem was, then I would guess that it was the following:
nat (inside,Server) source static LAN-NW LAN-NW destination static Server_NW Server_NW
nat (dmz,Server) source static DMZ_NW DMZ_NW destination static Server_NW Server_NW
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
nat (Server,LL) source dynamic Email_Srv Email-Pub destination static ALL ALL
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (dmz,LL) source dynamic Edge_Email Email-Pub destination static ALL ALL
The "nat" marked in RED should have been moved to the bottom so it won't interfere with the 2 Static PAT configurations below marked in GREEN.
- Jouni
10-07-2013 11:41 AM
Hi,
The 2.) section is a bit confusing. You first say that the EMAIL and APP servers need to use the ADSL connection. Then you mention that incoming connections should be possible for the EMAIL and APP servers from the LEASED connection. And finally you mention the EMAIL server should use LEASED?
So which way is it? Should the EMAIL server use ADSL for outbound connections or LEASED? Or do you perhaps want some outbound connections from the EMAIL server to use ADSL and some to use LEASED?
Essentially you can let the ADSL interface on the ASA install the active default route for the ASA, and you can then (if needed) use NAT configurations on the ASA to force the required traffic out of the LEASED link. The LEASED interface will also require a default route configured statically, but it should then be configured with a worse distance metric.
With the above idea you could essentially have your users and servers use the ADSL line for outbound connections while external users could still connect to the servers through the LEASED connection, even though it doesn't hold the active default route.
Now if you wanted some of the EMAIL server traffic to go out of LEASED rather than the ADSL connection (perhaps send the mail through LEASED but all other traffic through ADSL?) then you would have to resort to a NAT configuration to handle the forwarding of that traffic through LEASED, while even after that all other traffic from the EMAIL server would flow outbound through the ADSL link.
So first we would have to make it clear through which external connection the servers should form their connections. Since it seems you want to use the ADSL line mainly for all connections formed outbound from your LAN/DMZ networks, it should be pretty simple to configure.
- Jouni
10-07-2013 08:49 PM
Hi Jouni,
Sorry for the confusion.
If I need to route all the traffic through the leased line only for the email servers,
how can I configure the NAT config?
Example: nat (server) 2 10.1.2.10 255.255.255.255
global (LL) 2 XX.XX.XX.XX -- leased line IP
Is that correct?
Thanks
cyril
10-08-2013 03:46 AM
Hi,
The "global" and "nat" configurations you mention above don't exist anymore on the newer ASA firewalls and new software levels. The NAT configuration format and operation were totally overhauled in the 8.3 software, and the minimum software level for your new ASA5500-X Series unit is 8.6(1).
Here are some basic configurations which I assume you would need. Most of them are very basic, but when we are talking about manipulating the WAN interface chosen for some hosts then we need a bit of unordinary NAT configuration.
Do take into account that I have not tested these specific configurations in a live network environment or network lab.
interface GigabitEthernet0/0
description ADSL
nameif ADSL
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
description LEASED
nameif LEASED
security-level 0
ip address 1.1.1.2 255.255.255.248
route LEASED 0.0.0.0 0.0.0.0 1.1.1.1 254
interface GigabitEthernet0/2
description LOCAL USERS
nameif LAN
security-level 100
ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/3
description SERVERS
nameif SERVER
security-level 50
ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/4
description GUEST
nameif GUEST
security-level 10
ip address 10.1.3.1 255.255.255.0
object network LAN
subnet 10.1.1.0 255.255.255.0
object network SERVERS
subnet 10.1.2.0 255.255.255.0
object network GUEST
subnet 10.1.3.0 255.255.255.0
object network MAIL-SERVER
host 10.1.2.100
object service SMTP-IN
service tcp source eq 25
object network ANY-0.0.0.0-1
subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
subnet 128.0.0.0 128.0.0.0
object-group network ALL
network-object object ANY-0.0.0.0-1
network-object object ANY-128.0.0.0-1
(Section 1 Manual NAT)
nat (LAN,SERVER) source static LAN LAN destination static SERVERS SERVERS
nat (SERVER,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN
nat (SERVER,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL
(No Section 2 Auto NAT used!)
(Section 3 Manual NAT)
nat (LAN,ADSL) after-auto source dynamic LAN interface
nat (SERVER,ADSL) after-auto source dynamic SERVERS interface
nat (GUEST,ADSL) after-auto source dynamic GUEST interface
The idea with the above configurations is that we
I would imagine it's a bit hard to explain why the above NAT configurations look like that, so I had probably best go through them in order from top to bottom (the order in which the ASA processes them) to try to clear things up. Again I have to note though that this is not a tested configuration.
nat (LAN,SERVER) source static LAN LAN destination static SERVERS SERVERS
The above configuration is inserted first to make sure that local traffic between the LAN and SERVER networks will work and won't be affected by the NAT rules that follow.
nat (SERVER,LEASED) source static MAIL-SERVER interface service SMTP-IN SMTP-IN
The above configuration is inserted next to basically configure Static PAT (Port Forward) so that the MAIL-SERVER can be contacted through the LEASED connection. Again, ordering the NAT rule like this is key so that the following rule doesn't interfere with its operation.
nat (SERVER,LEASED) source dynamic MAIL-SERVER interface destination static ALL ALL
The above configuration is probably the most unusual one. This essentially specifies that the MAIL-SERVER should be Dynamic PATed to the LEASED interface IP address when its destination is ANY destination IP address. This will essentially mean that the traffic from the MAIL-SERVER will be forwarded out through the LEASED interface (EXCEPT for the first mentioned traffic between the LAN and SERVER interfaces).
nat (LAN,ADSL) after-auto source dynamic LAN interface
nat (SERVER,ADSL) after-auto source dynamic SERVERS interface
nat (GUEST,ADSL) after-auto source dynamic GUEST interface
The above configurations are just normal Dynamic PAT configurations for all the local networks, and they use the ADSL interface. There is no default route in the above configurations for the ADSL interface because the interface is configured to get the default route automatically through the DHCP process with the parameter "setroute".
Naturally you will have to take into account that the above configurations just enable one server to use the LEASED interface and only forward a single service through the LEASED interface. So judging from your original post you would probably need Static PAT (Port Forward) configurations for other services and even other servers. You might also need NAT configurations that forward other servers' traffic only through the LEASED interface.
Hope this made some sense.
Please do remember to mark a reply as the correct answer if it answered your question or rate helpful answers.
Feel free to ask more if needed though.
- Jouni
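The top-to-bottom, first-match processing Jouni walks through above, and the reordering in the accepted answer (moving the Dynamic PAT rule for Email_Srv below the two Edge_Email port forwards), as an added example written for this thread; it is not Cisco code and not the ASA's real lookup. It is a simplified model that assumes an inbound flow whose first hit is a dynamic PAT rule is dropped (the behaviour the accepted answer describes); object names and addresses come from the posted configuration, and the Internet client address is constructed.

```python
# Simplified model of the ASA Section 1 (manual) NAT table: rules are tried
# top to bottom and the first match wins, in the forward (real -> mapped) and
# the reverse (mapped -> real, i.e. un-NAT of inbound traffic) direction.
# Added example for this thread, not Cisco code. Object names and addresses
# come from the posted configuration; the Internet client is constructed.
import ipaddress
from dataclasses import dataclass

OBJECTS = {
    "LAN-NW": "10.10.10.0/24", "Server_NW": "10.25.31.0/27",
    "DMZ_NW": "172.16.0.0/28", "Email_Srv": "10.25.31.16/32",
    "Edge_Email": "172.16.0.2/32", "Email-Pub": "83.111.102.180/32",
    "ALL": "0.0.0.0/0",
}

@dataclass(frozen=True)
class Rule:
    ingress: str        # first interface in "nat (ingress,egress)"
    egress: str
    kind: str           # "static" (bidirectional) or "dynamic" (outbound only)
    real_src: str
    mapped_src: str
    dst: str = "ALL"    # "destination static X X" object (identity only)
    port: int = 0       # static PAT service port; 0 = any port

def _in(addr, obj):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(OBJECTS[obj])

def first_match(rules, ingress, src, sport, dst, dport):
    """Return (index, rule, direction) for the first rule the flow hits, or None."""
    for i, r in enumerate(rules):
        if (ingress == r.ingress and _in(src, r.real_src) and _in(dst, r.dst)
                and r.port in (0, sport)):
            return i, r, "forward"
        if (ingress == r.egress and _in(dst, r.mapped_src) and _in(src, r.dst)
                and r.port in (0, dport)):
            return i, r, "reverse"
    return None

def inbound_ok(rules, ingress, src, sport, dst, dport):
    """Inbound connections need a static rule: dynamic PAT has no fixed reverse
    mapping, so a flow whose first hit is a dynamic rule is dropped."""
    m = first_match(rules, ingress, src, sport, dst, dport)
    return m is not None and m[2] == "reverse" and m[1].kind == "static"

# The Section 1 table quoted in the 10-16 post, in the order cyril had it.
IDENTITY = [Rule("inside", "Server", "static", "LAN-NW", "LAN-NW", "Server_NW"),
            Rule("dmz", "Server", "static", "DMZ_NW", "DMZ_NW", "Server_NW")]
SRV_PAT = [Rule("Server", "LL", "static", "Email_Srv", "Email-Pub", port=p)
           for p in (443, 143, 465, 993)]
SRV_DYN = Rule("Server", "LL", "dynamic", "Email_Srv", "Email-Pub")  # the RED rule
DMZ_PAT = [Rule("dmz", "LL", "static", "Edge_Email", "Email-Pub", port=p)
           for p in (25, 80)]                                       # the GREEN rules
DMZ_DYN = Rule("dmz", "LL", "dynamic", "Edge_Email", "Email-Pub")

BROKEN = IDENTITY + SRV_PAT + [SRV_DYN] + DMZ_PAT + [DMZ_DYN]
FIXED = IDENTITY + SRV_PAT + DMZ_PAT + [SRV_DYN, DMZ_DYN]  # dynamic PAT moved last

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        i, r, d = first_match(table, "LL", client, 40000, "83.111.102.180", 25)
        ok = inbound_ok(table, "LL", client, 40000, "83.111.102.180", 25)
        print(f"{name}: SMTP to Email-Pub hits rule {i + 1} ({r.kind}, {d}), accepted={ok}")
```

Outbound mail from Email_Srv lands on the dynamic rule in either order, so the egress stays LL; only the inbound port forwards for Edge_Email change behaviour with the reordering.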
10-10-2013 05:43 AM
Hi Jouni,
Here is my config.
My internet and PAT are working; it's only that my email server has to NAT all its traffic with the specific IP,
and that is not happening.
Because of that my mail server is not authenticating the email, because it is going out with the ADSL IP address.
ASA Version 9.1(1)
!
hostname ALAIN-FW
enable password ZYx9xaV1.cM.IUcY encrypted
passwd M5Z8qN9wxh2rt.Wo encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.45.2 255.255.255.248
!
interface GigabitEthernet0/1
nameif LL
security-level 0
ip address X.X.X.X 255.255.255.252
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.10.10.213 255.255.255.0
!
interface GigabitEthernet0/3
nameif Server
security-level 100
ip address 10.25.31.1 255.255.255.224
!
interface GigabitEthernet0/4
nameif dmz
security-level 100
ip address 172.16.0.1 255.255.255.240
!
interface GigabitEthernet0/5
nameif Guest
security-level 10
ip address 192.168.74.129 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network LAN-NW
subnet 10.10.10.0 255.255.255.0
object network Server_NW
subnet 10.25.31.0 255.255.255.224
object network Guest_NW
subnet 192.168.74.0 255.255.255.0
object network DMZ_NW
subnet 172.16.0.0 255.255.255.240
object network Email_Srv
host 10.25.31.16
object network Edge_Email
host 172.16.0.2
object service Eamil-993
service tcp source eq 993
object service Email-143
service tcp source eq imap4
object service Email-465
service tcp source eq 465
object service Email_443
service tcp source eq https
object service Edge_25
service tcp source eq smtp
object service Edge_80
service tcp source eq www
object network Email-Pub
host 83.111.102.180
object network All
subnet 0.0.0.0 0.0.0.0
object service Email-443
service tcp source eq https
object-group service Email_Service_Srv
service-object object Email-143
service-object object Eamil-993
service-object object Email-465
service-object object Email_443
object-group service Edge_Email_DMZ
service-object object Edge_25
service-object object Edge_80
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.25.31.0 255.255.255.224
access-list DMZ-In extended permit ip 172.16.0.0 255.255.255.240 10.10.10.0 255.255.255.0
access-list DMZ-In extended permit ip host 172.16.0.2 any log
access-list LL-Server extended permit tcp any object Email_Srv eq 993
access-list LL-Server extended permit tcp any object Email_Srv eq 465
access-list LL-Server extended permit tcp any object Email_Srv eq https
access-list LL-Server extended permit tcp any object Edge_Email eq smtp log errors
access-list LL-Server extended permit tcp any object Email_Srv eq imap4
access-list LL-Server extended permit tcp any object Edge_Email eq www
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu LL 1500
mtu inside 1500
mtu Server 1500
mtu dmz 1500
mtu Guest 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Server,LL) source static Email_Srv Email-Pub service Email_443 Email_443
nat (Server,LL) source static Email_Srv Email-Pub service Email-143 Email-143
nat (Server,LL) source static Email_Srv Email-Pub service Email-465 Email-465
nat (Server,LL) source static Email_Srv Email-Pub service Eamil-993 Eamil-993
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_25 Edge_25
nat (dmz,LL) source static Edge_Email Email-Pub service Edge_80 Edge_80
nat (Server,any) source static Email_Srv Email-Pub
nat (dmz,any) source static Edge_Email Email-Pub
!
object network LAN-NW
nat (inside,Outside) dynamic interface dns
object network Guest_NW
nat (Guest,Outside) dynamic interface dns
!
nat (dmz,Outside) after-auto source dynamic DMZ_NW interface
nat (Server,Outside) after-auto source dynamic Server_NW interface dns
access-group LL-Server in interface LL
route Outside 0.0.0.0 0.0.0.0 192.168.45.1 1
route LL 0.0.0.0 0.0.0.0 Y.Y.Y.Y 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
http 10.25.31.0 255.255.255.224 Server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.25.31.0 255.255.255.224 Server
telnet timeout 5
ssh 213.42.27.74 255.255.255.255 LL
ssh 213.42.27.178 255.255.255.255 LL
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.74.21-192.168.74.125 Guest
dhcpd dns 213.42.20.20 195.229.241.222 interface Guest
dhcpd lease 14400 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password yy2L/qRRUR2kh3.Z encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:61d21cd299674d078a2f81b6aa88855d
: end
ALAIN-FW#
10-10-2013 06:01 AM
Hi,
It seems that the NAT configurations you have don't really reflect what I originally suggested.
There are no configurations that would force the EMAIL server to use the LL link for external traffic.
If you are going to implement that and also want the INSIDE and SERVER segments to talk to each other with local IP addresses, then you would probably need these configurations:
nat (inside,Server) 1 source static LAN-NW LAN-NW destination static Server_NW Server_NW
object network ANY-0.0.0.0-1
subnet 0.0.0.0 128.0.0.0
object network ANY-128.0.0.0-1
subnet 128.0.0.0 128.0.0.0
object-group network ALL
network-object object ANY-0.0.0.0-1
network-object object ANY-128.0.0.0-1
nat (Server,LL) 6 source dynamic Email_Srv Email-Pub destination static ALL ALL
Do notice that with the above configurations
With the above in mind, if you have any need for the EMAIL SERVER to communicate with DMZ hosts/servers for example, you would need extra NAT configurations.
- Jouni
10-10-2013 06:44 AM
10-10-2013 07:05 AM
Hi,
Can you simulate a packet coming from that server to the Internet with the "packet-tracer"?
packet-tracer input
This should tell us what the problem might be.
Naturally, to avoid prolonging the problem, I would suggest reverting back to the original NAT configurations after you have taken the "packet-tracer" output.
I just noticed that you are using the same public IP address for 2 different servers on 2 different local interfaces? This will at least cause problems for incoming connections, but I would be interested to see what exactly is causing problems with outbound connections from the server.
- Jouni
10-16-2013 11:29 AM
Hi Jouni,
Sorry for the late reply.
We are on holidays, so that's why I am not able to provide the details which you asked me for.
I will provide the details once the holidays are over.
Is there anything else missing in the config?
Thanks
cyril
10-25-2013 11:11 AM
Hi Jouni,
Tomorrow I am going to do the following changes as well as the trace which you asked me for.
Maybe I need your help to solve the issue.
Thanks
cyril
10-25-2013 11:24 AM
Hi,
It's a bit risky when you have to use NAT configurations to make the ASA handle traffic differently.
You said that after the last change the mail server's Internet connection stopped working?
Which one of these stopped working?
object network Email_Srv
host 10.25.31.16
object network Edge_Email
host 172.16.0.2
Was this all that stopped working? Were users and other servers able to connect to the Internet while the email server had problems?
Or were the email server's problems with incoming connections from the Internet?
- Jouni
10-25-2013 11:56 AM
Hi,
I checked only the
object network Email_Srv
host 10.25.31.16
and its internet was not working; the rest of the servers I didn't check at that time. But
the incoming connections were working on the ports.
10-31-2013 06:42 AM
Hi,
After moving the NAT it started working.