ASA 5516 (FPS) - NAT question

jmckechnie
Level 1

The above image is the log of the command first without service, then with services circled in red.

 

Hi,

I have an ASA 5516. This provides Internet and VPN services. It is setup to route in/outbound mail from our mail server. I am having an issue with the NAT command that translates the mail_server address.

In short when I use this command

nat (inside,outside) static mail_route service tcp smtp smtp

The mail_server appears to NAT using the PAT address 1.1.1.131. This address is not configured on our cloud mail gateway and is bounced back.  

If I remove the service part of the command service tcp smtp smtp

nat (inside,outside) static mail_route

The mail_server then NATs on the 1.1.1.132 address as desired. But I am not able to specify the service? I have this configured on another ASA located at a different site and it is working fine.

There is no outbound ACL configured.

Here is an extract of the relevant config;

object network PAT_Address
 host 1.1.1.131
 description Global PAT IP address for Internet Breakout

object network mail_route
 host 1.1.1.132
 description Outbound address for Mail server
 
object network mail_server
 host 172.16.4.103
 description Mail Server Appliance
 
object-group network PAT_Group
 description ranges for Internet Breakout
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.252.0
 

nat (inside,outside) source static VPNNetworks VPNNetworks destination static VPNRange VPNRange no-proxy-arp
nat (inside,outside) source static APN_Networks1 APN_Networks1 destination static APN_Networks2 APN_Networks2 no-proxy-arp route-lookup

object network mail_server
 nat (inside,outside) static mail_route service tcp smtp smtp

nat (inside,outside) after-auto source dynamic PAT_Group PAT_Address

I have tried to pull together the relevant info let me know if you need anything else. 

Any help or advice would be appreciated.

Thanks

John


Pulkit Saxena
Cisco Employee

John,

The NAT command with service keyword is a unidirectional NAT statement or bidirectional with a condition. 

When you have service enabled on the NAT, it is a static PAT, which is usually used for inbound access: anyone from outside coming to the mapped IP on port 25 is allowed to go to the internal server on port 25, and the return traffic is allowed due to the stateful nature of the device.

However, when you have static NAT, it is bidirectional and thus it works the same way from out to in, but also at the same time, when new traffic is initiated by the inside server, which will most probably use a random source port, the same NAT statement gets a hit and is thus recognized outside too.

When you do have a service keyword, and the mail server is using a random source port, your NAT with the service keyword is not taking a hit and the traffic thus falls through to the NAT which is used for PAT'ing.

Hope this answers. Feel free to ask any further query, as I have made my answer a little clumsy. :)

Running a packet tracer tells you the exact flow.

-

Pulkit

Please rate useful posts.

Pulkit,

Thanks for your response, sorry it's taken a while to reply. So from what you can see, it is because the mail server is generating random port numbers?

John

John,

Yes, and thus it is using some other NAT statement.

Regards,

Pulkit

I just checked through my other ASA config and can see why it is working. I have another PAT configured there as below, so this is taking care of the random port numbers. I don't have this rule on the firewall I queried. It all makes sense now. Thanks so much for your help.

nat (inside,outside) after-auto source dynamic Webmail_PAT_Group Webmail_PAT_Address

If I could ask one more quick question? Do you see an advantage in using the service part of the command? 

We already have an ACL with the service specified for Incoming. My thinking is that it provides some extra security, would you agree?

John 

John,

You are welcome.

It all depends on your requirement, but yes, adding the service part is to make it more specific and thus helps.

Regards,

Pulkit
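As an added example (not from the thread or from Cisco documentation), here is the combination Pulkit's explanation and John's second ASA point to, using the thread's own object names: the static PAT with service for inbound SMTP, plus a host-specific dynamic PAT in the after-auto section so the server's outbound connections (random source ports) also leave as 1.1.1.132. The destination address in the packet-tracer check is a constructed placeholder.

```cisco
! Objects as in the thread (real server 172.16.4.103, mapped address 1.1.1.132).
object network mail_route
 host 1.1.1.132
object network mail_server
 host 172.16.4.103
 ! Section 2 (object NAT): static PAT that matches only TCP/25 on the real side.
 ! Inbound SMTP to 1.1.1.132:25 reaches the server; outbound connections the
 ! server opens use random source ports, so they do not hit this rule.
 nat (inside,outside) static mail_route service tcp smtp smtp
!
! Section 3 (after-auto) rules are evaluated in order. Without the first line,
! the server's outbound SMTP falls through to the catch-all and leaves as
! 1.1.1.131, which the cloud gateway rejects. The host-specific rule must come
! before the catch-all, because PAT_Group (172.16.4.0/22) also covers the server.
nat (inside,outside) after-auto source dynamic mail_server mail_route
nat (inside,outside) after-auto source dynamic PAT_Group PAT_Address
!
! Verification (constructed destination 203.0.113.25, random source port 40000):
! the trace should show the after-auto dynamic rule and a mapped address of
! 1.1.1.132; "show nat detail" shows which rule is taking the hits.
! packet-tracer input inside tcp 172.16.4.103 40000 203.0.113.25 25
```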
