02-26-2013 08:39 AM - edited 03-11-2019 06:06 PM
I currently have an Exchange environment that consists of four CAS servers. I have a load balancer in place which I NAT to one public IP address.
The problem is when my CAS servers send email it doesn't show as the same IP as the one for the load balancer. I know that I don't have this configured but wondering how to configure it.
With the version of ASA that I'm on can I make all four servers use the same external IP for outbound traffic and use only specific ports to the load balancer for incoming?
Should be a many to one nat I believe. How can I configure this with ASDM?
Sent from Cisco Technical Support iPhone App
02-26-2013 10:10 AM
Hi,
Looking at the configuration I posted (and the similar one in the PDF)
global (outside) 100 1.2.3.4
nat (inside) 100 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.2 255.255.255.255
nat (inside) 100 10.10.10.3 255.255.255.255
nat (inside) 100 10.10.10.4 255.255.255.255
static (inside,outside)
To my understanding the Dynamic PAT above should apply to the connections the "inside" hosts take towards "outside"
The "static" commands Port Forward should to my understanding work at the same time. It should make it possible for any "outside" host to connect with the specified port and protocol to the single LAN host using the same public IP address the other hosts are using for outbound connections.
When that port forward is configured, you should be able to test it with the ASAs "packet-tracer" command
packet-tracer input outside tcp
The output should tell us what NAT rule the traffic is hitting. For example the TCP/80 destination port traffic that is supposed to be forwarded to the single host on the LAN.
- Jouni
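A complete pre-8.3 ASA configuration of the pattern Jouni describes above (many-to-one dynamic PAT for outbound, port-specific static PAT on the same public address for inbound, verified with packet-tracer) is given here as an added example; it is not the poster's or Jouni's configuration. The interface names inside/outside, the public address 1.2.3.4 and the 10.1.1.x hosts follow the thread; the NAT id 300, the ACL name OUTSIDE_IN, the extra hosts 10.1.1.4 and 10.1.1.5, and the test addresses 203.0.113.10 and 198.51.100.5 are constructed for the example.

```cisco
! Added example (not from the thread): pre-8.3 ASA NAT for several CAS hosts
! sharing one public address outbound, with only the ports the load balancer
! needs forwarded inbound. Addresses other than 1.2.3.4 / 10.1.1.x are constructed.
!
! Outbound: dynamic PAT. A single address in the global pool means PAT, so every
! matching inside host leaves as 1.2.3.4 with a translated source port.
global (outside) 300 1.2.3.4
nat (inside) 300 10.1.1.1 255.255.255.255
nat (inside) 300 10.1.1.2 255.255.255.255
nat (inside) 300 10.1.1.4 255.255.255.255
nat (inside) 300 10.1.1.5 255.255.255.255
! The load balancer also needs a nat line so its own outbound traffic (the
! ports not covered by the static PAT below) is translated.
nat (inside) 300 10.1.1.3 255.255.255.255
!
! Inbound: static PAT (port forward) on the same public address, one line per
! required port, pointing at the load balancer 10.1.1.3. Static rules are
! matched before dynamic ones, and only the listed ports become reachable.
static (inside,outside) tcp 1.2.3.4 443 10.1.1.3 443 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 10.1.1.3 25 netmask 255.255.255.255
!
! Pre-8.3 interface ACLs reference the mapped (public) address. Permit only the
! forwarded ports; anything else sent to 1.2.3.4 from outside is dropped.
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq 443
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.4 eq 25
access-group OUTSIDE_IN in interface outside
!
! Verification with packet-tracer (constructed test addresses). Inbound HTTPS
! should report the static PAT phase and an ALLOW result; an unlisted port
! should be dropped at the ACL phase.
packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 443
packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 3389
! Outbound SMTP from a CAS host should hit global 300 and leave as 1.2.3.4.
packet-tracer input inside tcp 10.1.1.1 40000 198.51.100.5 25
! The translation table shows the per-connection source-port mapping.
show xlate
```

The two packet-tracer runs against 1.2.3.4 are the useful pair: one confirms the forward reaches 10.1.1.3, the other confirms that a port you did not forward is refused rather than silently translated to the balancer.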
02-26-2013 08:46 AM
Hi,
At the moment I can't really comment on the ASDM version of the configuration as I don't use ASDM and my ASA is running newer software and NAT configuration format.
I imagine if you want to use the public IP address that is being used for Static NAT at the moment for the single local IP address, you could change it to something like this on the CLI
global (outside) 100 1.2.3.4
nat (inside) 100 10.10.10.1 255.255.255.255
nat (inside) 100 10.10.10.2 255.255.255.255
nat (inside) 100 10.10.10.3 255.255.255.255
nat (inside) 100 10.10.10.4 255.255.255.255
static (inside,outside)
Where
At least to my understanding it could be done in the above mentioned way. You could change the NAT for all the 4 hosts to be a Policy PAT perhaps if you don't want to configure 4x "nat" lines.
- Jouni
02-26-2013 08:48 AM
Also,
This document contains an attached PDF file that has instructions to do this.
https://supportforums.cisco.com/docs/DOC-29170
It's on pages 55 / 86 and 56 / 86 of the PDF
- Jouni
02-26-2013 10:00 AM
To use a global pool I have to use a dynamic policy. When I do that it does seem to work. I tested it on a couple of servers and they do go out on that IP (both of them), but the problem is allowing external access on that IP to go to a specific server.
So:
10.1.11.1 -> 1.2.3.4
10.1.11.2 -> 1.2.3.4
Works
but I can't seem to get
1.2.3.4 -> 10.1.11.1 (port 80) to work when I have that configured
02-26-2013 08:16 PM
I got it working. I added a static NAT rule for the incoming and a static dynamic NAT for the outgoing like you were saying
Thanks for your help!
Sent from Cisco Technical Support iPhone App
02-26-2013 11:25 PM
Hi,
Glad you got it working
If some reply was the answer to the question, please mark it as the correct answer with the button in that reply.
Naturally you can provide the configuration you did to make it work also so others perhaps bumping into this thread can find the solution.
- Jouni
02-27-2013 03:57 AM
I can do that when I get to the office this morning. I tried with this mobile app but it didn't mark it as the answer. Maybe a bug or something
Sent from Cisco Technical Support iPhone App
02-28-2013 07:23 AM
Here is what I did:
[Global]
global (outside) 300 1.2.3.4 netmask 255.0.0.0
[Inbound] (Load Balancer)
static (Sub10,outside) 1.2.3.4 10.1.1.3 netmask 255.255.255.255 dns
[Outbound]
nat (Sub10) 300 10.1.1.1 255.255.255.255
nat (Sub10) 300 10.1.1.2 255.255.255.255
02-26-2013 10:07 AM
Ok I think I might have got it to work.
I created the global pool for 1.2.3.4.
Then I created a static nat for 10.1.11.1 3389 1.2.3.4 3389
Then for the other server (ones that don't have any outside to inside traffic) using a dynamic NAT rule for 10.1.0.24 to 1.2.3.4.
Then another dynamic NAT rule for 10.1.11.1 to 1.2.3.4.
So now 10.1.11.1 is allowing traffic from outside to inside on port 3389 but both 10.1.11.1 and 10.1.0.24 are going out on 1.2.3.4
Hopefully this is correct