I currently have an exchange environment that consists of four cas servers. I have a load balancer in place which I nat to one public IP address.
The problem is when my cas servers send email it doesn't show as the same ip as the one for the load balancer. I know that I don't have this configured but wondering how to configure it.
With the version of Asa that I'm on can I make all four servers use the same external ip for outbound traffic and use only specific ports to the load balancer for incoming?
Should be a many to one nat I believe. How can I configure this with ASDM?
To my understanding the Dynamic PAT above should apply to the connections the "inside" hosts take towards "outside"
The "static" commands Port Forward should to my understanding work at the same time. It should make it possible for any "outside" host to connect with the specified port and protocol to the single LAN host using the same public IP address the other hosts are using for outbound connections.
When that port forward is configured, you should be able to test it with the ASAs "packet-tracer" command
packet-tracer input outside tcp
The output should tell us what NAT rule the traffic is hitting. For example the TCP/80 destination port traffic that is supposed to be forwarded to the single host on the LAN.
At the moment I cant really comment on the ASDM version of the configuration as I dont use ASDM and my ASA is running newer software and NAT configuration format.
I imagine if you want to use the public IP address that is being used for Static NAT at the moment for the single local IP address, you could change it to something like this on the CLI
10.10.10.1 - 4 = Are all of the server IP addresses
10.10.10.4 = Is the IP address needing the ports forwarded from public network
1.2.3.4 = Is an example public IP address
Atleast to my understanding it could be done in the above mentioned way. You could change the NAT for all the 4 hosts to be a Policy PAT perhaps if you dont want to configure 4x "nat" lines.
To use a global pool I have to use a dynamic policy. When I do that it does seem to work. I tested it on a couple servers and they do go out on that ip (both of them), but the problem is allowing external access on that IP to go to a specfic server.
So:
10.1.11.1 -> 1.2.3.4
10.1.11.2 -> 1.2.3.4
Works
but I can't seem to get
1.2.3.4 -> 10.1.11.1 (port 80) to work when I have that configured
To my understanding the Dynamic PAT above should apply to the connections the "inside" hosts take towards "outside"
The "static" commands Port Forward should to my understanding work at the same time. It should make it possible for any "outside" host to connect with the specified port and protocol to the single LAN host using the same public IP address the other hosts are using for outbound connections.
When that port forward is configured, you should be able to test it with the ASAs "packet-tracer" command
packet-tracer input outside tcp
The output should tell us what NAT rule the traffic is hitting. For example the TCP/80 destination port traffic that is supposed to be forwarded to the single host on the LAN.
