08-20-2012 01:00 AM - edited 03-11-2019 04:43 PM
Hi!
There is something wrong with the ordering of our NAT-rules.
We are running ASA Version 8.4(2)8 and the nat config is pasted below.
I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).
The same goes for ftp-traffic; according to packet-tracer this is also translated to xxx.yyy.zzz.20.
Cisco's manual states that static NAT rules take precedence over dynamic NAT, but that doesn't seem to work for us.
Can you guys see anything wrong with the config below?
nat (Outside,Inside) source static Company-VPN Company-VPN
!
object network Company-LAN
nat (any,Outside) dynamic interface
object network Server21
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp ftp ftp
object network Server55443
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 55443 55443
object network Server443
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp https https
object network Server993
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 993 993
object network Server465
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 465 465
object network Server80
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp www www
object network Company-LAN-Inside
nat (Inside,Inside) dynamic interface
object network Server25
nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp smtp smtp
route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.17 1
08-20-2012 01:20 AM
Hi,
I think your NAT configuration regarding SMTP only applies to the connections taken from outside with destination port TCP/25 and not to connections taken by the SMTP server with destination port TCP/25.
Haven't had to do much of these configurations. I guess with the old OS NAT commands it would be easier (Policy NAT).
I can try to lab this later and provide the correct configuration. Unless someone else can already copy/paste some example for you.
- Jouni
08-20-2012 01:59 AM
I thought (any,any) would handle connections from both outside and inside interface.
How would a network object NAT that handles traffic both ways look?
- Fredrik
08-20-2012 02:09 AM
Gah, too tired. Will write the reply again
EDIT: removed the actual answer since there was errors there
08-20-2012 02:22 AM
Ok,
So let's look at this again.
I guess you have a .20 IP address on the firewall outside interface and the .18 IP address as an additional IP address, and you have used port forwarding to forward ports to different LAN IP addresses? In other words the SMTP server doesn't have its own public IP address?
- Jouni
08-20-2012 02:45 AM
That's correct, the SMTP-server does not have its own public IP.
- Fredrik
08-20-2012 03:16 AM
Ok,
Attempt Number 2.
Here are my test configurations.
object network SMTP-SERVER
host 10.10.10.123
nat (inside,outside) static 1.2.3.4 service tcp smtp smtp
object network HTTPS-SERVER
host 10.10.10.124
nat (inside,outside) static 1.2.3.4 service tcp https https
object network SMTP-SERVER-PUBLIC
host 1.2.3.4
object service SMTP
service tcp destination eq smtp
nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP
nat (inside,outside) after-auto source dynamic any interface
I guess you could try your own version of the above. To be honest the actual configuration that does the NAT for outbound SMTP traffic isn't that clear to me either. Should cheat and check the command reference myself.
I'm not 100% sure if the above NAT configuration might conflict with some future configuration in its current form.
Hope this helps
- Jouni
EDIT: If you haven't already, you can use the "packet-tracer" command to check what's happening with NAT before and after the configurations. And of course "show xlate" etc.
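The two posts above (Fredrik's original config and Jouni's lab config) turn on how an ASA 8.3+ NAT table is walked: section 1 manual NAT first, then section 2 object NAT (static before dynamic, then fewer real addresses first), then section 3 "after-auto" manual NAT. The following Python script is an added example, not code from the thread or from Cisco; it models only source translation for a new outbound connection and treats an object NAT "service" as matching the inside host's own (real) port, and a manual NAT service object with "destination eq smtp" as a destination-port match. Addresses are constructed: 203.0.113.18/.20 stand in for the masked xxx.yyy.zzz.18/.20, 192.168.1.0/24 for Company-LAN and 192.168.1.25 for Server25.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Simplified model of ASA 8.3+ NAT table lookup for a new outbound connection
# (added example, not ASA code):
#   section 1: manual NAT "nat (in,out) source ...", in configured order
#   section 2: object NAT, static before dynamic, then fewer real IPs first,
#              then lower real IP first
#   section 3: manual NAT configured with "after-auto", in configured order


@dataclass
class Flow:
    src: str      # real (inside) source address
    sport: int    # source port chosen by the inside host
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    section: int
    kind: str                        # "static" or "dynamic"
    real: str                        # real source host or network
    mapped: str                      # mapped source ("interface" = egress IP)
    real_port: Optional[int] = None  # object NAT "service tcp <real> <mapped>":
                                     # the real port, i.e. the inside host's port
    dst_port: Optional[int] = None   # manual NAT service object "destination eq"

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.real, strict=False):
            return False
        # A static object NAT with a service only covers traffic on that real
        # port; an outbound SMTP session has an ephemeral source port, so it
        # falls through to the next rule (this is the symptom in the thread).
        if self.real_port is not None and f.sport != self.real_port:
            return False
        if self.dst_port is not None and f.dport != self.dst_port:
            return False
        return True


def nat_order(rules: List[Rule]) -> List[Rule]:
    """Return rules in lookup order; sorted() is stable, so sections 1 and 3
    keep their configured order regardless of where they sit in the list."""
    def key(r: Rule):
        if r.section != 2:
            return (r.section, 0, 0, 0)
        net = ip_network(r.real, strict=False)
        return (2, 0 if r.kind == "static" else 1,
                net.num_addresses, int(net.network_address))
    return sorted(rules, key=key)


def translate(rules: List[Rule], f: Flow) -> Optional[str]:
    """Mapped source address of the first matching rule, None if untranslated."""
    for r in nat_order(rules):
        if r.matches(f):
            return r.mapped
    return None


# Fredrik's layout (constructed addresses): both rules are object NAT (section 2).
ORIGINAL_RULES = [
    Rule("Company-LAN", 2, "dynamic", "192.168.1.0/24", "203.0.113.20"),
    Rule("Server25", 2, "static", "192.168.1.25", "203.0.113.18", real_port=25),
]

# Jouni's lab config: the port forwards stay as object NAT, outbound SMTP is a
# section 1 manual NAT keyed on destination port 25, and the catch-all PAT is
# pushed to section 3 with "after-auto".
LAB_RULES = [
    Rule("SMTP-SERVER", 2, "static", "10.10.10.123", "1.2.3.4", real_port=25),
    Rule("HTTPS-SERVER", 2, "static", "10.10.10.124", "1.2.3.4", real_port=443),
    Rule("outbound-SMTP", 1, "static", "10.10.10.123", "1.2.3.4", dst_port=25),
    Rule("after-auto-PAT", 3, "dynamic", "0.0.0.0/0", "interface"),
]

if __name__ == "__main__":
    out_smtp = Flow("192.168.1.25", 51000, "198.51.100.9", 25)
    print("original, smtp:", translate(ORIGINAL_RULES, out_smtp))  # 203.0.113.20
    lab_smtp = Flow("10.10.10.123", 51000, "198.51.100.9", 25)
    print("lab, smtp:", translate(LAB_RULES, lab_smtp))            # 1.2.3.4
    lab_web = Flow("10.10.10.123", 51001, "198.51.100.9", 443)
    print("lab, https:", translate(LAB_RULES, lab_web))            # interface
```

Running it reproduces the thread: with the original rules the Server25 static entry is checked first but does not match an outbound session (source port is not 25), so the dynamic interface rule wins and the source becomes .20; with the lab rules the section 1 entry is evaluated before any object NAT and the SMTP session leaves as 1.2.3.4, while other traffic from the same host still falls through to the after-auto PAT. The model ignores inbound (destination) translation, so use packet-tracer on the real box to confirm both directions.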
08-20-2012 05:03 AM
Hi,
Were you able to test this?