ASA IOS 8.3 NAT

Fadil Kadrat
Level 1

Hello Guys,

I am having an issue with an Exchange Server.

The issue that the exchange have an SMTP relay - Incoming and outgoing mail goes through that relay. The SMTP relay is on a dmz, while the mail server is on the inside.

To access the Web interface (OWA) users hit the mail server directly from internet.

I am trying to do the following NAT:

IP addresses:

Public address of mail :10.80.80.5

Internal address of mail: 192.168.20.16

ip address of SMTP Relay: 172.30.30.5

object network exchange-public
 host 10.80.80.5
 nat (outside,inside) static 192.168.20.16 service tcp 443 443
 nat (outside,dmz1) static 172.50.50.5 service tcp 25 25
 exit

The IOS is only taking one nat entry in the network object.

Is there another way to perform the NAT?

Thanks

Fadil

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Is the example IP address 10.80.80.5 configured on the ASA "outside" interface or is it a spare IP address?

Here's an example configuration for both situations.

Separate Public IP address

object network EXCHANGE-PUBLIC
 host 10.80.80.5

object network MAIL-SERVER-INTERNAL
 host 192.168.20.16
 nat (inside,outside) static EXCHANGE-PUBLIC service tcp 443 443

object network SMTP-RELAY
 host 172.30.30.5
 nat (dmz1,outside) static EXCHANGE-PUBLIC service tcp 25 25

access-list OUTSIDE-IN permit tcp any object MAIL-SERVER-INTERNAL eq 443
access-list OUTSIDE-IN permit tcp any object SMTP-RELAY eq 25
access-group OUTSIDE-IN in interface outside

The above will first define an "object" which holds the public IP address. The following 2 "objects" hold the actual source IP address on your local network and the NAT configuration to enable access to those servers through the same public IP address on different TCP ports.

Using ASA "outside" interface IP address

object network MAIL-SERVER-INTERNAL
 host 192.168.20.16
 nat (inside,outside) static interface service tcp 443 443

object network SMTP-RELAY
 host 172.30.30.5
 nat (dmz1,outside) static interface service tcp 25 25

access-list OUTSIDE-IN permit tcp any object MAIL-SERVER-INTERNAL eq 443
access-list OUTSIDE-IN permit tcp any object SMTP-RELAY eq 25
access-group OUTSIDE-IN in interface outside

The above does otherwise the same as the first example, but it uses the keyword/parameter "interface" to tell the ASA that the public IP address of the ASA's "outside" interface will be used for the NAT configurations.

Hope this helps

Remember to mark replies as correct answers if they answered your question, and/or rate helpful answers.

Ask more if needed

- Jouni


Hi Jouni,

Thanks for your reply.

The 10.80.80.5 address is a spare IP on my outside interface. The NAT from 10.80.80.5 to the public IP of my mail server is performed on the edge router, which is directly connected to the ASA.

I have used a similar config as in your 1st example, except that in my outside ACL I have used the real IP, i.e. 192.168.20.16/172.30.30.5 instead of MAIL-SERVER-INTERNAL/SMTP-RELAY.

Do I have to use objects in my ACL, as currently with IP addresses in my ACL it does not work?

Thanks

Fadil

Hi,

The "objects" that I used in the ACLs are the objects that hold both the real IP address and the NAT configuration.

So the ACL should use the real IP address under the "object".

You can confirm this by simply using "show access-list", and it should show the IP address under the "object".

So if the IP addresses 192.168.20.16 and 172.30.30.5 are the real IP addresses, then the above configuration I mentioned should work with regards to the ACL also.

One of the ideas of the new NAT format and the ACL using the "object" is to make rule building and management easier. For example, consider that one server on your local network is swapped with a newer one and you decide to configure it with another local IP address and are going to use the same NAT configuration for it.

You would then simply go under the "object network" configuration of the existing object and issue the new host IP address with the "host" command. And since we are using the "object" in the ACL, the ACL would naturally be updated automatically to use the correct IP address.

- Jouni
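As an added example (my own, not code from the thread or from Cisco), a small Python linter over constructed ASA 8.3 object-NAT text that flags the two problems discussed above: more than one nat statement under a single network object (the original post), and an outside ACL written against the mapped public address instead of the real one (the last two replies). The sample config string, the object names and the finding messages are constructed for this illustration.

```python
import re

# Constructed sample (mine, not the thread's ASA output): the poster's object with two
# nat lines, one corrected object as in the accepted answer, and an ACL on the mapped IP.
ASA_CONFIG = """\
object network exchange-public
 host 10.80.80.5
 nat (outside,inside) static 192.168.20.16 service tcp 443 443
 nat (outside,dmz1) static 172.50.50.5 service tcp 25 25
object network MAIL-SERVER-INTERNAL
 host 192.168.20.16
 nat (inside,outside) static exchange-public service tcp 443 443
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER-INTERNAL eq 443
access-list OUTSIDE-IN permit tcp any host 10.80.80.5 eq 25
"""
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)")

def parse_objects(config):
    """Map object name -> {'host': real IP, 'nat': [(real_ifc, mapped_ifc, mapped)]}."""
    objects, current = {}, None
    for line in filter(None, (ln.strip() for ln in config.splitlines())):
        if line.startswith("object network "):
            current = line.split()[2]
            objects[current] = {"host": None, "nat": []}
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and (m := NAT_RE.match(line)):
            objects[current]["nat"].append(m.groups())
        else:
            current = None  # any other top-level line ends the object block
    return objects

def lint(config):
    """Return findings for the mistakes discussed in the thread."""
    objects, findings, mapped_ips = parse_objects(config), [], set()
    for name, obj in objects.items():
        if len(obj["nat"]) > 1:
            findings.append(f"{name}: {len(obj['nat'])} nat statements; object NAT keeps one, use one object per real server")
        for real_ifc, mapped_ifc, mapped in obj["nat"]:
            if real_ifc == "outside":
                findings.append(f"{name}: nat ({real_ifc},{mapped_ifc}) lists the real interface first; use (inside,outside) or (dmz1,outside)")
            # mapped side is an IP literal, another object's host, or the keyword 'interface'
            mapped_ips.add(objects.get(mapped, {}).get("host", mapped))
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("access-list ") and " host " in line:
            ip = line.split(" host ")[1].split()[0]
            if ip in mapped_ips:
                findings.append(f"ACL matches mapped address {ip}; post-8.3 ACLs see the real address, reference the object instead")
    return findings
```

Calling lint(ASA_CONFIG) returns four findings: the doubled nat under exchange-public, its two reversed interface pairs, and the ACL entry on 10.80.80.5.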
