ASA Nating & configuration

lzakariya
Level 1

Hello,

I have two companies and two different public IPs as well. I have enabled routing between the two companies and the two company networks can ping each other.

I am able to access the company 1 mail server (ip aaa.aaa.aaa.aaa) from outside through the company1 ASA using the company1 public IP range xxx.xxx.xxx.xxx/28.

I am able to access the company 2 mail server (ip bbb.bbb.bbb.bbb) from outside through the company2 ASA using the company2 public IP range yyy.yyy.yyy.yyy/28.

I can also ping from the company1 ASA inside interface to the company2 ASA inside interface and vice versa.

But what I need is, I want to configure access to the company1 mail server from the outside world using my company2 public IP range yyy.yyy.yyy.yyy on my company2 ASA. The configuration I have made on the company2 ASA is as follows:

access-list ACL_OUT extended permit tcp any host yyy.yyy.yyy.yy1 eq www

static (Inside,Outside) tcp yyy.yyy.yyy.yy1 www aaa.aaa.aaa.aaa www netmask 255.255.255.255

access-group ACL_OUT in interface Outside

But this configuration is not working... I am still not able to access aaa.aaa.aaa.aaa from the internet using yyy.yyy.yyy.yyy.

I couldn't find any other issues as both firewalls can ping each other. Please help me....


5 Replies

Jouni Forss
VIP Alumni

Hi,

You are probably experiencing asymmetric routing.

What I mean by that is that the connection from some Internet host is coming through the Company 2 ASA and goes all the way to the Company 1 Server. The return traffic, however, will be routed through the default route of Company 1.

And to give the same information in steps:

  • Connection comes to the Company 2 ASA public IP address
  • Company 2 ASA forwards the connection to the Company 1 network and to the Company 1 Server
  • Company 1 Server receives the connection
  • Company 1 Server replies to the forming TCP connection and forwards the traffic out its default route
  • Company 1 ASA sends the Server's return traffic to the connecting host through its default route to outside
  • The return traffic to the external host will be visible from the Company 1 Server's public IP address instead of the Company 2 IP address to which the connection was originally opened.

- Jouni


Dear Jouni Forss,

Thanks for your advice. But here the problem is, in the company1 router I have configured a static route: the company2 public IP range yyy.yyy.yyy.yyy should be forwarded to the company 2 network. If I configure the following steps on the company 2 ASA, I am able to ping the company2 public range, for example the router interface.

access-list ACL_in extended permit ip host aaa.aaa.aaa.aaa any

nat (Inside) 1 aaa.aaa.aaa.aaa 255.255.255.255

access-list ACL_OUT extended permit icmp host yyy.yyy.yyy.yyy any            ///here it is the router ip

access-group ACL_OUT in interface Outside

access-group ACL_in in interface Inside

Hi,

I think you understood me wrong. (Or I understood your original setup wrong.)

When the hosts on the Internet are connecting to the Company 1 Server through the Company 2 ASA then naturally, with the above described situation, the Internet user's IP address won't be NATed. It will be visible with its public IP address all the way to the Company 1 Server.

Now when the Company 1 Server tries to reply to that connection attempt it will naturally send traffic to that public IP address of the user. This will be routed out of the Company 1 ASA and NOT through the Company 2 ASA.

It would be a totally different matter if the Internet hosts accessing the Company 1 Server through the Company 2 ASA were NATed to some internal LAN IP address on the Company 2 ASA before reaching the server. THEN the Company 1 Server would have a correct return route for that traffic and WOULD NOT have to use the default route like in this situation.

- Jouni

Hello Jouni,

Thank you very much for your valuable information.

Now, I configured a dynamic NAT policy to translate all the IPs coming in on outside to a local IP and it's working fine.

Thanks a lot for your support.
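As an added illustration of the fix the last reply describes (not the poster's own configuration), here is the outside dynamic NAT on the Company 2 ASA in the same pre-8.3 NAT syntax the thread uses. The inside address 10.2.0.250 and the client address 203.0.113.10 are assumed values; the only requirement is that 10.2.0.250 lies in a Company 2 LAN range that Company 1 already routes back over the inter-company link.

```text
! Company 2 ASA, pre-8.3 NAT syntax (added example, not the poster's config)
!
! Inbound static from the thread: public yyy.yyy.yyy.yy1:80 -> Company 1 server aaa.aaa.aaa.aaa:80
static (Inside,Outside) tcp yyy.yyy.yyy.yy1 www aaa.aaa.aaa.aaa www netmask 255.255.255.255
access-list ACL_OUT extended permit tcp any host yyy.yyy.yyy.yy1 eq www
access-group ACL_OUT in interface Outside
!
! Outside dynamic NAT (the "outside" keyword marks NAT of sources entering Outside).
! Every Internet client that is forwarded to Inside is PATed to 10.2.0.250 (assumed
! Company 2 LAN address). Company 1 routes that LAN across the inter-company link, so the
! server's SYN-ACK comes back through the Company 2 ASA instead of Company 1's default route.
nat (Outside) 2 0.0.0.0 0.0.0.0 outside
global (Inside) 2 10.2.0.250
!
! Verification on the Company 2 ASA (203.0.113.10 is a constructed client address):
! packet-tracer input Outside tcp 203.0.113.10 40000 yyy.yyy.yyy.yy1 80
!   the NAT phases should show src 203.0.113.10 -> 10.2.0.250 and
!   dst yyy.yyy.yyy.yy1 -> aaa.aaa.aaa.aaa, ending with "Action: allow"
! show xlate | include 10.2.0.250
!   one PAT entry per Internet client
! show conn address aaa.aaa.aaa.aaa
!   the TCP connection should reach the established state (flags U I O)
```

One side effect to plan for: the Company 1 server now logs every remote client as 10.2.0.250, so client IP visibility for that service has to come from the Company 2 ASA's connection and translation logs rather than from the server.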

Hi,

Nice to hear that you got it working

Glad to be of help

- Jouni
