cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1173
Views
0
Helpful
12
Replies

ASA outside overrides source NAT

Erik Boss
Level 1
Level 1

Hi,

I have a strange situation I'll explain.

Several days ago a customer got their new internetconnection, /30 for WAN and a routed /29 subnet.

My colleague went to the customer, changed everything and everything worked well.

Now we used one IP-address from the routed subnet for natting to our cloud.

After the change we saw in the mailheader the outside IP-address in stead of the routed IP-address.

In my opinion NAT goes before routing and no route lookup is enabled.

nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service smtp smtp 

and I tried

object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

Also when I start a packet tracer, routing goes through the outside interface.

Return traffic is natted correctly.

When I capture it, I receive a nop nop, so it's not operational, why?

The ASA version 8.4(2) should work well with this configuration.

12 Replies 12

GRANT3779
Spotlight
Spotlight

Do you have other NAT configuration on the ASA?

Can you post output of the following commands

show nat

show run nat

Thanks

show run nat

nat (Outside-glas,Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
nat (Inside,Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
nat (Inside,Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
nat (Inside,Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
nat (any,Outside-glas) source dynamic any interface
!
object network DC-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp ldaps ldaps
object network MailServer-OWA-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp https https
object network MailServer-WWW-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp www www
object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

amfw01# show nat
Manual NAT Policies (Section 1)
1 (Outside-glas) to (Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
translate_hits = 0, untranslate_hits = 0
2 (Inside) to (Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
translate_hits = 0, untranslate_hits = 0
3 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
translate_hits = 0, untranslate_hits = 0
4 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
translate_hits = 0, untranslate_hits = 1669
5 (Inside) to (Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
translate_hits = 1, untranslate_hits = 2434
6 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
translate_hits = 0, untranslate_hits = 28
7 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
translate_hits = 0, untranslate_hits = 0
9 (Outside-glas) to (Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
translate_hits = 710, untranslate_hits = 723
10 (Inside) to (Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
translate_hits = 110, untranslate_hits = 20748
11 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
translate_hits = 1, untranslate_hits = 2
12 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
translate_hits = 0, untranslate_hits = 0
13 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
translate_hits = 0, untranslate_hits = 1
14 (any) to (Outside-glas) source dynamic any interface
translate_hits = 628093, untranslate_hits = 142081

Auto NAT Policies (Section 2)
1 (Inside) to (Outside-glas) source static DC-glas 89.255.2.195 service tcp ldaps ldaps
translate_hits = 0, untranslate_hits = 35
2 (Inside) to (Outside-glas) source static MailServer-OWA-glas 89.255.2.195 service tcp https https
translate_hits = 0, untranslate_hits = 4939
3 (Inside) to (Outside-glas) source static MailServer-WWW-glas 89.255.2.195 service tcp www www
translate_hits = 0, untranslate_hits = 782
4 (Inside) to (Outside-glas) source static Mailserver-SMTP 89.255.2.195 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 1913

You can add the NAT statement and amend preference -

Create a service objct group for SMTP port first of all if you do not have one

nat (Inside,Outside-glas) 13 source static Mailserver-SMTP Mailserver-SMTP destination static "New SMTP Obj Group"  "New SMTP Obj Group"

You want your static NAT to be hit before the following one -

14 (any) to (Outside-glas) source dynamic any interface
translate_hits = 628093, untranslate_hits = 142081

As Safwan has said, you could remove the dynamic NAT, add your static NAT then re-add the dynamic NAT.

All the NATs in section 1 will be processes before your Auto NATs in section 2

I'll try it, but I already did it before I started this topic with no success.

I should have made a mistake.

Once you make amendments and test, post the outputs again.

amfw01# sh run nat
nat (Outside-glas,Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
nat (Inside,Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
nat (Inside,Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
nat (Inside,Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
nat (any,Outside-glas) source dynamic any interface
!
object network DC-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp ldaps ldaps
object network MailServer-OWA-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp https https
object network MailServer-WWW-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp www www
object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

amfw01# show nat
Manual NAT Policies (Section 1)
1 (Outside-glas) to (Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
translate_hits = 0, untranslate_hits = 0
2 (Inside) to (Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
translate_hits = 0, untranslate_hits = 0
3 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
translate_hits = 0, untranslate_hits = 0
4 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
translate_hits = 0, untranslate_hits = 1920
5 (Inside) to (Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
translate_hits = 1, untranslate_hits = 2815
6 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
translate_hits = 0, untranslate_hits = 28
7 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
translate_hits = 0, untranslate_hits = 0
9 (Outside-glas) to (Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
translate_hits = 807, untranslate_hits = 823
10 (Inside) to (Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
translate_hits = 110, untranslate_hits = 20748
11 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
translate_hits = 1, untranslate_hits = 2
12 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
translate_hits = 0, untranslate_hits = 0
13 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
translate_hits = 0, untranslate_hits = 1
14 (Inside) to (Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
translate_hits = 0, untranslate_hits = 0
15 (any) to (Outside-glas) source dynamic any interface
translate_hits = 771225, untranslate_hits = 173305

Auto NAT Policies (Section 2)
1 (Inside) to (Outside-glas) source static DC-glas 89.255.2.195 service tcp ldaps ldaps
translate_hits = 0, untranslate_hits = 35
2 (Inside) to (Outside-glas) source static MailServer-OWA-glas 89.255.2.195 service tcp https https
translate_hits = 0, untranslate_hits = 5918
3 (Inside) to (Outside-glas) source static MailServer-WWW-glas 89.255.2.195 service tcp www www
translate_hits = 0, untranslate_hits = 868
4 (Inside) to (Outside-glas) source static Mailserver-SMTP 89.255.2.195 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 2264

Can we see output of

sh run object

sh run object-group

Just to double check - you are looking to create static NAT for Mailserver-SMTP on SMTP Port to 89.255.2.195 ?

I only have objects, no object-groups for this.

object network DC-glas
host 192.168.0.123

object network MailServer
host 192.168.0.123
object network MailServer-OWA
host 192.168.0.123
object network MailServer-WWW
host 192.168.0.123
object network MailServer-OWA-glas
host 192.168.0.123
object network MailServer-WWW-glas
host 192.168.0.123
object network MailServer-glas
host 192.168.0.123
object network Mailserver-SMTP
host 192.168.0.123
object network Extern-Mailserver
host 89.255.2.195
object network MAIL-OUTSIDE
host 89.255.2.195
object service TCP-25
service tcp destination eq smtp

I want the mailserver to have an outside IP-address of 89.255.2.195, because the mailserver is sending mails with the IP-address of the WAN interface.

I would try the following from configuration mode -

no nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
no nat (any,Outside-glas) source dynamic any interface
object network Mailserver-SMTP
 no nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp
nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE service TCP-25 TCP-25

nat (any, Outside-glas) after-auto source dynamic any interface

This morning I made the change.

It worked!

Thanks!

I added the NAT rule you mentioned.

nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL on row 13

I checked the cloud spamfilter, still the same outside IP-address.

Muhammed Safwan
Level 1
Level 1

You have below dynamic statement which matching before your static nat .

nat (any,Outside-glas) source dynamic any interface.

So I would suggest you to change the nat order, First static nat then dynamic nat.

You can simply delete and re-add the dynamic nat statement which will automatically change the nat order or else you can do it manually as well.

Regards,

Safwan

Pls rate helpful posts

Review Cisco Networking for a $25 gift card