Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
12
Replies

ASA outside overrides source NAT

Erik Boss
Level 1
Level 1

‎07-21-2017 12:20 AM - edited ‎03-12-2019 02:43 AM

Hi,

I have a strange situation I'll explain.

Several days ago a customer got their new internetconnection, /30 for WAN and a routed /29 subnet.

My colleague went to the customer, changed everything and everything worked well.

Now we used one IP-address from the routed subnet for natting to our cloud.

After the change we saw in the mailheader the outside IP-address in stead of the routed IP-address.

In my opinion NAT goes before routing and no route lookup is enabled.

nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service smtp smtp 

and I tried

object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

Also when I start a packet tracer, routing goes through the outside interface.

Return traffic is natted correctly.

When I capture it, I receive a nop nop, so it's not operational, why?

The ASA version 8.4(2) should work well with this configuration.

Labels:
0 Helpful
12 Replies 12

GRANT3779
Spotlight
Spotlight

‎07-21-2017 07:23 AM

Do you have other NAT configuration on the ASA?

Can you post output of the following commands

show nat

show run nat

Thanks

0 Helpful

Erik Boss
Level 1
Level 1
In response to GRANT3779

‎07-25-2017 12:33 AM

show run nat

nat (Outside-glas,Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
nat (Inside,Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
nat (Inside,Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
nat (Inside,Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
nat (any,Outside-glas) source dynamic any interface
!
object network DC-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp ldaps ldaps
object network MailServer-OWA-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp https https
object network MailServer-WWW-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp www www
object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

amfw01# show nat
Manual NAT Policies (Section 1)
1 (Outside-glas) to (Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
translate_hits = 0, untranslate_hits = 0
2 (Inside) to (Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
translate_hits = 0, untranslate_hits = 0
3 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
translate_hits = 0, untranslate_hits = 0
4 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
translate_hits = 0, untranslate_hits = 1669
5 (Inside) to (Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
translate_hits = 1, untranslate_hits = 2434
6 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
translate_hits = 0, untranslate_hits = 28
7 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
translate_hits = 0, untranslate_hits = 0
9 (Outside-glas) to (Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
translate_hits = 710, untranslate_hits = 723
10 (Inside) to (Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
translate_hits = 110, untranslate_hits = 20748
11 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
translate_hits = 1, untranslate_hits = 2
12 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
translate_hits = 0, untranslate_hits = 0
13 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
translate_hits = 0, untranslate_hits = 1
14 (any) to (Outside-glas) source dynamic any interface
translate_hits = 628093, untranslate_hits = 142081

Auto NAT Policies (Section 2)
1 (Inside) to (Outside-glas) source static DC-glas 89.255.2.195 service tcp ldaps ldaps
translate_hits = 0, untranslate_hits = 35
2 (Inside) to (Outside-glas) source static MailServer-OWA-glas 89.255.2.195 service tcp https https
translate_hits = 0, untranslate_hits = 4939
3 (Inside) to (Outside-glas) source static MailServer-WWW-glas 89.255.2.195 service tcp www www
translate_hits = 0, untranslate_hits = 782
4 (Inside) to (Outside-glas) source static Mailserver-SMTP 89.255.2.195 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 1913

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Erik Boss

‎07-25-2017 01:32 AM

You can add the NAT statement and amend preference -

Create a service objct group for SMTP port first of all if you do not have one

nat (Inside,Outside-glas) 13 source static Mailserver-SMTP Mailserver-SMTP destination static "New SMTP Obj Group"  "New SMTP Obj Group"

You want your static NAT to be hit before the following one -

14 (any) to (Outside-glas) source dynamic any interface
translate_hits = 628093, untranslate_hits = 142081

As Safwan has said, you could remove the dynamic NAT, add your static NAT then re-add the dynamic NAT.

All the NATs in section 1 will be processes before your Auto NATs in section 2

0 Helpful

Erik Boss
Level 1
Level 1
In response to GRANT3779

‎07-26-2017 12:44 AM

I'll try it, but I already did it before I started this topic with no success.

I should have made a mistake.

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Erik Boss

‎07-26-2017 01:02 AM

Once you make amendments and test, post the outputs again.

0 Helpful

Erik Boss
Level 1
Level 1
In response to GRANT3779

‎07-26-2017 01:49 AM

amfw01# sh run nat
nat (Outside-glas,Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
nat (Inside,Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
nat (Inside,Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
nat (Inside,Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
nat (Inside,Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
nat (Outside-glas,Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
nat (Inside,Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
nat (Outside-glas,Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
nat (any,Outside-glas) source dynamic any interface
!
object network DC-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp ldaps ldaps
object network MailServer-OWA-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp https https
object network MailServer-WWW-glas
nat (Inside,Outside-glas) static 89.255.2.195 service tcp www www
object network Mailserver-SMTP
nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp

amfw01# show nat
Manual NAT Policies (Section 1)
1 (Outside-glas) to (Inside) source static 90.145.69.50 90.145.69.50 destination static 89.255.2.194 192.168.0.23 service TCP_35300 TCP_35300 description VOIP
translate_hits = 0, untranslate_hits = 0
2 (Inside) to (Outside-glas) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN
translate_hits = 0, untranslate_hits = 0
3 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-acc-1 Proloc-acc-1
translate_hits = 0, untranslate_hits = 0
4 (Inside) to (Outside-glas) source static NOBSRVDBA001 NOBSRVDBA001 destination static Proloc-prod-1 Proloc-prod-1
translate_hits = 0, untranslate_hits = 1920
5 (Inside) to (Outside-glas) source static NOBSRVWEB001 NOBSRVWEB001 destination static Proloc-prod-2 Proloc-prod-2
translate_hits = 1, untranslate_hits = 2815
6 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static Proloc-acc-2 Proloc-acc-2
translate_hits = 0, untranslate_hits = 28
7 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-ontwikkel OneShoe-ontwikkel
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside-glas) source static NOBSRVWEB002 NOBSRVWEB002 destination static OneShoe-2 OneShoe-2
translate_hits = 0, untranslate_hits = 0
9 (Outside-glas) to (Inside) source static any any destination static Extern-Mailserver MailServer service TCP-LDAPS-636 TCP-LDAPS-636 description LDAPS
translate_hits = 807, untranslate_hits = 823
10 (Inside) to (Outside-glas) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_172.31.31.0_28 NETWORK_OBJ_172.31.31.0_28 no-proxy-arp route-lookup
translate_hits = 110, untranslate_hits = 20748
11 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_35060 UDP_35060 description VOIP
translate_hits = 1, untranslate_hits = 2
12 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_33478 UDP_33478 description VOIP
translate_hits = 0, untranslate_hits = 0
13 (Outside-glas) to (Inside) source static any any destination static 89.255.2.194 192.168.0.24 service UDP_16000-17000 UDP_16000-17000 description VOIP
translate_hits = 0, untranslate_hits = 1
14 (Inside) to (Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
translate_hits = 0, untranslate_hits = 0
15 (any) to (Outside-glas) source dynamic any interface
translate_hits = 771225, untranslate_hits = 173305

Auto NAT Policies (Section 2)
1 (Inside) to (Outside-glas) source static DC-glas 89.255.2.195 service tcp ldaps ldaps
translate_hits = 0, untranslate_hits = 35
2 (Inside) to (Outside-glas) source static MailServer-OWA-glas 89.255.2.195 service tcp https https
translate_hits = 0, untranslate_hits = 5918
3 (Inside) to (Outside-glas) source static MailServer-WWW-glas 89.255.2.195 service tcp www www
translate_hits = 0, untranslate_hits = 868
4 (Inside) to (Outside-glas) source static Mailserver-SMTP 89.255.2.195 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 2264

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Erik Boss

‎07-26-2017 02:48 AM

Can we see output of

sh run object

sh run object-group

Just to double check - you are looking to create static NAT for Mailserver-SMTP on SMTP Port to 89.255.2.195 ?

0 Helpful

Erik Boss
Level 1
Level 1
In response to GRANT3779

‎07-26-2017 04:25 AM

I only have objects, no object-groups for this.

object network DC-glas
host 192.168.0.123

object network MailServer
host 192.168.0.123
object network MailServer-OWA
host 192.168.0.123
object network MailServer-WWW
host 192.168.0.123
object network MailServer-OWA-glas
host 192.168.0.123
object network MailServer-WWW-glas
host 192.168.0.123
object network MailServer-glas
host 192.168.0.123
object network Mailserver-SMTP
host 192.168.0.123
object network Extern-Mailserver
host 89.255.2.195
object network MAIL-OUTSIDE
host 89.255.2.195
object service TCP-25
service tcp destination eq smtp

I want the mailserver to have an outside IP-address of 89.255.2.195, because the mailserver is sending mails with the IP-address of the WAN interface.

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Erik Boss

‎07-26-2017 05:16 AM

I would try the following from configuration mode -

no nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL
no nat (any,Outside-glas) source dynamic any interface
object network Mailserver-SMTP
 no nat (Inside,Outside-glas) static 89.255.2.195 service tcp smtp smtp
nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE service TCP-25 TCP-25

nat (any, Outside-glas) after-auto source dynamic any interface
0 Helpful

Erik Boss
Level 1
Level 1
In response to GRANT3779

‎07-27-2017 04:44 AM

This morning I made the change.

It worked!

Thanks!

0 Helpful

Erik Boss
Level 1
Level 1
In response to Erik Boss

‎07-26-2017 01:42 AM

I added the NAT rule you mentioned.

nat (Inside,Outside-glas) source static Mailserver-SMTP Mailserver-SMTP destination static MAIL-OUTSIDE MAIL-OUTSIDE description MAIL on row 13

I checked the cloud spamfilter, still the same outside IP-address.

0 Helpful

Muhammed Safwan
Level 1
Level 1

‎07-25-2017 01:17 AM

You have below dynamic statement which matching before your static nat .

nat (any,Outside-glas) source dynamic any interface.

So I would suggest you to change the nat order, First static nat then dynamic nat.

You can simply delete and re-add the dynamic nat statement which will automatically change the nat order or else you can do it manually as well.

Regards,

Safwan

Pls rate helpful posts

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card