Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
0
Helpful
5
Replies

ASA STATIC NAT ISSUE

arumugasamy
Level 1
Level 1

‎11-03-2010 10:07 PM - edited ‎03-11-2019 12:04 PM

Pros,

ASA firewall with 3 zones inside,outside,dmz are configured. The front end email server in dmz was natted to the public IP (static NAT) and MX  record also updated.

The firewall outside IP is x.x.x.171 (Public)

Email Nated IP address x.x.x.170 (Public)

show xlate shows global x.x.x.170 local y.y.y.12

y.y.y.12 is email front end server in dmz.

nat(dmz) 1 0.0.0.0

global (ouside) 1 interface

static (dmz,outside) x.x.x.170 y.y.y.12 netmask 255.255.255.255.

ACL applied in outside with required ports are opened.

The issue is that the user get the email and the header shows that it received with public IP x.x.x.171 of firewall outside interface instead of the MX record IP of x.x.x.170.

How can we solve this issue.

sami

Labels:
0 Helpful
5 Replies 5

syedmubarakahmed
Level 1
Level 1

‎11-03-2010 10:46 PM

Hi Sami,

It looks like the issue of Source NAT vs Destination NAT. You have not mentioned the version of your software.

Adding the following line should fix this for you.

static (outside,dmz) y.y.y.12 x.x.x.170 netmask 255.255.255.255

Cheers,

Mubarak

0 Helpful

arumugasamy
Level 1
Level 1
In response to syedmubarakahmed

‎11-04-2010 12:37 AM

Syed,

Should I remove the current static nat and then apply yours and test the status?

0 Helpful

syedmubarakahmed
Level 1
Level 1
In response to arumugasamy

‎11-04-2010 01:45 AM

No don't remove existing NAT. Add this one as well.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to syedmubarakahmed

‎11-04-2010 03:45 AM

Syed, this is incorrect, you shouldn't need to add the following line:

static (outside,dmz) y.y.y.12 x.x.x.170 netmask 255.255.255.255

Arumugasamy, the existing static NAT statement is already sufficient:

static (dmz,outside) x.x.x.170 y.y.y.12 netmask 255.255.255.255

Please kindly perform a "clear xlate" to clear existing connection. You might be using the .171 earlier before configuring the static NAT statement therefore it still uses .171 for outbound mail (as you have nat/global pair statements) for outbound traffic.

0 Helpful

syedmubarakahmed
Level 1
Level 1

‎02-15-2011 08:16 PM

Hi,

You can try creating a more specific NAT to achieve this for outbound traffic.

nat(dmz) 2 y.y.y.12 255.255.255.255

global (ouside) 2 x.x.x.170 netmask 255.255.255.255

Thanks,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card