
ASA static PAT and global NAT

egthkaa20060417
Level 1

How can I set static PAT and global NAT for the same host at the same time?

For example, I would like to PAT host A smtp to host B smtp while NATting host A to host C.

static (DMZ,WAN) tcp A smtp B smtp netmask 255.255.255.255

static (LAN,WAN) A C netmask 255.255.255.255

When I try this, I get the overlapping problem.

Many thanks.

15 Replies

manasjai
Cisco Employee

Hi Steven,

You are getting an error because in one static you are specifying DMZ whereas in the other one you are specifying LAN, which means that host A is present in both LAN and DMZ, hence the error.

Please configure the statics as follows:

If the server is on the DMZ:

A is the real IP of the server (in the DMZ) and B and C are the translated IPs for SMTP and other traffic respectively.

static (DMZ,WAN) tcp A smtp B smtp netmask 255.255.255.255

static (DMZ,WAN) A C netmask 255.255.255.255

If the server is on the LAN:

A is the real IP of the server (in the LAN) and B and C are the translated IPs for SMTP and other traffic respectively.

static (LAN,WAN) tcp A smtp B smtp netmask 255.255.255.255

static (LAN,WAN) A C netmask 255.255.255.255

Thanks,

Manasi

Hi Manasi,

Actually, I want to do this:

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

where DMZ_MS01 is located in the DMZ and LAN_MS02 is in the LAN. LAN_MS02 is the backend mail server while DMZ_MS01 is the frontend email appliance. I would like to do this: when email is received from outside, I would like the email to go to DMZ_MS01, while when email goes out from LAN_MS02, I would like to use the address of PCCW_Sec_SMTP.

I got the overlapping problem.

Thanks.

Hi Steven,

If you do a sh run static you would find both the static statements.

Running a packet-tracer would show that when the packet comes in on the outside for port 25, it is sent to DMZ, and otherwise it is sent to LAN.

Could you initiate some real-time traffic and check if you are able to send and receive emails?

Cheers,

Manasi!!

Hi Manasi,

Actually, the rules I showed you in the previous post are copied from the running config of the ASA. It is working. When email comes in, the email goes to DMZ_MS01, and outgoing email from LAN_MS02 is translated as PCCW_Sec_SMTP. I posted the question before, asking about the overlapping problem, and got the answer that the rules really do overlap. Even though the rules are overlapping, it still works and gets incoming and outgoing email to and from different addresses. Because the firewall was configured by my ex-colleague, I don't know how he could configure it without an error. When I tried to configure similar rules, I got the error and failed to configure them. Thanks.

Hey Steven,

What we get on configuring that rule is a warning. It's not an error. You get a warning something like this: WARNING: mapped-address conflict with existing static.

Both the statics would still show up on sh run static and would work as expected.

The static PAT would take preference over the static NAT, and hence when the traffic comes in on the outside on port 25 it would be sent to the DMZ.

Cheers,

Manasi

Hi Manasi,

I tried to change the PAT rule from DMZ_MS01 to DMZ_IronPort, and it gave me the warning. I then tried to monitor the email and found that incoming email goes to LAN_MS02 directly instead of DMZ_MS01. Even when I changed the rule back, incoming email no longer went to DMZ_MS01. Please help. Thanks.

Can you send the output of sh run static | in PCCW_Sec_SMTP?

Hi Manasi,

Here is part of the sh run output:

name 202.xx.xx.xx PCCW_Pri_SMTP

name 202.xx.xx.xx PCCW_Sec_SMTP

name 172.16.0.253 DMZ_IronPort

name 172.16.0.25 DMZ_MS01
name 192.168.10.25 LAN_MS02
name 172.16.0.252 DMZ_IronPort_2

static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP ssh LAN_MS02 ssh netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP 27 LAN_MS02 27 netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) udp PCCW_Pri_SMTP domain LAN_MS02 domain netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Pri_SMTP www LAN_MS02 www netmask 255.255.255.255
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_Webmail https DMZ_MS01 https netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ftp DMZ_MS01 ftp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP ssh DMZ_MS01 ssh netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP 27 DMZ_MS01 27 netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP domain DMZ_MS01 domain netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP www DMZ_MS01 www netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,LAN) 172.16.0.0 172.16.0.0 netmask 255.255.255.0
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

Thanks.

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

The configuration is good!!

How does the output of packet-tracer look? (As in, what is the egress interface?)

packet-tracer input outside tcp 1.1.1.1 1024 < IP of PCCW_Pri_SMTP> 25 detailed

packet-tracer input outside tcp 1.1.1.1 1024 25 detailed

I am assuming that the packet is coming for the correct destination IP address.

After having a look at this output, we can apply a few captures on the interfaces.

Thanks,

Manasi

Hi Manasi,

Here is the output:

ciscoasa# packet-tracer input WAN tcp 1.1.1.1 1024 202.xx.xx.xx 25 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3b116a0, priority=1, domain=permit, deny=false
        hits=475430676, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
  match tcp DMZ host DMZ_IronPort_2 eq 25 WAN any
    static translation to PCCW_Pri_SMTP/25
    translate_hits = 0, untranslate_hits = 92100
Additional Information:
NAT divert to egress interface DMZ
Untranslate PCCW_Pri_SMTP/25 to DMZ_IronPort_2/25 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit tcp any host PCCW_Pri_SMTP object-group TCPforMailServices
object-group service TCPforMailServices tcp
port-object range ftp ssh
port-object range smtp smtp
port-object range 27 27
port-object range domain domain
port-object range www www
port-object eq https
port-object range 2525 2525
port-object range 50 51
port-object range 7781 7781
port-object range sqlnet sqlnet
port-object range 10000 10025
port-object range pop3 pop3
port-object range 135 135
port-object range 1600 1600
port-object range 3268 3268
port-object eq ldap
port-object range 691 691
port-object range 88 88
port-object range 500 500
port-object range 8080 8080
port-object range 8000 8000
port-object range 1080 1080
port-object range 6118 6118
port-object range 8009 8009
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3c57b20, priority=12, domain=permit, deny=false
        hits=91951, user_data=0x3c57ae0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0,
        dst ip=PCCW_Pri_SMTP, mask=255.255.255.255,
        dport range<0> : 25-25

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3b13da8, priority=0, domain=permit-ip-option, deny=true
        hits=13423668, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
  match tcp DMZ host DMZ_IronPort_2 eq 25 WAN any
    static translation to PCCW_Pri_SMTP/25
    translate_hits = 0, untranslate_hits = 92100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3c443c0, priority=5, domain=nat-reverse, deny=false
        hits=92096, user_data=0x3c424c8, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=DMZ_IronPort_2, mask=255.255.255.255, port=25

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255
  match tcp DMZ host DMZ_IronPort_2 eq 25 WAN any
    static translation to PCCW_Pri_SMTP/25
    translate_hits = 0, untranslate_hits = 92100
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3c41ca8, priority=5, domain=host, deny=false
        hits=3760590, user_data=0x3c424c8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=DMZ_IronPort_2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3b41f30, priority=0, domain=permit-ip-option, deny=true
        hits=106356792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 122094278, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop DMZ_IronPort_2 using egress ifc DMZ
adjacency Active
next-hop mac address 001d.09fb.ed75 hits 2792

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow


ciscoasa# packet-tracer input WAN tcp 1.1.1.1 1024 202.xx.xx.xx 25 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255
  match ip LAN host LAN_MS02 WAN any
    static translation to PCCW_Sec_SMTP
    translate_hits = 11049, untranslate_hits = 6925
Additional Information:
NAT divert to egress interface LAN
Untranslate PCCW_Sec_SMTP/0 to LAN_MS02/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit tcp any host PCCW_Sec_SMTP eq smtp log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3c51848, priority=12, domain=permit, deny=false
        hits=111634, user_data=0x3c51808, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=PCCW_Sec_SMTP, mask=255.255.255.255, port=25

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3b13da8, priority=0, domain=permit-ip-option, deny=true
        hits=13424508, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (LAN,WAN) tcp PCCW_Sec_SMTP 2525 LAN_MS02 smtp netmask 255.255.255.255
  match tcp LAN host LAN_MS02 eq 25 WAN any
    static translation to PCCW_Sec_SMTP/2525
    translate_hits = 0, untranslate_hits = 1403
Additional Information:
Forward Flow based lookup yields rule:
out id=0x3c27108, priority=5, domain=nat-reverse, deny=false
        hits=1480, user_data=0x3c267a0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=LAN_MS02, mask=255.255.255.255, port=25

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (LAN,WAN) tcp PCCW_Pri_SMTP ftp LAN_MS02 ftp netmask 255.255.255.255
  match tcp LAN host LAN_MS02 eq 21 WAN any
    static translation to PCCW_Pri_SMTP/21
    translate_hits = 0, untranslate_hits = 228
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3b53590, priority=5, domain=host, deny=false
        hits=98641958, user_data=0x3c29d08, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=LAN_MS02, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x3ae51a0, priority=0, domain=permit-ip-option, deny=true
        hits=117677122, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 122095323, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop LAN_MS02 using egress ifc LAN
adjacency Active
next-hop mac address 0018.8b33.d043 hits 21

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

Hi Steven,

If the following is in place, the egress interface for the second packet tracer should be DMZ and not LAN.

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

I am not sure why it is taking LAN in the second packet tracer output.

I request you to do the following :

clear xlate

no static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

Thanks,

Chirag

Hi Chirag,

After I tried your commands, the result is the same. Thanks.

Steven,

Most of the time people receive e-mail with their server on the DMZ, which cleans it up and sends it to the inside server. When mail gets sent out they send it directly from the server on the inside. The inside server only sends outbound and the DMZ server only receives inbound. Is this what you are trying to do?

If so you can accomplish that with the following:

static (DMZ,WAN) tcp PCCW_Pri_SMTP smtp DMZ_IronPort_2 smtp netmask 255.255.255.255

nat (LAN) 100 LAN_MS02 255.255.255.255

global (WAN) 100 PCCW_Pri_SMTP

-KS

Hi all,

I found out the source of the problem. The problem is the order in which I enter the rules. When I tried to run

no static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

clear xlate

this rule ends up below the rule static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255,

so the result is not what I wanted.

I need to run

no static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255

no static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255

static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255

clear xlate

Then the incoming email will go to the IronPort while outgoing email will go directly from the server LAN_MS02 with the address translated to PCCW_Sec_SMTP.

I will keep an eye on it for a period before confirming the solution.

Thanks to all of you.
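The ordering behaviour Steven found above is modelled in the following added example; it is not code from the thread or from Cisco. It assumes ASA 8.2-style statics are evaluated first-match in configuration order, resolves the thread's object names through a constructed name table, and uses a documentation placeholder for the public address that is masked as 202.xx.xx.xx on the page.

```python
"""Model of the static NAT/PAT ordering discussed in this thread (ASA 8.2 syntax): statics
match first-match in config order, so a whole-host static entered above a port PAT shadows it."""
from typing import Dict, List, Optional, Tuple

# Constructed name table mirroring the 'name' lines quoted in the thread; the public
# address was masked as 202.xx.xx.xx on the page, so a documentation placeholder is used.
NAMES = {"PCCW_Sec_SMTP": "203.0.113.2", "DMZ_IronPort": "172.16.0.253",
         "DMZ_MS01": "172.16.0.25", "LAN_MS02": "192.168.10.25"}
PORTS = {"smtp": 25, "ftp": 21, "ssh": 22, "www": 80, "https": 443, "domain": 53}

def parse_static(line: str) -> Dict:
    """Parse 'static (real,mapped) [tcp|udp mapped mport real rport | mapped real] netmask ...'."""
    tok = line.split()
    real_ifc, mapped_ifc = tok[1].strip("()").split(",")
    ip = lambda t: NAMES.get(t, t)
    port = lambda p: int(p) if p.isdigit() else PORTS[p]
    if tok[2] in ("tcp", "udp"):
        return dict(real_ifc=real_ifc, mapped_ifc=mapped_ifc, proto=tok[2], mapped_ip=ip(tok[3]),
                    mapped_port=port(tok[4]), real_ip=ip(tok[5]), real_port=port(tok[6]))
    return dict(real_ifc=real_ifc, mapped_ifc=mapped_ifc, proto=None, mapped_ip=ip(tok[2]),
                mapped_port=None, real_ip=ip(tok[3]), real_port=None)

def untranslate(statics: List[Dict], ingress: str, proto: str, dst_ip: str,
                dst_port: int) -> Optional[Tuple[str, str, int]]:
    """First-match un-NAT of an inbound packet: (egress_ifc, real_ip, real_port) or None."""
    for s in statics:
        if s["mapped_ifc"] != ingress or s["mapped_ip"] != dst_ip:
            continue
        if s["proto"] is None:                     # whole-host static claims every port
            return (s["real_ifc"], s["real_ip"], dst_port)
        if s["proto"] == proto and s["mapped_port"] == dst_port:
            return (s["real_ifc"], s["real_ip"], s["real_port"])
    return None

def shadowed_pats(statics: List[Dict]) -> List[Tuple[Dict, Dict]]:
    """Config check: (pat, earlier_static) pairs where a whole-host static placed above a
    static PAT on the same mapped interface and IP stops the PAT from ever matching."""
    return [(s, e) for i, s in enumerate(statics) if s["proto"] is not None
            for e in statics[:i] if e["proto"] is None
            and (e["mapped_ifc"], e["mapped_ip"]) == (s["mapped_ifc"], s["mapped_ip"])]

# Order as in the posted running config (working) versus the order produced by removing and
# re-adding only the PAT line, which the thread found sent inbound mail to LAN instead of DMZ.
WORKING = ["static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_MS01 smtp netmask 255.255.255.255",
           "static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255"]
REENTERED = ["static (LAN,WAN) PCCW_Sec_SMTP LAN_MS02 netmask 255.255.255.255",
             "static (DMZ,WAN) tcp PCCW_Sec_SMTP smtp DMZ_IronPort smtp netmask 255.255.255.255"]

def inbound_smtp_egress(config: List[str]) -> Optional[Tuple[str, str, int]]:
    """Where a WAN packet to PCCW_Sec_SMTP:25 lands under the given static order."""
    return untranslate([parse_static(l) for l in config], "WAN", "tcp", NAMES["PCCW_Sec_SMTP"], 25)
```

Running shadowed_pats over a full sh run static listing flags the same condition before a change is pushed, rather than after mail has already been misrouted.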
