09-29-2011 04:19 AM - edited 03-11-2019 02:32 PM
hello,
I hope someone can help me with this configuration:
outside with 1 public IP, security 0
inside with 128 public IPs, security 50
vlan with private IPs, security 50
I want to map, for outside mail on port 25, the inside address .138 to the vlan host with the private IP .5
internet -> outside -> ASA <- inside: public IP
<- vlan: inside private
access-list outside_access_in extended permit tcp any object obj_138 eq 25
access-list inside_access_in extended permit ip any any
access-list vlan_access_in extended permit ip any any
nat (inside,outside) source static net_128 net_128 destination static obj_any obj_any
object network net_vlan
nat (vlan,outside) dynamic interface
??
object network obj_private_5
nat (vlan,inside) static obj_138 service tcp 25 25
??
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group vlan_access_in in interface vlan
same-security-traffic permit inter-interface
I am not sure if this is possible and how to set the NAT.
Any help is welcome.
thanks
e.kiefer
09-30-2011 02:13 AM
Hi Dominic,
In ASA 8.3 or later, you need to specify the private IP address of the server on the outside access-list rather than the public IP, so yes, you would need to use the access-list that I mentioned.
Secondly, the NAT statements in the configuration are not correct; they are conflicting.
In your config you have:
nat (inside,outside) source static net_128 net_128 destination static obj_any obj_any
nat (inside,outside) source static net_128 net_128 destination static Roadis_CCNet Roadis_CCNet
nat (inside,outside) source static consel_server consel_server destination static Roadis_Consel Roadis_Consel
nat (inside,outside) source static consel_server consel_server destination static netz_Consel_Langgöns netz_Consel_Langgöns
nat (inside,outside) source static netz_euratio-gi netz_euratio-gi destination static netz_euratio-ffm netz_euratio-ffm
nat (vlan,outside) source static obj_private_5 net_128 service tcp_25 tcp_25
nat (vlan,inside) source static obj_private_5 obj_138 service tcp_25 tcp_25
The NATs in bold are conflicting. To resolve it, the first NAT statement should be at the bottom; otherwise only the first NAT statement would be hit every time and the second NAT statement would never be hit.
It should be:
nat (inside,outside) source static net_128 net_128 destination static Roadis_CCNet Roadis_CCNet
nat (inside,outside) source static consel_server consel_server destination static Roadis_Consel Roadis_Consel
nat (inside,outside) source static consel_server consel_server destination static netz_Consel_Langgöns netz_Consel_Langgöns
nat (inside,outside) source static netz_euratio-gi netz_euratio-gi destination static netz_euratio-ffm netz_euratio-ffm
nat (vlan,outside) source static obj_private_5 net_128 service tcp_25 tcp_25
nat (vlan,inside) source static obj_private_5 obj_138 service tcp_25 tcp_25
nat (inside,outside) source static net_128 net_128 destination static obj_any obj_any
Now, both NAT statements should work. If traffic for port 25 comes in, it would be redirected to the private server on the vlan interface. So you would need to delete the first NAT statement and then re-add it, so that it gets added at the bottom.
Hope that helps.
Thanks,
Varun
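The reason the reorder matters is that section-1 (manual) NAT rules on ASA 8.3+ are evaluated top-down and the first match wins, so a broad identity rule placed first shadows the narrower port-25 rule below it. The following is an added Python model of that evaluation, not part of the thread or of Cisco's code; it assumes the thread's public xxx.xxx.220.x prefix is 203.0.113.x and the SMTP client address is 198.51.100.7 (both constructed placeholders).

```python
import ipaddress

# Constructed example objects (the thread's xxx.xxx.220.x prefix is replaced by
# the documentation range 203.0.113.x as a placeholder).
ANY = ipaddress.ip_network("0.0.0.0/0")
NET_128 = ipaddress.ip_network("203.0.113.128/25")
OBJ_PRIVATE_5 = ipaddress.ip_network("192.168.23.5/32")

def nat(name, real_if, mapped_if, real_src, mapped_src, mapped_dst=ANY, port=None):
    """One section-1 static rule: 'nat (real_if,mapped_if) source static ...'."""
    return {"name": name, "real_if": real_if, "mapped_if": mapped_if, "real_src": real_src,
            "mapped_src": mapped_src, "mapped_dst": mapped_dst, "port": port}

def match_inbound(rules, src_ip, dst_ip, dst_port, ingress="outside"):
    """Evaluate rules top-down, first match wins, for a packet entering on `ingress`.
    A static rule is bidirectional: inbound, the packet's destination must fall in the
    rule's mapped source and its source in the rule's mapped destination.
    Returns (rule name, translated destination, egress interface) or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["mapped_if"] != ingress:
            continue
        if dst not in r["mapped_src"] or src not in r["mapped_dst"]:
            continue
        if r["port"] is not None and dst_port != r["port"]:
            continue
        # Identity NAT (real == mapped) leaves the address alone; a single-host real
        # object means the packet is untranslated to that one host.
        if r["real_src"].num_addresses == 1:
            new_dst = str(r["real_src"].network_address)
        else:
            new_dst = dst_ip
        return r["name"], new_dst, r["real_if"]
    return None

# Wide identity rule for the whole public /25 with no port restriction, as first posted.
IDENTITY_ANY = nat("inside-identity-any", "inside", "outside", NET_128, NET_128)
# Port-25 rule for the mail server on the vlan interface (mapped to net_128 as in the thread).
MAIL_25 = nat("vlan-mail-25", "vlan", "outside", OBJ_PRIVATE_5, NET_128, port=25)

ORIGINAL_ORDER = [IDENTITY_ANY, MAIL_25]   # the order that produced the teardown
FIXED_ORDER = [MAIL_25, IDENTITY_ANY]      # the order recommended in the answer

if __name__ == "__main__":
    pkt = ("198.51.100.7", "203.0.113.138", 25)   # constructed SMTP client -> public .138
    print("original:", match_inbound(ORIGINAL_ORDER, *pkt))
    print("fixed:   ", match_inbound(FIXED_ORDER, *pkt))
```

With the original order the SMTP packet is sent untranslated out the inside interface, where no host owns .138, which matches the "Built inbound TCP connection ... to inside" log line followed by a teardown; with the fixed order it is translated to 192.168.23.5 and sent to the vlan interface.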
09-29-2011 06:51 AM
Hi Dominic,
Can you send the output of "show run object" as well? This would help. I am not sure, but some of the NAT statements do not seem correct.
09-29-2011 07:39 AM
Hi Varun,
thanks for your reply.
The output is:
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net_128
subnet xxx.xxx.220.128 255.255.255.128
object network net_vlan
subnet 192.168.23.0 255.255.255.0
object network obj_138
host xxx.xxx.220.138
object network obj_private_5
host 192.168.23.5
09-29-2011 08:42 AM
Hi Dominic,
As far as I understand, you have a mail server on the vlan interface of the ASA, and you want to access it from the outside and the inside on ip xxx.xxx.220.138, the private ip of the server is 192.168.23.5. You want to access internet as well from the vlan interface. You would need the following:
If it is not correct, kindly let me know your requirement in a bit more detail.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net_128
subnet xxx.xxx.220.128 255.255.255.128
object network net_vlan
subnet 192.168.23.0 255.255.255.0
object network obj_138
host xxx.xxx.220.138
object network obj_private_5
host 192.168.23.5
object service tcp_25
service tcp source eq 25
nat (vlan,outside) source static obj_private_5 net_128 service tcp_25 tcp_25
object network net_vlan
nat (vlan,outside) dynamic interface
nat (vlan,inside) source static obj_private_5 obj_138 service tcp_25 tcp_25
access-list outside_access_in extended permit tcp any 192.168.23.5 eq 25
access-list inside_access_in extended permit ip any any
access-list vlan_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group vlan_access_in in interface vlan
same-security-traffic permit inter-interface
09-29-2011 09:34 AM
Hi,
we have a mail server with one NIC and the private IP.
From outside it should be reached on the inside IP .138, which maps to the vlan private IP.
On IP .138 there is no server NIC, just the ASA.
(Simple would be to give the server a second NIC with the .138, but that is not allowed on Microsoft SBS 2011.)
So is this possible with the ASA 5505 Security Plus license?
I tried your configuration but without success so far.
The log is showing the request, but then comes a teardown:
6 Sep 29 2011 18:09:40 302013 xxx.xxx.124.255 24402 xxx.xxx.220.138 25 Built inbound TCP connection 2319579 for outside:xxx.xxx.124.255/24402 (xxx.xxx.124.255/24402) to inside:xxx.xxx.220.138/25 (xxx.xxx.220.138/25)
Thank you in advance
09-29-2011 11:14 AM
Can you provide the complete configuration? You can change the IPs if you want. Moreover, is the server behind the inside interface or the vlan interface?
Varun
09-30-2011 01:44 AM
Hey Varun,
the server is behind the vlan interface. (I have sent the complete config via PM.)
You have posted me:
access-list outside_access_in extended permit tcp any 192.168.23.5 eq 25
In the config I have:
access-list outside_access_in extended permit tcp any host 192.168.23.5 eq 25
That is right, yes?
Thank you!
09-30-2011 02:25 AM
Varun, you are SO GREAT!
It worked.
Thank you very much... I have spent hours and could not see the problem.
09-30-2011 02:27 AM
Hey.... that's awesome. Thanks a lot
Cheers
Varun