ASA5515 SMTP port forwarding

Jim Mueller
Level 1

Hello,

We are migrating to the Symantec email cloud solution and will need to forward all mail arriving from a specific group of IP ranges (currently contained in an object group) to an inside IP (also defined as an obj-group). What is the best practice to accomplish this?

I found this link, http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html#forwarding, specifically the section labeled "Port redirection (Forwarding) with statics". That seems to be what I want... but do I set up the cloud interface to send the SMTP traffic to the public IP of my ASA, or to the public IP defined in the translation rule? I'm assuming the latter?

I've tried the static command listed in the document and it seems to be deprecated in our release (9.2(2)4). Is the NAT syntax below correct?

object-group network SymantecCloudSecuritySvcs
 network-object 216.82.240.0 255.255.240.0
 network-object 67.219.240.0 255.255.240.0
 network-object 85.158.136.0 255.255.248.0
 network-object 95.131.104.0 255.255.248.0
 network-object 46.226.48.0 255.255.248.0
 network-object 117.120.16.0 255.255.248.0
 network-object 193.109.254.0 255.255.254.0
 network-object 194.106.220.0 255.255.254.0
 network-object 195.245.230.0 255.255.254.0
 network-object 103.9.96.0 255.255.252.0
object-group network ExchHubArrayXLAT
 network-object host PU.BL.IC.IP
object-group network ExchHubArray
 network-object host 192.168.0.134
access-list inside-in extended permit tcp object-group ExchHubArrayXLAT object-group SymantecCloudSecuritySvcs eq smtp
access-list internet-in extended permit tcp object-group SymantecCloudSecuritySvcs object-group ExchHubArrayXLAT eq smtp
! static (inside,outside) TCP PU.BL.IC.IP smtp 192.168.0.134 smtp netmask 255.255.255.255
nat inside (inside,outside) source static ExchHubArrayXLAT SMTPIN destination static ExchHubArray SMTPINTRANS

Thanks!

4 Replies

Akshay Rastogi
Cisco Employee

Hi Jim,

What ASA version are you running? I am not sure because of the NAT statements mentioned in the post: you have mentioned one NAT with syntax supported in pre 8.3 and one with post 8.3.

What I have understood from the description is that you wish to forward emails coming from some IP ranges (SymantecCloudSecuritySvcs) behind the Outside interface to a server IP which is behind the inside interface.

Use the below sample:

Version pre 8.3:

static (inside,outside) tcp <mapped-ip of internal server> 25 <real ip of internal server> 25 netmask 255.255.255.255

Add an access-list on the outside interface with your IP ranges as source and the mapped IP as destination IP, with port 'eq 25' or 'eq 443' (for web-based email).

Post 8.3:

object network obj-internal-server
 host <real ip of server>
 nat (inside,outside) static <mapped-ip> service tcp 25 25

Add the same thing for 443 if required.

Add an access-list on the outside interface with your IP ranges as source and the real IP as destination IP, with port 'eq 25' or 'eq 443' (for web-based email).

Set up your cloud interface to send the SMTP traffic to the IP mentioned in the translation rule in both cases.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

We're using 9.2(2)4, which I mentioned in the original post. Your NAT syntax isn't being accepted; it doesn't like the static option in that position. It seems to want something like this:

nat (inside,outside) source static ...

This is what I have outside of the NAT command, will this work?

object-group network ExchHubArray
 description Contains single internal IP of e-mail farm
object-group network ExchHubArrayXLAT
 description Contains single public IP for public NAT
object-group network SymantecCloudSecuritySvcs
 description Contains Networks used by cloud provider
access-list internet-in extended permit tcp object-group SymantecCloudSecuritySvcs object-group ExchHubArray eq smtp

Hi Jim,

I had mentioned statements for both the versions.

Yes, the access-list mentioned is correct. Place the same on the Outside interface. Use the below statement for NAT:

object network obj-ExchHubArray
 host 192.168.0.134
 nat (inside,outside) static <mapped-ip, the same one mentioned in ExchHubArrayXLAT> service tcp 25 25

Add the same thing for 443 if required (for web-based email).

Also, if this mapped address is in a different subnet than the Outside interface subnet, then enter 'arp permit-nonconnected' in configuration terminal mode. With this, the ASA would respond to ARP requests sent by your ISP router.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

I opened a TAC case to completely answer all my questions.
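A complete post-8.3 version of the configuration discussed in the replies above, as an added example that is not from the original thread or from Cisco. It reuses the object names and addresses from the original post, assumes the interfaces are named inside and outside and that the ACL internet-in is bound to outside, keeps PU.BL.IC.IP as the placeholder for the mapped address, and uses 198.51.100.10 as a constructed non-provider address for the verification step.

```cisco
! Real server with a port-restricted static object NAT: only TCP/25 on the
! mapped address PU.BL.IC.IP is forwarded to the hub transport server.
object network obj-ExchHubArray
 host 192.168.0.134
 nat (inside,outside) static PU.BL.IC.IP service tcp 25 25
!
! Source ranges of the cloud mail service (as listed in the original post)
object-group network SymantecCloudSecuritySvcs
 network-object 216.82.240.0 255.255.240.0
 network-object 67.219.240.0 255.255.240.0
 network-object 85.158.136.0 255.255.248.0
 network-object 95.131.104.0 255.255.248.0
 network-object 46.226.48.0 255.255.248.0
 network-object 117.120.16.0 255.255.248.0
 network-object 193.109.254.0 255.255.254.0
 network-object 194.106.220.0 255.255.254.0
 network-object 195.245.230.0 255.255.254.0
 network-object 103.9.96.0 255.255.252.0
!
! Post-8.3 the interface ACL matches the REAL (untranslated) destination,
! so the rule names the inside address, not PU.BL.IC.IP. Limiting the
! source to the provider ranges keeps the forwarded port closed to the
! rest of the Internet; the explicit deny with log gives visibility of
! direct-to-port attempts that bypass the cloud service.
access-list internet-in extended permit tcp object-group SymantecCloudSecuritySvcs host 192.168.0.134 eq smtp
access-list internet-in extended deny tcp any host 192.168.0.134 eq smtp log
access-group internet-in in interface outside
!
! Only needed when PU.BL.IC.IP is outside the outside interface's subnet
! (see the reply above):
! arp permit-nonconnected
!
! Verification: simulate an inbound SMTP connection from one provider range
! (expected result ALLOW) and from a constructed non-provider address
! (expected result DROP at the access-list phase), then inspect the
! translation.
! packet-tracer input outside tcp 216.82.240.10 40000 PU.BL.IC.IP 25
! packet-tracer input outside tcp 198.51.100.10 40000 PU.BL.IC.IP 25
! show nat detail
! show xlate
```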
