07-18-2013 02:22 AM - edited 03-11-2019 07:13 PM
Hi folks,
I've got a new ASA 5512-X, ASA 9.1(2), ASDM 7.1(3).
It seems impossible to define NAT so that I can reach a mail server behind the firewall. My configuration is shown below. From inside out, no problems. But reaching the mail server on 192.168.0.212 from the outside seems impossible.
Also, ASDM Public Servers is unusable if I want to define connections to the IP of the external interface. What IP address should I use, if not the one of the outside interface?
Anybody got a clue?
Best regards,
Peter
ASA Version 9.1(2)
!
hostname mygate
domain-name mylocaldomain.local
-----
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 95.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.101 255.255.0.0
!
------
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.201
 name-server 78.xxx.xxx.xxx
 name-server 78.xxx.xxx.xxx
 domain-name mylocaldomain.local
object network Server_Mail
 host 192.168.0.212
object service SMTP_Service
 service tcp destination eq smtp
access-list outside_access_in extended permit object SMTP_Service any object Server_Mail
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network Server_Mail
 nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 95.xxx.xxx.yyy 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
-----
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect xdmcp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sunrpc
  inspect netbios
policy-map global-policy
 class global-class
  inspect icmp
  inspect dns
  inspect ftp
  inspect esmtp
!
service-policy global-policy global
smtp-server 192.168.0.212
prompt hostname context
----
: end
07-18-2013 02:29 AM
Hi,
The problem is with NAT ordering.
Make the following changes:
no nat (inside,outside) source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
Do notice that making this change removes all existing connections through the firewall to the Internet, as the translation is removed and created again.
What the above change actually does is change the priority of your default Dynamic PAT rule.
Now it's configured in Section 1 as Manual NAT. This means that it always overrides your Static PAT configuration for the mail server, which is in Section 2 because it's a Network Object NAT.
When we add the "after-auto" parameter to the command, we move the Dynamic PAT rule to the last section, Section 3, and therefore the Static PAT will start to work.
If you want to read some more about the new NAT 8.3+ format, take a look at a document I wrote on the CSC:
https://supportforums.cisco.com/docs/DOC-31116
Hope this clarifies things.
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
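The section precedence Jouni describes, as an added example that is not part of the thread: a small Python model where rules are matched first-hit in Section 1, then 2, then 3, checked against the mail server's own SMTP traffic on the inside. Rule names, the `NatRule` class and the probe logic are assumptions of this model, not ASA internals; the addresses and ports are the thread's.

```python
# Added example: a model of ASA 8.3+ NAT section precedence, not code from the thread.
# Section 1 = manual NAT, Section 2 = network-object NAT, Section 3 = manual NAT
# with after-auto. First matching rule wins, section by section, so a broad rule
# in an earlier section shadows a narrower rule in a later one (simplified model).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 manual, 2 object, 3 manual after-auto
    src: str                     # real source; "any" means 0.0.0.0/0
    proto: Optional[str] = None  # None matches any protocol (dynamic PAT)
    port: Optional[int] = None   # real port for static PAT; None = any port

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        net = ip_network("0.0.0.0/0" if self.src == "any" else self.src)
        return (ip_address(src_ip) in net
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port))

def first_match(rules: List[NatRule], src_ip: str, proto: str, port: int) -> Optional[str]:
    """Section 1, then 2, then 3; within a section, configured order (sorted is stable)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches(src_ip, proto, port):
            return rule.name
    return None

def shadowed(rules: List[NatRule]) -> List[str]:
    """Rules that can never be hit: an earlier rule already matches the most
    specific traffic they were written for (their own network, proto and port)."""
    ordered = sorted(rules, key=lambda r: r.section)
    hidden = []
    for i, rule in enumerate(ordered):
        net = ip_network("0.0.0.0/0" if rule.src == "any" else rule.src)
        probe = (str(net.network_address), rule.proto or "tcp", rule.port or 1)
        if any(earlier.matches(*probe) for earlier in ordered[:i]):
            hidden.append(rule.name)
    return hidden

# The thread's static PAT for the mail server is object NAT, hence Section 2.
STATIC_SMTP = NatRule("Server_Mail static PAT tcp/25", 2, "192.168.0.212/32", "tcp", 25)
# As posted: 'nat (inside,outside) source dynamic any interface' is manual NAT, Section 1.
BROKEN = [NatRule("dynamic PAT any->interface", 1, "any"), STATIC_SMTP]
# Jouni's fix: 'after-auto' moves the same dynamic PAT to Section 3.
FIXED = [NatRule("dynamic PAT any->interface (after-auto)", 3, "any"), STATIC_SMTP]
```

Running `shadowed(BROKEN)` flags the mail server's static PAT as unreachable, while `shadowed(FIXED)` returns nothing; other inside hosts still hit the dynamic PAT in both cases.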
07-18-2013 02:44 AM
Thanks Jouni! You made my day!
Best regards,
Peter