cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2195
Views
0
Helpful
4
Replies

Cisco ASA 5510 version 9.1 Nat to the Outside for Email Server

johnhuston
Level 1
Level 1

I have researched in the forums here and I cannot find the answer.  Probably my lack of being able to use the search function correctly.

Problem:

I need to nat my email server to the outside so it will receive email and allow web interface.

Inside network:  192.168.1.0/24

Outside network: 2.2.2.104/29

Inside IP             192.168.1.8

Outside IP:          2.2.2.108

Ports:  25,80,443 and 587

Solution:

I cannot find a clear cut easy to ready simple example on CCO or using Google.

If you have the answer, thank you in advance for your help.

 

4 Replies 4

Poonam Garg
Level 3
Level 3

Hello John,

Assuming that 192.168.1.8 is the ip of your email server and 2.2.2.108 is the ip of your ASA outside interface and your server is listening on actual ports for the traffic, You can use Static Port Translation using Auto NAT.

1. Create an object network for Real and translated address

object network SERVER_PAT_OUTSIDE

host 2.2.2.108

object network SERVER_PRIVATE_ADD

host 192.168.1.8

nat(inside,outside) static SERVER_PAT_OUTSIDE service tcp 25 25

nat(inside,outside) static SERVER_PAT_OUTSIDE service tcp 80 80

nat(inside,outside) static SERVER_PAT_OUTSIDE service tcp 443 443

nat(inside,outside) static SERVER_PAT_OUTSIDE service tcp 587 587

 

Ports are listed in the order real (actually configured on server) and then mapped (translated)

Refer: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#pgfId-1725745

 

HTH

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

 

Since you have a /29 subnet I presume that you can allocate one public IP address for this server. In that case the configurations is pretty simple. You can configure an Auto NAT / Network Object NAT

 

object network MAIL-SERVER
 host 192.168.1.8
 nat (inside,outside) static 2.2.2.108

 

I am not sure if you have an ACL attached to your ASAs external interface yet but the below ACL should handle that

 

access-list OUTSIDE-IN remark Traffic allowed to the Mail Server
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 25
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 80
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 443
access-list OUTSIDE-IN permit tcp any object MAIL-SERVER eq 587

 

access-group OUTSIDE-IN in interface outside

 

Notice with the ACL example that if you already have an ACL in use on your external interface then use that ACLs name and create the same rules. If on the other hand you have no interface ACL in that interface then you can use the above ACL. The naming of the ACL is up to you and you might have different named interfaces.

 

If you can only afford to do Static PAT (Port Forward) then the other post suggestions idea is OK but notice that in that situation for each Port Forward / Static PAT you will need its own "object". You wont be able to configure all the "nat" statements under a single "object". You dont have to configure an "object" for the public IP address as you can use the public IP address directly in the "nat" statement that is configured under the "object".

 

If you want to read up on some info about the new NAT configuration format and see some examples you can take a look at a document I wrote in 2013. You can find it here:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

 

Hope this helps :)

 

- Jouni

Jouni,

 

Thank you for your help.  A couple things.

1.)  Thank you for the link.  This an excellent document and I will use it.

2.)   I do have an outside interface and the the email server is the only thing that I will be natting for now

       to the outside.  The outside interface is at .110 and the email server is at .108.

With my answers, does this change anything you wrote above?  Sorry I am new to this so I don't know enough to ask the right question let alone know the right answer.

 

Again, many thanks for your help.
 

Hi,

 

The Static NAT configuration I mentioned above should do the trick for the server. It will bind the local/real IP address to the mentioned public IP address for all traffic between the internal and external network.

 

The ACL configuration is also fine if you dont have any ACLs configured yet for your external interface. Naturally you would use the interface names you have configured on your ASA in the NAT configurations you insert and you can choose the "object" and "access-list" names as you wish.

 

Naturally if the connections still dont work after doing the configurations we can always have a look at the ASA configurations to find the cause of the problem.

 

- Jouni

Review Cisco Networking for a $25 gift card