10-02-2013 08:44 AM - edited 03-11-2019 07:46 PM
Hi, I've an ASA with this relevant config:
ASA Version 9.1(1)
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
object network obj-192.168.2.20
host 192.168.2.20
object network obj-1.1.1.2
host 1.1.1.2
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
object network obj-192.168.2.20
nat (inside,outside) static obj-1.1.1.2
Now I have to allow access to a web server from a specific Internet address, 2.2.2.2.
Both the web server and all other inbound access are made via a different IP address, 1.1.1.2.
I'm having some problems configuring this second item, and I need help.
Which is the best way to overcome this problem?
TIA
FR
10-02-2013 10:25 AM
So you want to allow host 2.2.2.2 to access your web server 1.1.1.2? If so, you already have that access in place according to this ACE:
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
If you need to allow 2.2.2.2 access on port 80, then just add another ACE,
e.g.
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq http
10-02-2013 10:41 AM
Hello Fran,
Not sure what you mean:
I mean you already have the policies in place for this:
object network obj-192.168.2.20
nat (inside,outside) static obj-1.1.1.2
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
Now i have to allow access to a web server from a specific Internet Address 2.2.2.2.
Both web server and all other inbound access are made via a different IP Address 1.1.1.2
So now a user on the outside, 2.2.2.2, will be accessing your web server.
Is your server 192.168.2.20? And also, what do you mean by
Both web server and all other inbound access are made via a different IP Address 1.1.1.2
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-02-2013 03:33 PM
Hello Saqib and Julio
Many thanks for your replies.
Unfortunately, I could not be as clear as I would have liked:
I need to allow access to the web server with private IP 192.168.2.30 via the public IP 1.1.1.2.
The internal web server is different from the mail server (different machines, as you can see in the picture).
I think twice NAT solves my problem, but I cannot form the rule.
On the other hand, I need to keep the 1:1 NAT 192.168.2.20/1.1.1.2 or my emails get blacklisted.
Once more,
TIA
FR
10-02-2013 04:03 PM
Hello Francisco,
That's the thing. You are already using a one-to-one mapping, where you basically map all available ports on 1.1.1.2 to the SMTP server.
You will need to have a different IP address in order to map port 80 to the internal server, or, instead of using a one-to-one translation for the SMTP server, map the right ports and leave 80 available for the SMTP server.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-02-2013 04:16 PM
Hello Julio,
Here is where I need some help:
When I tried to map the "right ports and leave 80 available"... I got stuck on blacklists because the emails went out with the outside interface address 1.1.1.1, not with 1.1.1.2.
I couldn't solve this...
(I've already bookmarked your website)
Once more
Thanks for your help
FR
10-02-2013 04:41 PM
(I've already bookmarked your website)
That's awesome hehe
Yeah, I have seen this in the past.
You could do that NAT (leaving port 80 off) and also a policy NAT, basically saying that when that server goes to any outside SMTP server it gets translated to 1.1.1.2.
Did you try that Policy NAT before?
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-02-2013 04:47 PM
Hello again Julio
Thank you very much for your support.
No, I haven't tried policy NAT.
Could you please give me a clue?
Kind Regards
FR
10-02-2013 05:09 PM
This would be based on the requirement.
Let's say your SMTP server will need to communicate with the host 8.8.8.8.
So you can do the port forwarding for the ports as you did before (when it was being blacklisted), so you can reserve TCP port 80 for the HTTP server, and then:
object network 8.8.8.8
host 8.8.8.8
exit
object service Dsmtp
service tcp destination eq 25
exit
nat (inside,outside) source static obj-192.168.2.20 obj-1.1.1.2 destination static 8.8.8.8 8.8.8.8 service Dsmtp Dsmtp
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
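The port-forwarding plus policy-NAT design described in the post above, written out in full as an added example (this is not configuration taken from the thread). It uses the addresses from the thread, assumes the web server is 192.168.2.30, and the object names obj-mail-*, obj-web-http, obj-8.8.8.8 and svc-smtp are chosen here. Whatever dynamic PAT carries the rest of the outbound traffic is assumed to exist already and is not shown.

```cisco
! --- Remove the existing one-to-one translation for the mail server ---
object network obj-192.168.2.20
 no nat (inside,outside) static obj-1.1.1.2

! --- Section 2 (auto NAT): one static PAT per published port.
!     Auto NAT allows a single nat line per object, so each port gets its
!     own object for the same real host (object names are assumptions).
object network obj-mail-smtp
 host 192.168.2.20
 nat (inside,outside) static obj-1.1.1.2 service tcp smtp smtp
object network obj-mail-pop3
 host 192.168.2.20
 nat (inside,outside) static obj-1.1.1.2 service tcp pop3 pop3
object network obj-mail-imap4
 host 192.168.2.20
 nat (inside,outside) static obj-1.1.1.2 service tcp imap4 imap4
object network obj-mail-https
 host 192.168.2.20
 nat (inside,outside) static obj-1.1.1.2 service tcp https https

! --- TCP/80 on 1.1.1.2 is now free for the web server (assumed 192.168.2.30) ---
object network obj-web-http
 host 192.168.2.30
 nat (inside,outside) static obj-1.1.1.2 service tcp www www

! --- Section 1 (manual/twice NAT, evaluated before auto NAT): when the
!     mail server itself opens an SMTP session to 8.8.8.8, its source is
!     translated to 1.1.1.2 instead of the outside interface address.
!     The service object carries the *destination* port, so this matches
!     the outbound direction only; inbound SMTP from 8.8.8.8 has an
!     ephemeral source port and still lands on the static PAT above.
object network obj-8.8.8.8
 host 8.8.8.8
object service svc-smtp
 service tcp destination eq smtp
nat (inside,outside) source static obj-192.168.2.20 obj-1.1.1.2 destination static obj-8.8.8.8 obj-8.8.8.8 service svc-smtp svc-smtp

! --- ACLs on the outside interface reference the real (untranslated) hosts ---
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
access-list OUT_IN extended permit tcp host 2.2.2.2 host 192.168.2.30 eq www

! --- Exec-mode checks: confirm rule order and that outbound SMTP leaves as 1.1.1.2 ---
show nat detail
packet-tracer input inside tcp 192.168.2.20 40000 8.8.8.8 25
```

The packet-tracer output should show the phase NAT hitting the section 1 rule with the source translated to 1.1.1.2; if it instead shows the interface address, the manual rule is either not in section 1 or the service object was written with a source port rather than a destination port.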
10-02-2013 05:27 PM
Julio
Once more, "muchas gracias" (many thanks).
Since my SMTP server has to be available "to the world", I can't do it like you suggest.
May I use any any for the destination? It would be based on service only.
Something like:
nat (inside,outside) source static obj-192.168.2.20 obj-1.1.1.2 destination static any any service Dsmtp Dsmtp
Or,
since I know that my web server is only accessed by 2.2.2.2:
nat (inside,outside) source static obj-192.168.2.30 obj-1.1.1.2 destination static 2.2.2.2 2.2.2.2
This would be in section 1 of the NAT table (before the auto NAT / 1:1 NAT referred to before).
I don't know if these statements conflict with each other.
TIA
FR
10-02-2013 05:31 PM
Hello Francisco,
Yes, you can,
Use Any Any
Regards,
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
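Francisco's second option (keep the existing 1:1 translation for the mail server and steer only 2.2.2.2 to the web server), written out as an added example that is not configuration from the thread. It assumes the addresses in the thread and the object names obj-192.168.2.30, obj-2.2.2.2 and svc-www-src, which are chosen here. It also adds the service restriction to port 80, because a section 1 rule without one matches every port from 2.2.2.2.

```cisco
! --- Section 2 (auto NAT): the existing one-to-one for the mail server
!     stays exactly as it is, so outbound mail keeps 1.1.1.2 as its source.
object network obj-192.168.2.20
 nat (inside,outside) static obj-1.1.1.2

! --- Objects for the web server and the single permitted client
!     (object names are assumptions; the addresses come from the thread).
object network obj-192.168.2.30
 host 192.168.2.30
object network obj-2.2.2.2
 host 2.2.2.2

! The web server is the *source* side of the twice NAT rule below, so its
! listening port is written as a source port: TCP/80 on the real host maps
! to TCP/80 on 1.1.1.2.
object service svc-www-src
 service tcp source eq www

! --- Section 1 (manual/twice NAT), evaluated before section 2 ---
! Only traffic between 2.2.2.2 and 1.1.1.2 on TCP/80 is steered to
! 192.168.2.30. Everything else addressed to 1.1.1.2, SMTP from 2.2.2.2
! included, falls through to the one-to-one above, so the two rules do
! not conflict. Without the service clause this rule would match every
! port from 2.2.2.2 and would divert that host's mail traffic as well.
nat (inside,outside) source static obj-192.168.2.30 obj-1.1.1.2 destination static obj-2.2.2.2 obj-2.2.2.2 service svc-www-src svc-www-src

! --- ACL on the outside interface references the real (untranslated) address ---
access-list OUT_IN extended permit tcp host 2.2.2.2 host 192.168.2.30 eq www

! --- Exec-mode checks: the first trace must end at 192.168.2.30,
!     the second at 192.168.2.20 ---
show nat detail
packet-tracer input outside tcp 2.2.2.2 40000 1.1.1.2 80
packet-tracer input outside tcp 2.2.2.2 40000 1.1.1.2 25
```

The `show nat detail` output lists the manual rule under "Manual NAT Policies (Section 1)" ahead of the "Auto NAT Policies (Section 2)" entry for obj-192.168.2.20; that ordering is what makes the port-restricted rule win for 2.2.2.2:80 while leaving every other flow to the one-to-one.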
10-21-2013 01:21 PM
Thank you for your precious help.
I've forgotten to mark your answer as correct, but thanks to your support I solved my case.
Big hug
Francisco