07-02-2014 06:50 AM - edited 03-11-2019 09:24 PM
Hello,
Outside (ip: 10.7.128.172)
              |
DMZ: Ironport (10.2.129.95) --------- ASA
              |
Inside: Exchange Server (10.2.128.43)
I wanted to migrate from an ASA 5520 (version 8.4.2) to an ASA 5515-X (version 9.1.3). The ASA is configured with the following interfaces: Inside, Outside and DMZ. In the inside zone I have the Exchange server and in the DMZ zone I have a Cisco IronPort which relays the SMTP packets to the internal Exchange server.
With the 5520 I used the following commands and NAT worked perfectly:
object CultexMail-1
host 10.2.128.43
nat (internal,outside) static 10.7.128.172 service tcp pop3 pop3
object CultexMail-2
host 10.2.128.43
nat (internal,outside) static 10.7.128.172 service tcp www www
object ironport
host 10.2.129.95
nat (dmz,outside) static 10.7.128.172 service tcp smtp smtp
etc.
After replacing the firewall with the new one I could receive emails, but I could not access the web interface of Exchange from outside and I could not send outgoing emails.
After adding the following commands I was able to access the web interface of my Exchange, but had no luck with sending outgoing emails:
object ironport-test
host 10.2.129.95
nat (dmz,outside) dynamic 10.7.128.172
object cultexmail-test
host 10.2.128.43
nat (inside, outside) dynamic 10.7.128.172
Do you have any idea how the NAT rules should be for this implementation (for Cisco ASA version 9.1)? Thank you.
07-02-2014 12:34 PM
I would first suggest that you change your NAT rules from dynamic to static, as you only have one IP. Also you will need to specify the ports that you are translating, otherwise you will be NATing all ports to the one server and no other PC on the network will be able to reach the internet.
object cultexmail-test
host 10.2.128.43
nat (inside, outside) static 10.7.128.172 service tcp http http
change this first, and then test. Report back the results please.
--
Please remember to select a correct answer and rate helpful posts
07-03-2014 12:43 AM
Hello MariusGurrerud,
Initially, as you suggested, I used the static NAT rules with my new 5515 firewall. These are the same rules I have now on my Cisco 5520, and the mail servers work right:
nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL // exempt WAN mail traffic from translation, because branches use the internal DNS server
// port forwarding incoming smtp traffic to ironport and the other protocols (http,https,imap) to internal exchange server.
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135
The result with the ASA 5515 version 9.1.3 was that I could get incoming mail but nothing else. I found an article on the web, "http://tsbraindump.blogspot.gr/2013/04/port-address-translation-and-nat-in.html", that proposed (as weird as it seems, with ASA 9.1) to create a dynamic NAT rule for outgoing mail traffic. Then I added the following rule to the above configuration:
object cultexmail-test
host 10.2.128.43
nat (inside, outside) dynamic 10.7.128.172
After adding the above command I could access the Exchange server webpage, but I still cannot send mails from my internal Exchange to outside (for example from my mail server to Yahoo mail).
07-14-2014 05:13 AM
Hi,
I guess you have an overlapping NAT rule. Can you check if any conflicting rule persists in your configs? Try getting the "sh nat" output and cross-verify.
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Regards
Karthik
07-17-2014 12:14 AM
Hello,
I do not see any difference between the "sh nat detail" output and my configuration commands:
Manual NAT Policies (Section 1)
//exempt WAN traffic from translation, because branches use the headquarters DNS server to resolve addresses.
1 (outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
translate_hits = 7, untranslate_hits = 9
Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
10.34.97.252/31, 10.34.97.254/32
Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32
//NAT rules for site-to-site VPN - do not NAT
2 (inside_data) to (outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.0/24, Translated: 10.2.128.0/24
Destination - Origin: 192.168.15.0/24, Translated: 192.168.15.0/24
//disabled rule
3 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
//mail nat rules
Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172 service tcp pop3 pop3
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172 service tcp www www
translate_hits = 0, untranslate_hits = 7
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172 service tcp imap4 imap4
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172 service tcp https https
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172 service tcp 135 135
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 1
Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: smtp Mapped: smtp
THE CONFIGURATION OF ASA
nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
nat (inside_data,outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
nat (lan_Servers,outside1) source dynamic cultexmail extmail_ip inactive
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135
object-group network CultMAIL
network-object object Cultexmail-1
network-object object Cultexmail1
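The cross-check Karthik asks for (does "sh nat detail" agree with what the config is supposed to do?) can be partly automated. The script below is an added example written for this thread, not code posted by anyone in it. It parses the Section 2 (object NAT) entries of "show nat detail", answers "which rule, if any, translates a given new outbound connection?", and lists mapped sockets that two static rules claim for different real hosts. The relevant ASA behaviour it models: an object NAT rule carrying "service tcp X X" applies to an outbound connection only when the real host's source port is X, so an Exchange server opening an SMTP session from an ephemeral port matches none of the port-forward rules and leaves the ASA with its real source address unless some other rule covers it. The sample output is constructed in the format of the post above; the second smtp entry for 10.2.129.27 (the old anti-spam host mentioned later in the thread) is added deliberately beside the IronPort entry to exercise the collision check, and the object names are taken from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Service names as the ASA prints them in "show nat detail" (numeric ports pass through).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "pop3": 110, "imap4": 143, "https": 443}

# Header line of one auto (object) NAT entry, e.g.
# "1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3"
RULE_RE = re.compile(
    r"^\s*\d+\s+\((?P<real_ifc>[^)]+)\)\s+to\s+\((?P<mapped_ifc>[^)]+)\)\s+"
    r"source\s+(?P<kind>static|dynamic)\s+(?P<obj>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<real_port>\S+)\s+(?P<mapped_port>\S+))?"
)
# Detail line that carries the real and mapped host addresses of the entry.
ORIGIN_RE = re.compile(
    r"Source - Origin:\s*(?P<real>[\d.]+)/\d+,\s*Translated:\s*(?P<mapped>[\d.]+)/\d+"
)


def port_number(name: str) -> int:
    return int(name) if name.isdigit() else PORT_NAMES[name.lower()]


def parse_auto_nat(show_nat_output: str) -> List[Dict]:
    """Return the Section 2 (object NAT) entries of 'show nat detail' as dicts."""
    rules: List[Dict] = []
    current: Optional[Dict] = None
    in_section2 = False
    for line in show_nat_output.splitlines():
        if "Auto NAT Policies" in line:      # everything before this is Section 1 (manual NAT), skipped
            in_section2 = True
            continue
        if not in_section2:
            continue
        m = RULE_RE.match(line)
        if m:
            current = {
                "real_ifc": m["real_ifc"], "mapped_ifc": m["mapped_ifc"],
                "kind": m["kind"], "object": m["obj"],
                "real_ip": None, "mapped_ip": m["mapped"], "proto": m["proto"],
                "real_port": port_number(m["real_port"]) if m["real_port"] else None,
                "mapped_port": port_number(m["mapped_port"]) if m["mapped_port"] else None,
            }
            rules.append(current)
            continue
        o = ORIGIN_RE.search(line)
        if o and current is not None:
            current["real_ip"], current["mapped_ip"] = o["real"], o["mapped"]
    return rules


def match_outbound(rules: List[Dict], real_ifc: str, mapped_ifc: str,
                   proto: str, src_ip: str, src_port: int) -> Optional[Dict]:
    """First object NAT rule that translates a *new outbound* connection, or None.

    A rule carrying 'service <proto> <real> <mapped>' only applies when the real
    host's own port is <real>; for an outbound connection that is the source port,
    so a client-chosen ephemeral port never matches a port-forward rule.  Rules are
    walked in the order the ASA prints them, which is the order it evaluates them.
    """
    for r in rules:
        if (r["real_ifc"], r["mapped_ifc"], r["real_ip"]) != (real_ifc, mapped_ifc, src_ip):
            continue
        if r["proto"] is None or (r["proto"] == proto and r["real_port"] == src_port):
            return r
    return None


def mapped_collisions(rules: List[Dict]) -> List[Tuple[Tuple, List[str]]]:
    """Mapped sockets (ifc, ip, proto, port) that two or more static rules map to
    different real hosts: only one of them can win the untranslate for inbound."""
    claims: Dict[Tuple, set] = {}
    for r in rules:
        if r["kind"] == "static" and r["mapped_port"] is not None:
            key = (r["mapped_ifc"], r["mapped_ip"], r["proto"], r["mapped_port"])
            claims.setdefault(key, set()).add(r["real_ip"])
    return [(k, sorted(v)) for k, v in claims.items() if len(v) > 1]


# Constructed sample in the format of the thread's "show nat detail" output.  The
# second smtp entry (old anti-spam host 10.2.129.27) is placed next to the IronPort
# entry on purpose so that mapped_collisions() has something to report.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip inactive
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172   service tcp https https
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: https Mapped: https
3 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.2.129.27/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp
4 (dmz_webservers) to (outside1) source static ironport 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp
"""

if __name__ == "__main__":
    rules = parse_auto_nat(SAMPLE_SHOW_NAT)
    # Exchange opening an outbound SMTP session: ephemeral source port, destination port 25.
    hit = match_outbound(rules, "lan_Servers", "outside1", "tcp", "10.2.128.43", 54321)
    print("outbound smtp from Exchange:",
          hit["object"] if hit else "no rule - packet leaves with real source 10.2.128.43")
    for key, hosts in mapped_collisions(rules):
        print("collision on", key, "claimed by", hosts)
```

Run against real output, the "no rule" result for an outbound flow is the thing to look for: it means the only rules touching that host are port forwards, and outbound sessions from it need a separate rule (a dynamic PAT or an untranslated static) before they can reach the internet with a routable source address.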
07-17-2014 01:28 AM
OK, I think I have at least one error in my configuration... I post the configuration of my current firewall:
(outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
translate_hits = 27799, untranslate_hits = 243
Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
10.34.97.252/31, 10.34.97.254/32
Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32
Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172 service tcp pop3 pop3
translate_hits = 9, untranslate_hits = 7257
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172 service tcp www www
translate_hits = 1, untranslate_hits = 5237
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172 service tcp imap4 imap4
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172 service tcp https https
translate_hits = 475, untranslate_hits = 167881
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172 service tcp 135 135
translate_hits = 0, untranslate_hits = 3279
Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172 service tcp smtp smtp
translate_hits = 0, untranslate_hits = 176491
Source - Origin: 10.2.129.27/32, Translated: 10.7.128.172/32
Service - Protocol: tcp Real: smtp Mapped: smtp
CultEmailEDGE=not ironport
a) At NAT section 1 there is no second NAT rule for my site-to-site VPN and this is right, because I do not use NAT or PAT to translate the addresses of my internal users to my ASA's outside interface address. So I do not have to exempt any traffic from 10.2.128.0 to 192.168.15.0. In addition I have a mistake in this rule, because the 10.2.128.0 network is on interface "lan_servers" and not "internal_users".
b) If you check again the above NAT rules of my current firewall, the rule about SMTP port forwarding forwards SMTP traffic to an old anti-spam server. We replaced this server with the Cisco IronPort. Our provider NATed the real address of the IronPort (10.2.129.95) to a public address (x.x.x.x). Afterwards we requested from our provider to change the MX records of our mail server mail.X.gr, and add the public address of the IronPort with the same priority. If we request the MX records from a public server we see:
10(priority) mail.X.gr(hostname) X.X.X.X (mail.public address)
(this X.X.X.X public address is translated to the 10.7.128.172 address. We want to do port forwarding with this address... X.X.X.X -> 10.7.128.172)
10(priority) ironport.x.gr(hostname) Y.Y.Y.Y (ironport public address)
(Y.Y.Y.Y is the public address of the IronPort, Y.Y.Y.Y -> 10.2.129.95)
The real question now is: do I need the last rule to port forward any SMTP packet from 10.7.128.172 to my IronPort?
07-02-2014 09:32 PM
Also this document may shed some light https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Regards,
Yadhu
07-02-2014 10:12 PM
Hi,
Do you see any logs for NAT removal or some error messages related to NAT?
Because there is a bug which might be related to this issue.
CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
Symptom:
Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733
However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.
Conditions:
All of the following conditions must be matched to see this issue:
1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration
Workaround:
Reloading the ASA after the offending NAT rule is removed will resolve the issue.
Bug Fixed in release : 9.1.5(1) or 9.1.2(100)
Regards
Karthik
07-03-2014 01:01 AM
Dear Karthik,
First of all thank you for your help. In my new firewall initially I had those rules:
nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135
I copied them from my old 5520 ASA firewall (version 8.4.2) with my network objects. From my configuration, do you think that I may have a problem with this bug? I used ASA real-time logging at the migration time but did not see any weird logs about NAT, and I would like to add that with the command "sh nat detail" I could see the counts of "untranslated_hits" increasing for the right rules. This is correct, as I have NAT rules of type "NAT (inside,outside)" and I had incoming traffic.
07-03-2014 01:44 AM
It seems to be the bug only, as per my knowledge, while looking at the issue.
Can you remove all the rules and object-groups once and restart the firewall... then configure the object-groups and NAT rules once again... and then try all the required access.
Either you can go with a TAC case or you can try the next OS version which has the fix for this bug.
Regards
Karthik
07-03-2014 02:06 AM
Although this could be a bug... though I doubt it, since there is an email security appliance involved here... I would rule out the IronPort first before starting to remove configs and reload, etc.
--
Please remember to select a correct answer and rate helpful posts
07-13-2014 11:45 PM
Hi!
Finally I tried the firewall with the new firmware version 9.2 and I was disappointed. NAT did not work at all, either for incoming or outgoing flows. As I was advised, I left only the static NAT rules for the port forwarding of incoming flows... I could not send an outgoing email, I could not get an incoming email and I could not access the Exchange OWA. In addition I observed that Cisco changed the NAT rules a bit in version 9.2.
But this time I have logs and I have used the packet-tracer commands that you told me to use. So using:
asayppo# packet-tracer input lan_Servers tcp 10.2.128.43 12345 4.2.2.2 25 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b275070, priority=1, domain=permit, deny=false
hits=609599, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=lan_Servers, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.7.128.169, outside1
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group lan_servers_list in interface lan_Servers
access-list lan_servers_list extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b993090, priority=13, domain=permit, deny=false
hits=11859, user_data=0x7fff2430ab80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=lan_Servers, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
hits=73294, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b27cd60, priority=0, domain=inspect-ip-options, deny=true
hits=28792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=lan_Servers, output_ifc=any
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c67dbf0, priority=13, domain=dynamic-filter, deny=false
hits=9911, user_data=0x7fff2c67d120, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=lan_Servers, output_ifc=any
Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c682620, priority=12, domain=UNKNOWN:59, deny=false
hits=10632, user_data=0x7fff2c6825c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=lan_Servers, output_ifc=any
Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
match access-list IPS
policy-map my-ips-policy
class ips
ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3034f1c0, priority=51, domain=ids, deny=false
hits=19652, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside1
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2c67b480, priority=13, domain=dynamic-filter, deny=false
hits=19652, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside1
Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2c6815d0, priority=12, domain=UNKNOWN:59, deny=false
hits=19652, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside1
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
hits=73296, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
hits=30666, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49672, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: lan_Servers
input-status: up
input-line-status: up
output-interface: outside1
output-status: up
output-line-status: up
Action: allow
-----------------------------------------
Also:
packet-tracer input outside1 tcp 4.2.2.2 12345 10.7.128.172 25 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b122cd0, priority=1, domain=permit, deny=false
hits=630195, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside1, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CultEmailEDGE
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
NAT divert to egress interface dmz_webservers
Untranslate 10.7.128.172/25 to 10.2.129.95/25
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface outside1
access-list OUTSIDE_INBOUND extended permit tcp any object ironport eq smtp
access-list OUTSIDE_INBOUND remark *** ALLOW PACKETS FROM OUTSIDE INWARDS ***
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b8a6070, priority=13, domain=permit, deny=false
hits=1135, user_data=0x7fff24326080, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
hits=83579, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
match access-list IPS
policy-map my-ips-policy
class ips
ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3034df10, priority=51, domain=ids, deny=false
hits=12295, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c608460, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=12235, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c679b20, priority=13, domain=dynamic-filter, deny=false
hits=12295, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c681230, priority=12, domain=UNKNOWN:59, deny=false
hits=12295, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=any
Phase: 10
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map CONNS
match access-list CONNS
policy-map CONNS
class CONNS
set connection conn-max 0 embryonic-conn-max 500 random-sequence-number enable
set connection timeout idle 1193:02:47 embryonic 0:20:00 half-closed 0:10:00
embryonic 0:20:00
DCD: disabled, retry-interval 0:00:15, max-retries 5
DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy CONNS interface dmz_webservers
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2cfa4340, priority=8, domain=conn-set, deny=false
hits=10059, user_data=0x7fff2cf9c8f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.2.129.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=dmz_webservers
Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network CultEmailEDGE
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2b87c580, priority=6, domain=nat-reverse, deny=false
hits=748, user_data=0x7fff2b87aa60, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
input_ifc=outside1, output_ifc=dmz_webservers
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
hits=83581, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2b5ae440, priority=0, domain=inspect-ip-options, deny=true
hits=19775, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=dmz_webservers, output_ifc=any
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56870, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside1
input-status: up
input-line-status: up
output-interface: dmz_webservers
output-status: up
output-line-status: up
Action: allow
-------------------------------------------------
In addition I saw two strange logs:
1. The first one had to do with asymmetric NAT:
5 Jul 13 2014 11:34:34 305013 65.55.111.141 51143 10.2.129.95 25 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside1:65.55.111.141/51143 dst dmz_webservers:10.2.129.95/25 denied due to NAT reverse path failure
----------
2. Secondly, I was getting a lot of incoming SMTP traffic to an internal address that I do not use at all, and of course the flow was denied:
4 Jul 13 2014 11:34:29 106023 95.211.122.21 43456 10.2.145.22 25 Deny tcp src outside1:95.211.122.21/43456 dst inside_data:10.2.145.22/25 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]
-------------------------
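The two log lines above are the kind of evidence worth pulling out of a busy ASA log automatically rather than by eye. The script below is an added example written for this thread (not code from any post in it). It parses rows in the layout the poster pasted (severity, date, time, syslog ID, source, source port, destination, destination port, message text) as well as the plain "%ASA-<severity>-<id>:" syslog form, extracts the flow and access-group fields that messages 305013 and 106023 carry, and sorts denies into three buckets: NAT reverse-path failures (forward and reverse flow matched different NAT rules, so those rules need comparing), ACL denies aimed at a host and port the firewall is not meant to serve (scanner and misdirected-mail noise), and ACL denies aimed at a service that is supposed to be published (the access-list itself is blocking it). The first two sample lines are the ones pasted above; the last two are constructed with documentation addresses to exercise the other two code paths. The "published" set of real hosts and ports is an input you supply.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Row as pasted from the ASDM real-time log viewer (column layout assumed from the two
# rows in the thread): severity, date, time, syslog id, src, sport, dst, dport, text.
ASDM_RE = re.compile(
    r"^(?P<sev>\d)\s+\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d\s+(?P<id>\d{6})\s+"
    r"[\d.]+\s+\d+\s+[\d.]+\s+\d+\s+(?P<text>.*)$"
)
# The same messages in plain syslog form: %ASA-<severity>-<id>: <text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# Flow fields shared by the 305013 and 106023 message texts.
FLOW_RE = re.compile(
    r"\b(?P<proto>tcp|udp|icmp)\s+src\s+(?P<in_ifc>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"\s+dst\s+(?P<out_ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
ACL_RE = re.compile(r'by access-group "(?P<acl>[^"]+)"')

REASONS = {"305013": "nat-reverse-path-failure", "106023": "acl-deny"}


def parse_asa_line(line: str) -> Optional[Dict]:
    """Parse one ASDM row or %ASA syslog line into a flat record, or None if neither."""
    m = ASDM_RE.match(line.strip()) or SYSLOG_RE.search(line)
    if not m:
        return None
    rec: Dict = {"id": m["id"], "severity": int(m["sev"]),
                 "reason": REASONS.get(m["id"], "other"), "text": m["text"]}
    f = FLOW_RE.search(m["text"])
    if f:
        rec.update(proto=f["proto"], in_ifc=f["in_ifc"], src=f["src"], sport=int(f["sport"]),
                   out_ifc=f["out_ifc"], dst=f["dst"], dport=int(f["dport"]))
    a = ACL_RE.search(m["text"])
    if a:
        rec["acl"] = a["acl"]
    return rec


def triage(records: List[Dict], published: Set[Tuple[str, int]]) -> Dict:
    """Sort deny records into three buckets.

    published: (real host, port) pairs the firewall is supposed to forward to.
    """
    out: Dict = {"asymmetric_nat": [], "denied_published": [], "unsolicited": Counter()}
    for r in records:
        if "dst" not in r:                      # no flow fields parsed; nothing to classify
            continue
        if r["reason"] == "nat-reverse-path-failure":
            out["asymmetric_nat"].append((r["in_ifc"], r["src"], r["out_ifc"], r["dst"], r["dport"]))
        elif r["reason"] == "acl-deny" and (r["dst"], r["dport"]) in published:
            out["denied_published"].append((r["src"], r["dst"], r["dport"]))
        elif r["reason"] == "acl-deny":
            out["unsolicited"][(r["dst"], r["dport"])] += 1
    return out


# First two lines: pasted in the thread.  Last two: constructed (documentation addresses)
# to show the %ASA syslog form and the "denied_published" bucket.
SAMPLE_LOG_LINES = [
    "5 Jul 13 2014 11:34:34 305013 65.55.111.141 51143 10.2.129.95 25 Asymmetric NAT rules matched "
    "for forward and reverse flows; Connection for tcp src outside1:65.55.111.141/51143 "
    "dst dmz_webservers:10.2.129.95/25 denied due to NAT reverse path failure",
    "4 Jul 13 2014 11:34:29 106023 95.211.122.21 43456 10.2.145.22 25 Deny tcp src "
    'outside1:95.211.122.21/43456 dst inside_data:10.2.145.22/25 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside1:203.0.113.9/40001 dst inside_data:10.2.145.22/25 '
    'by access-group "OUTSIDE_INBOUND" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside1:198.51.100.7/5555 dst dmz_webservers:10.2.129.95/25 '
    'by access-group "OUTSIDE_INBOUND" [0x0, 0x0]',
]

if __name__ == "__main__":
    recs = [r for r in map(parse_asa_line, SAMPLE_LOG_LINES) if r]
    result = triage(recs, published={("10.2.129.95", 25)})
    for bucket, items in result.items():
        print(bucket, dict(items) if isinstance(items, Counter) else items)
```

A 305013 entry names the real destination after untranslation (dmz_webservers:10.2.129.95/25 here), which tells you which port-forward rule handled the forward flow; the rule to compare it against is whichever one the ASA picks for a connection from that real host back towards the source interface.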
07-03-2014 02:39 AM
From what you mentioned Karthik, I think the best option is to upgrade my firmware. On the Cisco site I found only version 9.1.5. Is 9.1.5(1) a special OS version, and where can I find it?
07-03-2014 02:54 AM
Hi,
You can use version 9.2.2, where it got fixed.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-762517
Let's see if the issue gets resolved for you. Hoping for the best.
Regards
Karthik
07-04-2014 03:23 AM
Hello nkarthikeyan,
I upgraded the ASA version to 9.2.2 and I think it got fixed. I am not sure yet. I removed any extra NAT commands that I added last week and left the original NAT commands of my 5520 firewall. I created a lab environment to check the HTTP protocol (HTTP forwarding) and it worked. This Sunday I will try the migration again and I hope the SMTP protocol will work fine for both incoming and outgoing mail traffic.
I will let you know about the results of 5515 integration and I will rate all answers. Thank you in advance.