10-28-2019 06:02 AM - edited 10-28-2019 06:05 AM
Hi, I am looking for help with my NAT configuration on Cisco ASA 5516-x with Firepower services connected to FMC.
Our local subnet LOCAL.NET.0.0/16 already has an Internet connection, with public IP XX.X.228.50. To obtain it I created a typical dynamic NAT:
object network lan_local_LOCAL.NET.0.0-16
nat (inside,outside) dynamic interface
Also, I created a NAT rule to reach the Exchange server from outside:
nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789002 SVC_30064789002
nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789003 SVC_30064789003
nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789004 SVC_30064789004
It works as it should. As you can see, we use different IP addresses for Internet access and for the Exchange server. The outside IP for Internet access is XX.X.228.50.
The outside IP for the Exchange server is XX.X.228.54.
Now we need to create a NAT rule to NAT all outside traffic of the Exchange server to XX.X.228.54 instead of XX.X.228.50, and when I create one, for example:
object network MX2_LOCAL.NET.0.21
nat (inside,outside) dynamic IP_XX.X.228.54
It works, but from time to time some packets are NATed by this rule and some packets by the main local-net NAT rule:
object network lan_local_LOCAL.NET.0.0-16
nat (inside,outside) dynamic interface
I checked it by looking at the public IP address in a web browser and pressing F5: in 50% of cases the public IP is XX.X.228.54, but in the others it is XX.X.228.50. This is the issue; it prevents our mail server from working correctly.
How do I handle this issue? How can I freeze the public IP for the Exchange server?
10-28-2019 02:11 PM - edited 10-29-2019 11:34 AM
object network MX2_LOCAL.NET.0.21
nat (inside,outside) dynamic IP_XX.X.228.54
!
This needs to be changed to:
!
object network MX2_LOCAL.NET.0.21
nat (inside,outside) static IP_XX.X.228.54
!
Or you can move this rule into NAT section 1. In that case your NAT rules will be like this:
!
object network IP_XX.X.228.54
host XX.X.228.54
!
nat (inside,outside) source static MX2_LOCAL.NET.0.21 IP_XX.X.228.54
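To show why both suggested fixes pin the Exchange host to XX.X.228.54, here is an added Python model of the ASA NAT evaluation order (my own illustration, not ASA code or anything from the thread). It assumes the order documented for the ASA: section 1 (manual NAT) first, then section 2 (object NAT) with static rules before dynamic rules and, within a type, the rule covering fewer real addresses first; the inside addresses 10.0.0.0/16 and 10.0.0.21 are constructed stand-ins for LOCAL.NET.0.0/16 and MX2_LOCAL.NET.0.21, and section 3 is left out.

```python
# Added illustration (not ASA code): simplified model of the ASA NAT
# evaluation order as assumed from the Cisco ASA NAT documentation.
#   Section 1 (manual NAT, global 'nat ... source static') is checked first;
#   Section 2 (object NAT) next: static rules before dynamic, and within a
#   type the rule covering fewer real addresses first. Section 3 omitted.
# Real addresses are constructed stand-ins: 10.0.0.0/16 for LOCAL.NET.0.0/16,
# 10.0.0.21 for MX2_LOCAL.NET.0.21. Mapped IPs keep the thread's masked form.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str      # object or rule name as used in the thread
    section: int   # 1 = manual NAT, 2 = object (auto) NAT
    static: bool   # static translation (True) or dynamic (False)
    real: str      # real (inside) network in CIDR form
    mapped: str    # mapped (outside) address


def sort_key(rule):
    # Lower tuple sorts first: section, static-before-dynamic, fewer real IPs.
    size = ipaddress.ip_network(rule.real).num_addresses
    return (rule.section, 0 if rule.static else 1, size)


def select_rule(rules, src_ip):
    """Return the first rule in evaluation order whose real network covers src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=sort_key):
        if ip in ipaddress.ip_network(rule.real):
            return rule
    return None


def mapped_for(rules, src_ip):
    rule = select_rule(rules, src_ip)
    return rule.mapped if rule else None


# Rule sets mirroring the thread; 'interface' resolves to the outside IP XX.X.228.50.
LAN_DYNAMIC = NatRule("lan_local_LOCAL.NET.0.0-16", 2, False, "10.0.0.0/16", "XX.X.228.50")
ORIGINAL = [LAN_DYNAMIC, NatRule("MX2_LOCAL.NET.0.21", 2, False, "10.0.0.21/32", "XX.X.228.54")]
FIX_STATIC = [LAN_DYNAMIC, NatRule("MX2_LOCAL.NET.0.21", 2, True, "10.0.0.21/32", "XX.X.228.54")]
FIX_SECTION1 = [LAN_DYNAMIC, NatRule("MX2 manual NAT", 1, True, "10.0.0.21/32", "XX.X.228.54")]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("static", FIX_STATIC), ("section 1", FIX_SECTION1)):
        r = select_rule(rules, "10.0.0.21")
        print(f"{label:10s} Exchange host -> {r.mapped} via {r.name} (section {r.section});"
              f" other LAN host -> {mapped_for(rules, '10.0.5.7')}")
```

The model is deterministic, so it does not reproduce the intermittent 50/50 behaviour reported above; it only shows that a static object rule or a section 1 manual rule is evaluated ahead of the /16 dynamic rule, while every other LAN host still falls through to the interface address.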