NAT SMTP traffic from Outside to Inside

Tim Roelands
Level 1

Hi,

Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not, because the mail server also functions as a data and Active Directory server for my local domain.

I've tried to configure the ASA for a while now and threw it in the corner for a couple of months out of frustration. Now that I have some time left during the Christmas break, I decided to start again.

My purpose is to NAT SMTP / POP traffic from the internet, through the ASA, to my (inside) server. This is what I have so far. With this config I'm unable to telnet to the inside server (192.168.1.10) from a remote location.

ASA Version 8.4(3)
!
hostname ciscoasa
enable password cE8UUNd encrypted
passwd 2KFQ.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 95.*.*.218 255.255.255.248
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server1_smtp
host 192.168.1.10
object network server1_pop3
host 192.168.1.10
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq pop3
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network server1_smtp
nat (inside,outside) static interface service tcp smtp smtp
object network server1_pop3
nat (inside,outside) static interface service tcp pop3 pop3
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 95.*.*.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c83596db7d0a6ea38611e0cfe631038
: end

I can ping 192.168.1.10 from the ASA CLI. I can ping DNS 4.2.2.2 from the CLI (internet access). I can telnet to the server from the inside LAN, using: telnet 192.168.1.10 25.

But I can't telnet from an outside location using: telnet 95.*.*.218 25

Because my server is on the inside interface (different subnet), do I need an additional route?

Could anyone help?


5 Replies

Tim Roelands
Level 1

Here is a packet trace:

ciscoasa# packet-tracer input outside tcp 1.1.1.1 23456 95.*.*.218 25 detai$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb407f80, priority=1, domain=permit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network server1_smtp
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:
NAT divert to egress interface inside
Untranslate 95.*.*.218/25 to 192.168.1.10/25

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb02fa60, priority=13, domain=permit, deny=false
        hits=0, user_data=0xc9571340, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.1.10, mask=255.255.255.255, port=25, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb40be78, priority=0, domain=inspect-ip-options, deny=true
        hits=0, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb978308, priority=70, domain=inspect-smtp, deny=false
        hits=1, user_data=0xcb977c08, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb3e5b70, priority=0, domain=host-limit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network server1_smtp
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb8b9e78, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xcac7e980, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=192.168.1.10, mask=255.255.255.255, port=25, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xcb3e2218, priority=0, domain=inspect-ip-options, deny=true
        hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Do you have the Windows integrated firewall disabled, or is there an exception for SMTP and POP3 traffic? Have you double-checked the network settings on the Windows server?
What does netstat -an show? Is the server listening on tcp25 and tcp110?
When you try to telnet from the remote location, did you specify port 25 (instead of the default 23)?
Can you ping the ASA from the remote location?
Can you ping the Windows server from the ASA?

I would recommend redefining obj_any to 192.168.1.0 255.255.255.0 instead of 0.0.0.0 0.0.0.0 and disabling esmtp inspection in the global policy.

Netstat -an shows:  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING

The server functions at this time over another gateway - 192.168.1.254 - (ISP) in the same LAN. So server settings should be fine.

I can ping from the ASA to the server:

ciscoasa# ping 192.168.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I can ping the ASA from a remote location over the internet:

PS C:\Windows\system32> ping 95.*.*.218

Pingen naar 95.*.*.218 met 32 bytes aan gegevens:
Antwoord van 95.*.*.218: bytes=32 tijd=14 ms TTL=245
Antwoord van 95.*.*.218: bytes=32 tijd=13 ms TTL=245
Antwoord van 95.*.*.218: bytes=32 tijd=14 ms TTL=245
Antwoord van 95.*.*.218: bytes=32 tijd=13 ms TTL=245

Ping-statistieken voor 95.*.*.218:
    Pakketten: verzonden = 4, ontvangen = 4, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 13ms, Maximum = 14ms, Gemiddelde = 13ms

redefine obj_any to 192.168.1.0 255.255.255.0 (done)

disable esmtp inspection in global policy (done)

But still no go..

Thanks Jernej!

You should change default gateway to .253 on your server and that should do it.

Capture the traffic with Wireshark: verify that incoming packets are delivered to your server but are sent to .254 instead of .253.

Yes Sir! You are the man Jernej! You can't imagine the joy! Thanks man...many many thanks!
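The failure in this thread is a return-path problem, not a NAT or ACL problem: the packet-tracer output shows the SYN being un-NATed, permitted and delivered, but the server's SYN-ACK leaves through the other gateway (.254), which holds no connection state for it, so the client never completes the handshake. The following is an added example (not code from the thread or from Cisco) that models the ASA 8.4 inbound path the way the trace shows it: static PAT on the interface address first, then the outside ACL evaluated against the real (un-NATed) address, then connection state that the reply has to match. The addresses follow the thread; the outside address 95.0.0.218 is a constructed placeholder for the masked 95.*.*.218, the client 1.1.1.1 and port 23456 are the values used in the packet-tracer command, and the Asa class, Packet class and attempt_smtp_connect function are hypothetical names for this simulation.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses as in the thread; the outside address is a constructed placeholder
# for the masked 95.*.*.218.
ASA_OUTSIDE = "95.0.0.218"
ASA_INSIDE = "192.168.1.253"
SERVER = "192.168.1.10"
ISP_ROUTER = "192.168.1.254"   # the other gateway the server was using
CLIENT = "1.1.1.1"             # packet-tracer source used in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class Asa:
    """Minimal model of the 8.4 inbound path: un-NAT, then the outside ACL
    checked against real addresses, then connection state for the reply."""
    static_pat: dict                  # (mapped_ip, mapped_port) -> (real_ip, real_port)
    acl: set                          # permitted (real_ip, real_port) pairs
    conns: dict = field(default_factory=dict)

    def inbound(self, pkt):
        # Phase UN-NAT: "nat (inside,outside) static interface service tcp smtp smtp"
        real = self.static_pat.get((pkt.dst, pkt.dport))
        if real is None:
            return None, "no static PAT for destination: dropped"
        # Phase ACCESS-LIST: outside_access_in permits the real address, as in 8.3+
        if real not in self.acl:
            return None, "outside_access_in denies real address: dropped"
        # Phase FLOW-CREATION: remember the half-open connection
        self.conns[(pkt.src, pkt.sport, *real)] = "SYN_SEEN"
        return Packet(pkt.src, pkt.sport, real[0], real[1], pkt.flags), "forwarded to inside"

    def outbound(self, pkt):
        # Return traffic is only translated back if the ASA saw the forward flow
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.conns:
            return None, "no connection state: dropped"
        self.conns[key] = "ESTABLISHED"
        mapped = next(m for m, r in self.static_pat.items() if r == (pkt.src, pkt.sport))
        return Packet(mapped[0], mapped[1], pkt.dst, pkt.dport, pkt.flags), "translated to outside"


def server_next_hop(dst, default_gateway):
    """The server's own routing decision: connected LAN directly, all else via its default gateway."""
    if ipaddress.ip_address(dst) in LAN:
        return dst
    return default_gateway


def attempt_smtp_connect(server_default_gateway):
    """Run one SYN / SYN-ACK exchange and report where it breaks, if anywhere."""
    asa = Asa(
        static_pat={(ASA_OUTSIDE, 25): (SERVER, 25), (ASA_OUTSIDE, 110): (SERVER, 110)},
        acl={(SERVER, 25), (SERVER, 110)},
    )
    syn = Packet(CLIENT, 23456, ASA_OUTSIDE, 25, "SYN")
    delivered, verdict = asa.inbound(syn)
    if delivered is None:
        return {"result": "failed", "where": "asa inbound", "why": verdict}

    # The server answers; where the SYN-ACK goes is decided by the server, not by the ASA.
    syn_ack = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport, "SYN-ACK")
    hop = server_next_hop(syn_ack.dst, server_default_gateway)
    if hop != ASA_INSIDE:
        return {"result": "failed", "where": "server return path",
                "why": f"SYN-ACK sent to {hop}, which holds no state for this connection"}

    out, verdict = asa.outbound(syn_ack)
    if out is None:
        return {"result": "failed", "where": "asa outbound", "why": verdict}
    return {"result": "established", "where": None, "why": verdict,
            "client_sees": (out.src, out.sport),
            "state": asa.conns[(CLIENT, 23456, SERVER, 25)]}


if __name__ == "__main__":
    for gw in (ISP_ROUTER, ASA_INSIDE):
        print(gw, attempt_smtp_connect(gw))
```

Running it with the server's default gateway set to 192.168.1.254 reproduces the thread's symptom (the SYN is forwarded, the reply never returns through the ASA); with 192.168.1.253 the reply is matched against the stored connection and translated back to the interface address on port 25, which is what the remote telnet client expects to see. A Wireshark capture on the server confirms the same thing the model shows: the SYN arrives with the ASA as the source MAC, but the SYN-ACK is addressed to the MAC of .254.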
