09-30-2013 10:03 AM - edited 03-11-2019 07:45 PM
We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address. Thus, the NAT'd address is different than for incoming. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Thanks,
Andrew
09-30-2013 10:15 AM
Hi,
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
Though naturally I can give you an example that includes both the Dynamic PAT for all users and the Dynamic PAT for the mail servers, as well as the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
 host 10.0.0.1
 nat (inside,outside) static 10.10.10.140
The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also, but I prefer Auto NAT / Network Object NAT.
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
 host 10.10.10.140
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we are entering this into the ASA before the next Dynamic PAT, which catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority), so it won't override any other NAT rules like the above Static NAT.
If you had your existing Dynamic PAT for all users already configured in the same format as the last configuration example, then you would have to add a line number to the NAT configuration like this:
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command, it will be at a lower priority and won't apply to the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be.
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA.
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
10-01-2013 08:12 AM
Thanks Jouni. I took your post and did a little more research on Cisco. To give you more information, I have all of our user Internet traffic Object NAT'd to a completely different public IP address so that is not an issue. Here is what I have configured for our mail servers:
object service SMTP
 service tcp destination eq smtp
object network excastx01
 host 10.0.0.2
object network excastx02
 host 10.0.0.3
object-group network EXCASTX-CLUSTER
 network-object object excastx01
 network-object object excastx02
! The object HOST-10.10.10.140 is referenced below but its definition was not
! included in the post; from the name and the rest of the post it must be:
object network HOST-10.10.10.140
 host 10.10.10.140
nat (inside,any) source dynamic EXCASTX-CLUSTER HOST-10.10.10.140 service SMTP SMTP
object network excas-virtual-IP-10.0.0.1
 ! the address line was also missing from the post; the ASA requires it before "nat"
 host 10.0.0.1
 nat (any,any) static HOST-10.10.10.140
Is this what I need? Just to recap... I have a static NAT configured for the "virtual cluster IP" so that we can receive email from the Internet. This static NAT will NAT anything inbound or outbound as 10.0.0.1 to 10.10.10.140. I have a policy NAT for the cluster servers native IP addresses so that sending email outbound (SMTP) will be NAT'd to 10.10.10.140. All other outbound network traffic from the cluster servers native IP addresses will be NAT'd to another Object NAT for the 10.0.0.0 subnet. I have not included details on that NAT configuration as it doesn't really apply.
Thanks,
Andrew
10-01-2013 08:49 AM
Hi,
Since you have an Auto NAT / Network Object NAT configured for all users' Dynamic PAT, my above example as such won't do the trick for you, and specifically for the reason I imagined: the existing Dynamic PAT would override my suggested Dynamic PAT for the mail servers. It would work only if the Dynamic PAT for all users was configured in the same format (NOT Auto NAT / Network Object NAT).
So it seems to me you will have to use the Dynamic Policy PAT that you have mentioned:
object service SMTP
 service tcp destination eq smtp
object network excastx01
 host 10.0.0.2
object network excastx02
 host 10.0.0.3
object-group network EXCASTX-CLUSTER
 network-object object excastx01
 network-object object excastx02
nat (inside,any) source dynamic EXCASTX-CLUSTER HOST-10.10.10.140 service SMTP SMTP
This is essentially a Section 1 Manual NAT / Twice NAT configuration, and it's a Dynamic Policy PAT. It's at the very top of the NAT rules/configurations to be matched, so it should override your normal Dynamic PAT configuration with regards to SMTP traffic.
I am not sure if you will really need to specify the destination interface as "any". Also, the Static NAT command's "any,any" seems a bit weird.
I would have personally configured the situation in the way I suggested but there probably is no real reason to change your current setup as the above configuration will also achieve what you are looking for.
- Jouni
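The crux of both of Jouni's replies is the order in which the ASA walks its NAT table: Section 1 (Manual NAT entered without "after-auto"), then Section 2 (Network Object NAT, static before dynamic, fewest real addresses first), then Section 3 (Manual NAT entered with "after-auto"), first match wins. The following Python is an added illustration of that ordering; it is my own toy model, not ASA configuration and not code from anyone in this thread, and it leaves out interface matching, destination NAT and DNS rewrite. It replays the three situations discussed: Jouni's first suggestion with both PATs as after-auto rules, the same after-auto rule when the users' PAT is Object NAT (Andrew's real setup, where it is never reached), and Andrew's Section 1 policy PAT on destination port 25. The users' public PAT address 10.10.10.150 is an assumption, since Andrew only says it is "a completely different public IP address"; the rule names are illustrative.

```python
"""Toy model of the Cisco ASA (8.3+) NAT table, added to illustrate the
ordering argument made in this thread.  It is not ASA code and not Cisco's
algorithm; it reduces lookup to three ordered sections with first match wins:

  Section 1  Manual (twice) NAT entered without "after-auto": configuration order
  Section 2  Network object (auto) NAT: static before dynamic, then fewest real
             addresses first, then lowest real address
  Section 3  Manual NAT entered with "after-auto": configuration order

Interface matching, destination NAT, DNS rewrite etc. are deliberately omitted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PUBLIC_MAIL = "10.10.10.140"   # the mail public address from the thread
PUBLIC_USERS = "10.10.10.150"  # assumed: the thread only says "a different public IP"
MAIL_HOSTS = ("10.0.0.1/32", "10.0.0.2/32", "10.0.0.3/32")


@dataclass(frozen=True)
class Rule:
    name: str
    section: int                    # 1, 2 or 3
    kind: str                       # "static" or "dynamic"
    reals: Tuple[str, ...]          # real source prefixes
    mapped: str                     # mapped (public) source address
    dst_port: Optional[int] = None  # policy element: match only this destination port
    order: int = 0                  # configuration order inside a manual-NAT section


def _sort_key(rule: Rule):
    """Sort rules the way the ASA evaluates them (see module docstring)."""
    if rule.section == 2:
        nets = [ip_network(p) for p in rule.reals]
        return (2, 0 if rule.kind == "static" else 1,
                sum(n.num_addresses for n in nets),
                min(int(n.network_address) for n in nets), 0, rule.name)
    return (rule.section, 0, 0, 0, rule.order, rule.name)


def translate(rules, src, dst_port):
    """Return (matching rule name, mapped source address); first match wins."""
    src_ip = ip_address(src)
    for rule in sorted(rules, key=_sort_key):
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if any(src_ip in ip_network(p) for p in rule.reals):
            return rule.name, rule.mapped
    return None, src   # no rule matched: address goes out untranslated


# Section 2 static NAT for the cluster VIP, present in every scenario
STATIC_VIP = Rule("object MAIL-SERVER static", 2, "static", ("10.0.0.1/32",), PUBLIC_MAIL)


def jouni_first_reply():
    """Both PATs are after-auto: the mail rule at line 1 wins over the catch-all."""
    rules = [
        STATIC_VIP,
        Rule("after-auto 1 MAIL-PAT-SOURCE", 3, "dynamic", MAIL_HOSTS, PUBLIC_MAIL, order=1),
        Rule("after-auto any interface", 3, "dynamic", ("0.0.0.0/0",), PUBLIC_USERS, order=2),
    ]
    return {src: translate(rules, src, 25)[1] for src in ("10.0.0.1", "10.0.0.2", "10.0.0.9")}


def object_pat_beats_after_auto():
    """Andrew's case: the users' PAT is object NAT (Section 2), so Jouni's
    after-auto rule (Section 3) is never reached for 10.0.0.2 and 10.0.0.3."""
    rules = [
        STATIC_VIP,
        Rule("object 10.0.0.0/24 dynamic", 2, "dynamic", ("10.0.0.0/24",), PUBLIC_USERS),
        Rule("after-auto 1 MAIL-PAT-SOURCE", 3, "dynamic", MAIL_HOSTS, PUBLIC_MAIL, order=1),
    ]
    return {src: translate(rules, src, 25)[1] for src in ("10.0.0.1", "10.0.0.2", "10.0.0.9")}


def section1_policy_pat():
    """Andrew's fix: a Section 1 policy PAT on destination port 25 is evaluated
    before the object NAT, so SMTP from the nodes uses the mail address while
    their other traffic still uses the users' PAT address."""
    rules = [
        Rule("EXCASTX-CLUSTER smtp", 1, "dynamic", ("10.0.0.2/32", "10.0.0.3/32"),
             PUBLIC_MAIL, dst_port=25, order=1),
        STATIC_VIP,
        Rule("object 10.0.0.0/24 dynamic", 2, "dynamic", ("10.0.0.0/24",), PUBLIC_USERS),
    ]
    return {(src, port): translate(rules, src, port)[1]
            for src in ("10.0.0.1", "10.0.0.2") for port in (25, 443)}


if __name__ == "__main__":
    for fn in (jouni_first_reply, object_pat_beats_after_auto, section1_policy_pat):
        print(fn.__name__)
        for key, mapped in fn().items():
            print("  ", key, "->", mapped)
```

On a real ASA the equivalent checks are `show nat` (the rules in evaluation order, with translate hit counts) and a packet-tracer run such as `packet-tracer input inside tcp 10.0.0.2 1025 203.0.113.10 25` (203.0.113.10 being an arbitrary documentation-range destination), which reports exactly which NAT rule a given flow matched.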
10-01-2013 10:16 AM
Jouni,
Ah. Not sure why I didn't see it at first. I get it now...
1. Static NAT the cluster virtual IP to the public IP.
2. Then just PAT the cluster servers to the same public IP.
3. Don't worry about any policy NAT. The only reason now to do a policy NAT would be if I only wanted SMTP traffic to go outbound to the same public IP from the cluster servers.
It's very simple. I just didn't understand what you were trying to portray in your initial post.
after-auto has to do with the processing of the NAT list. after-auto places the PAT rule after the Static NAT. I think this is where I was really getting hung up.
Your original posting had all the information that I needed, I just couldn't put it together in my head.
Thanks for your help on this!
Andrew