Port Hiding (NAT) with ASA

Ayhan Guec
Level 1

Hello,

I am struggling with solving the following scenario:

I have a mail server in a DMZ network with a private address, e.g. 192.168.0.1, and a public address, e.g. 1.1.1.1.

I want to accomplish that the mail server sends mail out on port 25, but receives mail on port 50025.

The communication flow should be:

Sending email: 192.168.0.1:25 (inside) --> translate to --> 1.1.1.1:25 (outside) 

Receiving email: 1.1.1.1:25 --> translate to --> 192.168.0.1:50025

My problem is that I am not allowed to open port tcp/50025 in the outside interface ACL.

My ACL on outside interface looks like this:

access-list outside_access_in line 1 extended permit tcp any object 192.168.0.1 eq smtp 

I've written 2 unidirectional NAT statements:

For incoming traffic:

nat (outside,inside) 2 source static any any destination static 1.1.1.1 192.168.0.1 service tcp/25 tcp/50025 unidirectional

For outgoing traffic:

nat (inside,outside) 3 source static 192.168.0.1 1.1.1.1 service tcp/25 tcp/25 unidirectional

When writing these rules I get a warning that the rule overlaps with an existing static NAT in Section 1, rule 3. I think this is due to asymmetric NAT.

But with packet-tracer it seems to work if I open port 50025 in the outside ACL, so I assume the ASA performs the NAT operations first, before dispatching the packet.

Is it possible to achieve my goal of sending email out on port 25 and receiving it globally on port 25, which is internally translated to tcp/50025? So that only port tcp/25 is opened in the outside interface ACL?

Thank you for your support and ideas 



Hi Ayhan Guec,

You only need to open port 50025 for your internal IP (192.168.0.1) in your outside ACL. Outgoing mail will work according to the security level, but for incoming mail you need to allow traffic to the real port (50025) and real IP (192.168.0.1). Otherwise your configuration looks good.

Spooster IT Services Team

Hi Spooster IT Services,

Thank you very much for your reply. But that's my problem: I am not allowed to open port 50025 on the outside ACL (company policy).

From the view of the outside world only port 25 has to be open for 192.168.0.1. But internally the server expects connections on port 50025.

Do you understand my problem?

Best Regards

Ayhan

For the outside world, only port 25 is allowed for your public IP 1.1.1.1. If traffic is received for 1.1.1.1:50025 then the ASA simply drops the traffic. So only port 25 is allowed for your public IP from outside.

Spooster IT Services Team

That's correct :)

The outside world communicates with 1.1.1.1:25.

But the server inside expects 192.168.0.1:50025.

NAT operations take place before the packet is dispatched from the outside interface to the DMZ interface. So I have to open port 50025 on the outside ACL in my current configuration. But this is prohibited to me :(

Problem solved:

I didn't notice that there was also an object NAT on the private address which automatically opens the port on the global address on the outside interface.

After deleting the object NAT from 192.168.0.1 to 1.1.1.1 I can add port 50025 to my outside ACL, and the global address 1.1.1.1 is only reachable through port 25 and not 50025.
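As an added illustration of the order of operations that resolves this thread (this is a model written for this page, not code from the thread or from Cisco), the Python below un-NATs an inbound packet first and only then checks the outside ACL against the real IP and port. The NAT table and ACL are constructed from the values in the question; the extra object NAT stands in for the rule the poster had forgotten about.

```python
# Added example (not from the thread): a small model of the ASA 8.3+ inbound
# order of operations. An inbound packet is first un-NATed (destination IP/port
# mapped back to the real values; Section 1 twice NAT is consulted before
# Section 2 object NAT), and only then checked against the outside ACL, which
# therefore has to name the real IP and real port.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    section: int                 # 1 = twice NAT (manual), 2 = object NAT (auto)
    mapped_ip: str
    real_ip: str
    mapped_port: Optional[int]   # None = every port (plain static object NAT)
    real_port: Optional[int]

def untranslate(rules, dst_ip, dst_port):
    """(real_ip, real_port) for an inbound flow, or None if no rule matches."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.mapped_ip != dst_ip:
            continue
        if rule.mapped_port is None:
            return rule.real_ip, dst_port          # port carried through unchanged
        if rule.mapped_port == dst_port:
            return rule.real_ip, rule.real_port
    return None

def inbound_allowed(rules, acl, dst_ip, dst_port):
    """No NAT match -> dropped; otherwise the ACL is checked on real IP/port."""
    real = untranslate(rules, dst_ip, dst_port)
    return real is not None and real in acl

# Twice NAT from the question: 1.1.1.1:25 -> 192.168.0.1:50025 (Section 1)
TWICE_NAT = NatRule(1, "1.1.1.1", "192.168.0.1", 25, 50025)
# The forgotten object NAT: 192.168.0.1 <-> 1.1.1.1 on every port (Section 2)
OBJECT_NAT = NatRule(2, "1.1.1.1", "192.168.0.1", None, None)
# Outside ACL as the accepted solution ends up: real IP and real port 50025
ACL = {("192.168.0.1", 50025)}

def reachable_ports(rules, probe_ports=(25, 50025)):
    """Which public ports on 1.1.1.1 reach the server under a given rule set."""
    return {p: inbound_allowed(rules, ACL, "1.1.1.1", p) for p in probe_ports}

def with_object_nat():
    return reachable_ports([TWICE_NAT, OBJECT_NAT])   # 50025 leaks through

def without_object_nat():
    return reachable_ports([TWICE_NAT])               # only port 25 reaches
```

With the object NAT in place, 1.1.1.1:50025 is un-NATed to 192.168.0.1:50025 and then permitted by the very ACL entry the solution needed, which is the exposure the poster saw; removing it leaves no rule for that port, so the packet is dropped before the ACL is consulted.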
