04-25-2013 09:35 AM - edited 03-11-2019 06:34 PM
I have a request to set up NAT for traffic outbound from a pair of internal Exchange servers.
Each sends from its own internal IP address and needs to NAT both to a single public IP.
If that was set up outbound, I don't see how incoming traffic to those servers could be handled.
04-25-2013 09:38 AM
Hi,
You could naturally use Dynamic PAT for the outbound translation.
For inbound traffic translation you could use Static PAT.
But naturally if you wanted both of the servers reachable by the same port from the Internet then you would hit a wall.
You didn't quite state what ports each server would need to be reachable through from the Internet?
- Jouni
04-25-2013 09:41 AM
Good question. They didn't say anything about owa so I need to ask. Doubt if it is just smtp.
04-25-2013 09:47 AM
Don't think it's going to work w/o an internal load balancer to present a single ip address.
Here's what they are allowing through now to the server
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
04-25-2013 09:54 AM
Hi,
If you need to forward those ports to both of the servers then I think that is not possible.
And somehow I think using different ports for the other server isn't really an option.
- Jouni
04-25-2013 10:24 AM
You can create a PAT translation from your internal host to the outside. So the ASA will use port address translation to send the traffic out; when a response from the outside is coming back, the ASA has a connection already open in the stateful table, so it will pass the traffic back to the internal host. PAT is unidirectional, which means that you can initiate a connection only from the internal hosts to the outside and not vice versa. If you need a host outside to initiate a connection with one of the internal hosts, it will be accomplished with a static one-to-one translation for each host, since this translation is bidirectional.
04-25-2013 10:38 AM
Hi,
I guess that is a quote from somewhere? But it doesn't really apply to this situation.
If you had for example a situation where you had to forward HTTP to one server and SMTP to one server and also wanted them to always use the same public IP address, whether the servers were connecting to "outside" or hosts were connecting to them from "outside", then you could have used this configuration:
global (outside) 100 1.2.3.4
nat (inside) 100 10.10.10.10
nat (inside) 100 10.10.10.11
static (inside,outside) tcp 1.2.3.4 80 10.10.10.10 80 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 10.10.10.11 25 netmask 255.255.255.255
The above text seems simply to refer to the general operation of the different NAT configuration types. Dynamic PAT enables connectivity from internal to external ONLY (+ naturally the return traffic). While Static NAT enables connection forming from either side. These can't be used together in the way you describe, since Static NAT overrides Dynamic PAT.
However, Static PAT and Dynamic PAT work together and don't rule each other out.
I am not 100% sure on the exact requirements of your NAT, but as I said, if you wanted to use one single public IP address for all the NAT purposes you would run into problems with forwarding the ports from external to internal: you would have to change the ports for the other server.
However, if it's just important for the servers to be visible from the same public IP address to the external network when they are initiating connections, and the IP address to which people would connect from external could be different for both servers, then the situation would naturally be totally different.
- Jouni
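The behaviour Jouni describes, modelled as an added example (not Jouni's config or Cisco code): one public IP carries dynamic PAT for outbound flows from both servers, per-port static PAT forwards inbound connections, and a second static PAT on the same public port is rejected. Addresses and ports are taken from the example config above; the port allocation is a simplification and is an assumption of the model.

```python
# Toy model of the ASA NAT behaviour discussed in the thread (added example).
from dataclasses import dataclass, field

PUBLIC_IP = "1.2.3.4"  # the single public IP from Jouni's example config


@dataclass
class NatTable:
    # static PAT entries: (public_ip, proto, public_port) -> (real_ip, real_port)
    static: dict = field(default_factory=dict)
    # dynamic PAT translations: (real_ip, real_port, proto) -> mapped public port
    xlate: dict = field(default_factory=dict)
    next_port: int = 1024  # simplified allocator (assumption, not ASA's real algorithm)

    def add_static_pat(self, public_port, real_ip, real_port, proto="tcp"):
        """Mirrors 'static (inside,outside) tcp 1.2.3.4 <pub> <real_ip> <port>'."""
        key = (PUBLIC_IP, proto, public_port)
        if key in self.static and self.static[key] != (real_ip, real_port):
            # The "wall": one public port can only be forwarded to one server.
            raise ValueError(
                f"{proto}/{public_port} on {PUBLIC_IP} already forwarded to "
                f"{self.static[key][0]}"
            )
        self.static[key] = (real_ip, real_port)

    def outbound(self, real_ip, real_port, proto="tcp"):
        """Dynamic PAT: an inside host initiates; source becomes PUBLIC_IP:<mapped>."""
        key = (real_ip, real_port, proto)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return (PUBLIC_IP, self.xlate[key])

    def inbound(self, public_port, proto="tcp"):
        """An outside host initiates: only a static PAT forwards it.
        Dynamic PAT translations never match a new inbound connection."""
        return self.static.get((PUBLIC_IP, proto, public_port))


def build_example():
    """Build Jouni's scenario: HTTP to one server, SMTP to the other."""
    nt = NatTable()
    nt.add_static_pat(80, "10.10.10.10", 80)
    nt.add_static_pat(25, "10.10.10.11", 25)
    return nt
```

Calling `build_example().add_static_pat(25, "10.10.10.10", 25)` raises `ValueError`, which is the conflict the thread runs into when both Exchange servers must be reachable on the same ports.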
04-25-2013 11:18 AM
The quote is from TAC as I opened a case with them from this thread. I appreciate your discussion. Thanks.