05-26-2014 12:52 PM - edited 03-11-2019 09:14 PM
Hi,
I have a 5515 ASA, with this configuration
outside interface
X.X.X.1/24
dmz interface
192.168.1.1/24
object network SMTP_SERVER
host 192.168.1.3
object network obj-X.X.X.2
host X.X.X.2
----
I would like to know if this NAT configuration:
object network SMTP_SERVER
nat (dmz,outside) static interface service tcp smtp smtp
is the same as this:
nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service 25 25
----
To my understanding, the first one is for "publishing a service to the internet": a host outside would be able to access the SMTP service on the host smtp_server in the DMZ... and the second config is for allowing the smtp_server to go outside with the IP obj-X.X.X.2...
Is my understanding ok? Or, at the end, do both configurations allow the same?
I am asking this because I have several servers on the DMZ segment that need to be accessed from the internet (outside); I assume I must create several objects and configurations like the first one.
Suppose the ACLs are permitting everything...
thanks for your help,
regards,
05-27-2014 04:54 AM
is my understanding ok?. or at the end both configurations allow the same,,
Basically the configuration will produce the same outcome, but there are a few differences. The first and most obvious is that your second statement will be translating the server IP to x.x.x.2 instead of x.x.x.1, which is your outside interface (as per your explanation above).
Second, and the most important to remember, is that the second NAT statement is what is referred to as manual NAT and will be executed before the object NAT and the after-auto NAT.
object nat:
object network SMTP_SERVER
nat (dmz,outside) static interface service tcp smtp smtp
manual nat:
nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service 25 25
So, even if you have a NAT statement in the object NAT (aka auto nat) or in the after-auto NAT that matches the SMTP-SERVER object and SMTP port, this will never match as it will be matched only on the manual NAT.
Just to add my opinion, I would put all NAT configuration in the auto-nat section and only have very specific NAT statements in the manual NAT section...for example twice NAT.
Hope I made that clear.
--
Please remember to select a correct answer and rate
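To make the ordering described in the reply above concrete, here is a small Python model of how the ASA walks its NAT table: section 1 (manual NAT) first, section 2 (object/auto NAT) second, section 3 (after-auto manual NAT) last, and the first matching rule wins. This is an added example, not code from the thread and not Cisco's implementation. It uses the OP's two rules with the OP's placeholder addresses X.X.X.1 and X.X.X.2 kept as literal strings; the sample packets and the 203.0.113.10 internet host are constructed inputs, and the section 2 tie-break is simplified to "static first, fewer real addresses first". It goes a little beyond the reply in two places: inbound traffic is matched on the mapped address, so when the two rules map to different outside addresses each still answers for its own, and a connection the server itself initiates from an ephemeral port matches neither rule's service clause.

```python
"""Toy model of Cisco ASA NAT table ordering (section 1 manual NAT, section 2
auto/object NAT, section 3 after-auto manual NAT). First matching rule wins.
Added example; not the ASA's implementation and not code from the thread.
X.X.X.1 / X.X.X.2 are the OP's redacted public IPs, kept as literal strings."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Interface addresses from the OP's configuration.
INTERFACE_IPS = {"outside": "X.X.X.1", "dmz": "192.168.1.1"}


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 = manual, 2 = auto (object), 3 = manual after-auto
    real_src: FrozenSet[str]         # real (DMZ-side) addresses the rule covers
    mapped_src: str                  # mapped address, or "interface" for the egress interface IP
    proto: Optional[str] = None      # service clause: protocol and the real host's port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    static: bool = True
    order: int = 0                   # configuration order within a manual section


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def mapped_address(rule: NatRule, outside_if: str) -> str:
    return INTERFACE_IPS[outside_if] if rule.mapped_src == "interface" else rule.mapped_src


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Sections are consulted 1, 2, 3. Manual sections keep configuration order;
    within section 2 static rules come first, then fewer real addresses
    (a simplification of the ASA's full tie-break list)."""
    def key(r: NatRule):
        if r.section == 2:
            return (2, 0 if r.static else 1, len(r.real_src), r.name)
        return (r.section, r.order, 0, "")
    return sorted(rules, key=key)


def outbound_lookup(rules, pkt, egress="outside") -> Optional[Tuple[str, str, int]]:
    """dmz -> outside: match on the real source; return (rule, mapped ip, mapped port)."""
    for r in ordered(rules):
        if pkt.src_ip not in r.real_src:
            continue
        if r.proto is not None and (r.proto != pkt.proto or r.real_port != pkt.src_port):
            continue
        mport = r.mapped_port if r.mapped_port is not None else pkt.src_port
        return r.name, mapped_address(r, egress), mport
    return None


def inbound_lookup(rules, pkt, ingress="outside") -> Optional[Tuple[str, str, int]]:
    """outside -> dmz: static NAT is bidirectional, so match on the mapped
    address/port and untranslate to the (single) real host."""
    for r in ordered(rules):
        if not r.static or len(r.real_src) != 1:
            continue
        if pkt.dst_ip != mapped_address(r, ingress):
            continue
        if r.proto is not None and (r.proto != pkt.proto or r.mapped_port != pkt.dst_port):
            continue
        real_port = r.real_port if r.real_port is not None else pkt.dst_port
        return r.name, next(iter(r.real_src)), real_port
    return None


# The two rules from the thread, placed in the sections the reply describes.
OBJECT_NAT = NatRule("object SMTP_SERVER: nat (dmz,outside) static interface service tcp smtp smtp",
                     section=2, real_src=frozenset({"192.168.1.3"}), mapped_src="interface",
                     proto="tcp", real_port=25, mapped_port=25)
MANUAL_NAT = NatRule("nat (dmz,outside) source static SMTP_SERVER obj-X.X.X.2 service 25 25",
                     section=1, real_src=frozenset({"192.168.1.3"}), mapped_src="X.X.X.2",
                     proto="tcp", real_port=25, mapped_port=25, order=1)

# Constructed sample packets; 203.0.113.10 is a documentation address standing in for an internet host.
SMTP_FROM_SERVER = Packet("192.168.1.3", 25, "203.0.113.10", 51000)       # server's side of an SMTP session
EPHEMERAL_FROM_SERVER = Packet("192.168.1.3", 40000, "203.0.113.10", 25)  # server initiating outbound SMTP
INBOUND_TO_X2 = Packet("203.0.113.10", 51000, "X.X.X.2", 25)
INBOUND_TO_X1 = Packet("203.0.113.10", 51000, "X.X.X.1", 25)

if __name__ == "__main__":
    for rules in ([OBJECT_NAT], [OBJECT_NAT, MANUAL_NAT]):
        print([r.section for r in ordered(rules)], outbound_lookup(rules, SMTP_FROM_SERVER))
    print(outbound_lookup([OBJECT_NAT, MANUAL_NAT], EPHEMERAL_FROM_SERVER))
    print(inbound_lookup([OBJECT_NAT, MANUAL_NAT], INBOUND_TO_X2))
    print(inbound_lookup([OBJECT_NAT, MANUAL_NAT], INBOUND_TO_X1))
```

With only the object rule, the server's port 25 traffic leaves as X.X.X.1 (the interface). Once the manual rule is added, the same traffic is translated to X.X.X.2 regardless of which rule was typed first, which is the shadowing the reply warns about.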
05-27-2014 07:09 AM
Hi,
Thanks for your time and explanation!!
For me it is clear; I only have one question, and it's about your opinion: why do you consider putting all NAT configuration in the auto-NAT section and only very specific NAT in the manual section?
For me it is easiest to configure NAT in the auto-NAT section, but that's me; maybe you have another reason for doing that. I hope you could share it with me.
regards,
05-28-2014 12:01 AM
Hi,
Well, the main reason for mainly using the auto NAT is that it is best practice. It is when you need to take the destination address into account that manual NAT comes into play. With manual NAT you can specify the destination address as well as translate the destination address if needed. Of course it is up to you if you prefer to use manual NAT rather than auto NAT; there is nothing wrong with doing that, but I feel troubleshooting becomes easier when they are separate. Keep the very complicated stuff in manual NAT and the rest in auto. But as I said, this all depends on what you are comfortable with and of course your company's policies.
--
Please remember to select a correct answer and rate
05-28-2014 07:18 AM
Hi,
Thanks for your help and for sharing your thoughts!!!
regards,