
Regarding NAT in ASA5505

mukundh86
Level 1

Hi all

I have an ASA 5505 and I have attached the configuration (with dummy public IPs) here.

I have a problem in regards to NATing. The requirement is that the ports for SMTP and HTTPS and port number 3389 should be statically NATed from 192.168.1.2 to 1.1.1.3, and it has been done as follows:

static (inside,outside) tcp 1.1.1.3 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 https 192.168.1.2 https netmask 255.255.255.255

But when someone tries to send a mail from the internal network, some domains are rejecting their mails, because those domains are doing a reverse lookup and find that the mail domain of the sender is pointed to 1.1.1.2, which is the outside interface of the firewall. I believe the static NATing is not functioning properly at all, as it should translate 192.168.1.2 to 1.1.1.3 for SMTP. Again, I have attached the whole configuration for your reference.

It would be great if someone helps me out with this.

3 Replies

Roman Rodichev
Level 7

That static NAT translates inbound traffic TO the SMTP port 25. When your mail server sends outbound mail, it doesn't hit that static NAT rule because it's coming from a non-SMTP ephemeral (>1024) port. What you also need to do is configure dynamic NAT for your mail server:

global (outside) 100 1.1.1.3

nat (inside) 100 192.168.1.2 255.255.255.255

The other option is to set up your domain's DNS SPF record to point to 1.1.1.2.

Regards,

Roman

Thank you Roman

I will try the commands you gave. Do I need to do a "clear xlate" to get the new translation up and running?

Also, out of curiosity, if I replace the three static statements with

static (inside,outside) 12.234.183.252 192.168.1.2 netmask 255.255.255.255

will it work with this change?

Thanks

Mukundh

Yes, you will need to do a "clear xlate". You can run it for a specific local IP of your mail server, "clear xlate local x.x.x.x"

Yes, good call; if you use that static NAT line instead, you will also reach your goal.
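The following Python model is an added illustration of why Roman's diagnosis and both fixes (the nat/global pair, and Mukundh's whole-address static) behave the way the replies say; it is not code from the thread or from Cisco. It mimics pre-8.3 ASA rule matching: statics are consulted first and a port static matches only on the real address and real port, otherwise the most specific nat/global pair applies. It assumes the unshown configuration contains a catch-all interface PAT (nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface) with the outside address 1.1.1.2, which is consistent with receivers seeing 1.1.1.2; the peer addresses in the sample flows are constructed from documentation ranges.

```python
"""Model of pre-8.3 ASA NAT matching for the thread's scenario (added example).
Assumption (not from the thread): the unshown config has a catch-all
interface PAT to the outside address 1.1.1.2. Peer addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "1.1.1.2"      # outside interface address named in the question
MAIL_SERVER = "192.168.1.2"

@dataclass
class Static:
    """static (inside,outside) [tcp MAPPED MPORT] REAL [RPORT] netmask 255.255.255.255"""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # None: whole-address static (all ports)
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

@dataclass
class Dynamic:
    """nat (inside) ID REAL_NET MASK paired with global (outside) ID MAPPED"""
    nat_id: int
    real_net: ipaddress.IPv4Network
    mapped_ip: str

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

def outbound_source(flow: Flow, statics: List[Static], dynamics: List[Dynamic]) -> Optional[str]:
    """Address an outside host sees as the source of an inside->outside flow.
    A port static only matches when the REAL source port equals its real_port,
    so mail sent from an ephemeral port never matches the smtp/smtp static.
    Otherwise the most specific (longest-prefix) nat/global pair applies;
    None means no rule matched and no translation is built."""
    for s in statics:
        if s.real_ip != flow.src_ip:
            continue
        if s.real_port is None or (s.proto == flow.proto and s.real_port == flow.src_port):
            return s.mapped_ip
    candidates = [d for d in dynamics if ipaddress.ip_address(flow.src_ip) in d.real_net]
    if not candidates:
        return None
    return max(candidates, key=lambda d: d.real_net.prefixlen).mapped_ip

def inbound_destination(flow: Flow, statics: List[Static]) -> Optional[str]:
    """Real inside host for an unsolicited outside->inside flow, or None when
    no static publishes that mapped address/port (the outside ACL must still
    permit the traffic; only the translation is modelled here)."""
    for s in statics:
        if s.mapped_ip != flow.dst_ip:
            continue
        if s.mapped_port is None or (s.proto == flow.proto and s.mapped_port == flow.dst_port):
            return s.real_ip
    return None

# The three port statics from the question, transcribed (smtp=25, https=443).
PORT_STATICS = [
    Static("1.1.1.3", MAIL_SERVER, "tcp", 3389, 3389),
    Static("1.1.1.3", MAIL_SERVER, "tcp", 25, 25),
    Static("1.1.1.3", MAIL_SERVER, "tcp", 443, 443),
]
# Assumed catch-all: nat (inside) 1 0.0.0.0 0.0.0.0 / global (outside) 1 interface
CATCH_ALL_PAT = Dynamic(1, ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_IF_IP)
# Roman's fix: global (outside) 100 1.1.1.3 / nat (inside) 100 192.168.1.2 255.255.255.255
MAIL_DYNAMIC = Dynamic(100, ipaddress.ip_network("192.168.1.2/32"), "1.1.1.3")
# Mukundh's alternative: one whole-address static for the mail server.
FULL_STATIC = [Static("1.1.1.3", MAIL_SERVER)]

# Constructed sample flows (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
OUTBOUND_SMTP = Flow(MAIL_SERVER, 51234, "203.0.113.10", 25)   # ephemeral source port
INBOUND_SMTP = Flow("198.51.100.5", 40000, "1.1.1.3", 25)
INBOUND_SSH = Flow("198.51.100.5", 40001, "1.1.1.3", 22)        # port with no port static

def before_fix() -> Optional[str]:
    return outbound_source(OUTBOUND_SMTP, PORT_STATICS, [CATCH_ALL_PAT])

def after_dynamic_fix() -> Optional[str]:
    return outbound_source(OUTBOUND_SMTP, PORT_STATICS, [CATCH_ALL_PAT, MAIL_DYNAMIC])

def after_full_static() -> Optional[str]:
    return outbound_source(OUTBOUND_SMTP, FULL_STATIC, [CATCH_ALL_PAT])

def inbound_results(statics: List[Static]) -> Tuple[Optional[str], Optional[str]]:
    return (inbound_destination(INBOUND_SMTP, statics), inbound_destination(INBOUND_SSH, statics))

if __name__ == "__main__":
    print("outbound mail seen from:", before_fix(), "->", after_dynamic_fix(), "->", after_full_static())
    print("inbound with port statics:", inbound_results(PORT_STATICS))
    print("inbound with full static :", inbound_results(FULL_STATIC))
```

Two practical points the model makes visible: the whole-address static publishes every port of 192.168.1.2 on 1.1.1.3, so with that variant the outside access-list, not the NAT rule, is what limits which ports are reachable from the internet; and the model has no state, whereas a real ASA keeps existing translations in the xlate table, which is why the new rule only takes effect for the mail server after "clear xlate local 192.168.1.2".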
