Static PAT

estelamathew
Level 2

Hello,

I have a problem with static PAT: when I specify two ports, HTTPS and SMTP, for 2 different servers with 1 public IP, it doesn't work for SMTP; it only works for HTTPS.

Below are the commands:

static (DMZ1,outside) tcp X.154.25.X https 172.16.1.5 https netmask 255.255.255.255
static (DMZ1,outside) tcp X.154.25.X smtp 172.16.1.2 smtp netmask 255.255.255.255

access-list outside permit ip any any

access-group outside in  interface outside

IOS version is 8.2(1)

Thanks,

15 Replies

Hi,

The port forwarding should work for almost any TCP application.

One thing that you can do to check if the SMTP traffic is reaching the ASA is to create an ACL.

clear config access-list outside

access-list outside permit tcp any host x.x.x.x eq 80

access-list outside permit tcp any host x.x.x.x eq 25

access-list outside permit ip any any

access-group outside in interface outside

In this way, when sending SMTP traffic, you should see hit counts on the ACL (show access-list outside).

Hope it helps.

Federico.

Hello Federico,

When I use

static (DMZ1,outside) X.154.250.X 172.16.1.2 netmask 255.255.255.255

it works fine, but when I change to using 1 public IP with different ports it doesn't work. Mails are flowing very well with the above command; I don't think I need to create an access-list.

Thanks

Estela,

When you use the static command without ports you are redirecting all IP traffic from the public IP to the private one and vice versa.

When you're doing TCP ports, then only that single port is being redirected.

I would say that the reason it won't work when specifying SMTP to be redirected is that the traffic is not coming on port 25, or other ports are required for the communication to work.

You can do any of this:

You can check the logs on the ASA to see which ports are being used for this communication and redirect those ports (add them to the static PAT), so that it will work.

You can capture the packets from the remote IP to the public IP to check the ports used.

You can create a deny ip host x.x.x.x to see which ports are being denied.

Federico.

Hello Federico,

As you mentioned, how can I do the below?

Can capture the packets from the remote IP to the public IP to check the ports used.

Can create a deny ip host x.x.x.x to see which ports are being denied.

Thanks

Sure Estela,

This is what I'm saying.

Probably the easiest way to go is just enable logs:

logging on

logging buffered 7

Then, with the static 1-1 command in place, make the SMTP connection.

The logs will show which ports are used in the transaction.

I'm pretty sure that SMTP is indeed reaching the ASA and being redirected to the internal IP, but there's another required port not being forwarded, and that's why it does not work.

For the ACL:

access-list outside deny ip any any log

This will log all packets for a moment (be aware that this will break all communication through the ASA; you should have console access to do this, to be on the safe side, and traffic will be interrupted).

The "show log" will show the transactions being denied.

For the capture:

capture SMTP interface outside match tcp host SOURCE_IP host PUBLIC_IP

Where SOURCE_IP is the IP where the SMTP connection originates and PUBLIC_IP is the public IP on the static NAT.

Federico.

For the ACL you could be more specific, to avoid breaking anything unrelated.

Instead of:

access-list outside deny ip any any log

Can do:

access-list outside deny ip any host PUBLIC_IP log

Federico.

Hello Federico,

Very nice explanation, I will apply it tomorrow and reply.

I hope the below can also help.

access-list abc permit tcp any any

capture cpz access-list abc interface DMZ

Thanks

Hello Federico,

Public IP is 85.154.250.45

Real IP is 172.16.1.2

1) I have applied the below command for the DMZ1 interface, where the mail server is connected on the DMZ, and the attached file named "DMZ1" belongs to this capture.

    capture cde interface DMZ1 match tcp host 172.16.1.2 any

I have applied the below command for the outside interface, where traffic is hitting for the mail server, and the 2 attached files named OUTSIDE belong to this capture.

    capture abc interface outside match tcp any host 85.154.250.45

2) Also I tried access-list outside deny ip any any and captured the logging.

Please have a look at the attached files and please suggest.

3) Federico, if you say that there must be some port allowed along with SMTP, then how is it working with the below command with only SMTP allowed in the outside access-list?

     static (DMZ1,outside) 85.154.250.45 172.16.1.2 netmask 255.255.255.255

Thanks

Hello,

Any hints, friends? I am waiting for the experts' suggestions.

Thanks

Hi,

When redirecting just port TCP/25, do you see any syslogs for dropped packets on the ASA? I am unable to open the attachment, so apologies if I am asking something already in there.

Thanks and Regards,

Prapanch

Hello Prapanch,

Attached are the logs!

Thanks.

Estela,

The logs show the following:

  Dec 19 2010 20:53:09: %ASA-4-106023: Deny tcp src outside:85.158.139.163/21716 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
  Dec 19 2010 20:54:09: %ASA-4-106023: Deny tcp src outside:85.158.139.163/22427 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
  Dec 19 2010 20:57:57: %ASA-4-106023: Deny tcp src outside:85.158.139.211/35721 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
  Dec 19 2010 20:58:20: %ASA-4-106023: Deny tcp src outside:85.158.143.51/32943 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
  Dec 19 2010 20:58:32: %ASA-4-106023: Deny tcp src outside:85.158.143.51/33255 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"

It seems that the flow is not allowed in acl-outside. 443 isn't allowed either.

%ASA-4-106023: Deny tcp src outside:82.178.104.237/46502 dst DMZ1:85.154.250.45/443 by access-group "acl-outside"

Make sure the acl has permission.

conf t

access-list acl-outside line 1 permit tcp any host 85.154.250.45 eq 443

access-list acl-outside line 2 permit tcp any host 85.154.250.45 eq 25

Try again and let us know.

-KS
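
An added example (not part of the thread, and not Cisco code) of doing by script what KS did by eye above, and what Federico's "deny ip any host PUBLIC_IP log" plus "show log" approach produces at scale: parse the %ASA-4-106023 deny messages, count them per destination port and access-group, and emit the permit ACEs only for ports that are intentionally published. The deny lines show the ACL being matched against the mapped (public) address 85.154.250.45 on the DMZ1 side, which is how ASA 8.2 evaluates interface ACLs (8.3 and later use the real address), so the generated permits reference the public IP, as KS's two lines do. Assumptions: the PUBLISHED set (TCP/25 and TCP/443 on 85.154.250.45, matching the static PAT lines in the thread), and the sample log, which reuses the deny lines quoted above and adds two constructed lines (a TCP/3389 probe and a 302013 "Built" message) to show that scan noise is not turned into a permit and non-deny lines are ignored.

```python
import re
from collections import Counter

# Shape of the ASA 106023 "Deny ... by access-group" message as quoted in the thread.
# re.search() is used so a leading "Dec 19 2010 20:53:09: " timestamp does not matter.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: the six deny lines quoted by KS (the 443 line given a made-up
# timestamp), plus two invented lines: a TCP/3389 probe against the same public IP
# and a 302013 "Built" message, which the parser must ignore.
SAMPLE_LOG = """\
Dec 19 2010 20:53:09: %ASA-4-106023: Deny tcp src outside:85.158.139.163/21716 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
Dec 19 2010 20:54:09: %ASA-4-106023: Deny tcp src outside:85.158.139.163/22427 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
Dec 19 2010 20:57:57: %ASA-4-106023: Deny tcp src outside:85.158.139.211/35721 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
Dec 19 2010 20:58:20: %ASA-4-106023: Deny tcp src outside:85.158.143.51/32943 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
Dec 19 2010 20:58:32: %ASA-4-106023: Deny tcp src outside:85.158.143.51/33255 dst DMZ1:85.154.250.45/25 by access-group "acl-outside"
Dec 19 2010 21:01:10: %ASA-4-106023: Deny tcp src outside:82.178.104.237/46502 dst DMZ1:85.154.250.45/443 by access-group "acl-outside"
Dec 19 2010 21:02:44: %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst DMZ1:85.154.250.45/3389 by access-group "acl-outside"
Dec 19 2010 21:03:00: %ASA-6-302013: Built inbound TCP connection 12345 for outside:85.158.139.163/21800 (85.158.139.163/21800) to DMZ1:172.16.1.2/25 (85.154.250.45/25)
"""

# Services we intend to publish on the public IP (assumption for this example):
# TCP/25 -> 172.16.1.2 and TCP/443 -> 172.16.1.5 per the static PAT lines in the thread.
PUBLISHED = {("85.154.250.45", 25), ("85.154.250.45", 443)}


def parse_denies(lines):
    """Return one dict per 106023 deny message; every other syslog line is skipped."""
    denies = []
    for line in lines:
        m = DENY_RE.search(line)
        if m is None:
            continue
        d = m.groupdict()
        d["src_port"] = int(d["src_port"])
        d["dst_port"] = int(d["dst_port"])
        denies.append(d)
    return denies


def denies_by_target(denies):
    """Count denies per (acl, proto, dst_ip, dst_port): the 'which ports are being
    denied' view that 'show log' gives after a 'deny ip any host PUBLIC_IP log' ACE."""
    return Counter((d["acl"], d["proto"], d["dst_ip"], d["dst_port"]) for d in denies)


def suggest_permits(denies, published):
    """Emit ASA 8.2 ACEs, inserted at the top of the ACL so they precede any deny,
    only for denied targets that are intentionally published. In 8.2 the interface
    ACL is checked against the mapped (public) address, which is why the deny lines
    show dst 85.154.250.45 and why the permit references the public IP."""
    aces = []
    seen = set()
    for d in denies:
        key = (d["acl"], d["proto"], d["dst_ip"], d["dst_port"])
        if (d["dst_ip"], d["dst_port"]) not in published or key in seen:
            continue
        seen.add(key)
        aces.append(
            f'access-list {d["acl"]} line {len(aces) + 1} '
            f'permit {d["proto"]} any host {d["dst_ip"]} eq {d["dst_port"]}'
        )
    return aces


def unexpected_targets(denies, published):
    """Denied (dst_ip, dst_port) pairs that are NOT published: noise the deny-log
    approach also surfaces (scans, mistyped clients) and that must not be permitted."""
    return Counter(
        (d["dst_ip"], d["dst_port"])
        for d in denies
        if (d["dst_ip"], d["dst_port"]) not in published
    )


if __name__ == "__main__":
    found = parse_denies(SAMPLE_LOG.splitlines())
    for target, n in denies_by_target(found).most_common():
        print(f"{n:3d}  {target}")
    print("\n".join(suggest_permits(found, PUBLISHED)))
    print("unexpected:", dict(unexpected_targets(found, PUBLISHED)))
```

To use it on a real box, paste the output of "show log" (with "logging buffered 7" enabled, as Federico suggests) in place of SAMPLE_LOG. The PUBLISHED filter is the important part: a blanket "deny ... log" ACE records every probe that hits the public IP, and turning each denied port into a permit would open whatever a scanner happened to try.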

Hello Sankar,

Very lucky to see replies from all the experts up till now. Thanks.

As per Federico in the previous mail:

For the ACL:

access-list outside deny ip any any log

This will log all packets for a moment (be aware that this will break all communication through the ASA; you should have console access to do this, to be on the safe side, and traffic will be interrupted).

The "show log" will show the transactions being denied.

1. Sankar, I have done the above as per the hint by Federico. I have seen HTTPS and SMTP getting dropped when I deny everything on the outside access-list, BUT the goal is to figure out why it is not working with the below static PAT command, when SMTP is permitted in the access-list.


static (DMZ1,outside) tcp 85.154.250.45 smtp 172.16.1.2 smtp netmask 255.255.255.255

2) When I apply the below commands it works fine; even though HTTPS is blocked, the flow of mail is streaming.

static (DMZ1,outside) 85.154.250.45 172.16.1.2 netmask 255.255.255.255

access-list acl-outside extended permit tcp any host 85.154.250.45 eq smtp

Thanks

Estela,

This is very interesting.

Here is an action plan:

1. remove the static 1-1 nat if you have it

2. add both the static pat lines and make sure the outside acl has permission for both 25 and 443 before any denies.

3. clear local 172.16.1.2 and clear local  172.16.1.5

4. Now apply the following captures.

cap capin int dmz1 match tcp any host 172.16.1.2 eq 25

cap capin int dmz1 match tcp any host 172.16.1.5 eq 443

cap capout int outside match tcp any ho 85.154.250.45 eq 25

cap capout int outside match tcp any ho 85.154.250.45 eq 443

cap cap-asp type asp-drop all

5. Do your test from the outside and save all three captures

https://ip_address_of_asa/capture/capin/pcap

https://ip_address_of_asa/capture/capout/pcap

https://ip_address_of_asa/capture/cap-asp/pcap

Since the problem has been going on since Dec 18th, I'd suggest opening a TAC case and include sh tech, syslogs and all the captures.

-KS
