09-10-2014 08:02 AM - last edited on 02-21-2020 11:25 PM by cc_security_adm
I have the following topology:
mail server --- swcore --(inside) << >> ASA (outside) --- ISP border router
It should perform the following NAT for the mail server: 10.0.3.41 to 200.x.x.182.
I have the following configuration on the ASA:
object-group service SERVICES
service-object tcp-udp eq 7001
service-object tcp eq ssh
service-object tcp-udp eq 25
service-object tcp-udp eq 26
service-object tcp-udp eq 993
service-object tcp-udp eq 109
service-object tcp-udp eq 110
service-object tcp-udp eq 143
service-object tcp-udp eq 220
service-object tcp-udp eq 465
service-object tcp-udp eq 468
service-object tcp-udp eq 587
service-object tcp-udp eq 995
service-object tcp-udp eq www
service-object tcp-udp eq domain
service-object tcp-udp eq 8080
service-object tcp-udp eq 8443
service-object tcp eq https
service-object tcp-udp eq 135
service-object tcp eq 135
service-object tcp-udp eq 7777
service-object tcp-udp eq 8090
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object udp eq ntp
service-object tcp eq sqlnet
service-object tcp eq 3389
access-list outside extended permit object-group SERVICES any host 200.x.x.182
access-list inside extended permit object-group SERVICES host 10.0.3.41 any
access-group outside in interface outside
access-group inside in interface inside
static (inside,outside) tcp 200.x.x.182 smtp 10.0.3.41 smtp netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.0.0.0
A sniffer capture was taken on the interface from the core switch to the ASA inside interface, and SMTP packets are indeed received from 10.0.3.41, which is the mail server.
When you execute "sh nat" it tells you that .41 port 25 is matched to 200.x.x.182.
But when you check the headers of emails sent outside the domain, the IP address that appears is 200.x.x.178, which is the NAT used for the company's Internet access.
For some reason it is entering the NAT
global (outside) 1 interface
and I do not understand why, because I can see in "sh nat" that it matches the static NAT.
The border router does not perform any NAT function; in fact, executing "sh ip nat trans" displays nothing.
Thanks.
09-10-2014 08:51 AM
The static NAT only works for incoming SMTP, not for outgoing. If you want that all outbound traffic from the mailserver is NATted to .182, you should change your static to the following:
static (inside,outside) 200.x.x.182 10.0.3.41 netmask 255.255.255.255
This NAT-statement will work inbound and outbound.
09-10-2014 09:01 AM
But I can see the "sh nat":
match tcp inside host 10.0.3.41 eq 25 outside any
static translation to 200.x.x.182/25
translate_hits = 0, untranslate_hits = 26617
But when you check the headers of emails sent outside, the IP address that appears is 200.x.x.178 (the Internet NAT).
I just need the mail server's SMTP traffic to be NATed, because there are other servers using the same public IP address, so we perform PAT.
09-10-2014 09:15 AM
> But I can see the "sh nat":
You see the translation that is used for incoming SMTP. It is only defined for traffic where TCP/25 is on your side. When you send mail, TCP/25 is used as the destination-port and your local port is a random port-number. That won't match your static.
If you can't translate the IP completely for the mail-server, you can configure an extra dynamic PAT for the server:
nat (inside) 2 10.0.3.41 255.255.255.255
global (outside) 2 200.x.x.182
The NAT-ID "2" has to be a free ID in your remaining NAT-config.
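To make the matching logic in this thread concrete, here is an added Python model of the pre-8.3 ASA NAT lookup for the poster's mail-server case. It is illustrative code written for this thread, not ASA code: it models only static PAT, one-to-one static NAT and regular dynamic NAT/PAT (nat/global pairs), assumes statics are evaluated before dynamics and that among dynamic nat statements the most specific real-address match wins (as the 8.2 configuration guide documents), and uses 203.0.113.0/24 addresses as stand-ins for the thread's 200.x.x.182 and 200.x.x.178. The sample flows are constructed. It shows why the original static PAT gives untranslate_hits but zero translate_hits for outbound mail, and why either fix from the replies makes the server leave as .182 while other inside hosts still use the interface address.

```python
"""Model of the pre-8.3 ASA NAT lookup for the thread's mail-server case.

Illustrative example written for this thread; not ASA code. Statics are
checked before dynamics; among dynamic nat statements the longest-prefix
match on the real address wins. Public IPs are documentation-range stand-ins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPAT:
    """static (inside,outside) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT"""
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class StaticNAT:
    """static (inside,outside) MAPPED_IP REAL_IP netmask 255.255.255.255"""
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class DynamicPAT:
    """nat (inside) ID REAL_NET  +  global (outside) ID MAPPED_IP"""
    nat_id: int
    real_net: str
    mapped_ip: str


def translate_outbound(flow, statics, dynamics):
    """Inside->outside: return (matching rule, mapped source IP) or (None, None).

    A static PAT matches only when the inside host's OWN port is the configured
    real port, i.e. the host is the server side of the connection. An outbound
    SMTP client uses a random source port, so it falls through to dynamic NAT.
    """
    for rule in statics:
        if isinstance(rule, StaticPAT):
            if (flow.proto == rule.proto and flow.src == rule.real_ip
                    and flow.sport == rule.real_port):
                return rule, rule.mapped_ip
        elif isinstance(rule, StaticNAT) and flow.src == rule.real_ip:
            return rule, rule.mapped_ip
    # Regular dynamic NAT: best (longest-prefix) match on the real address.
    src = ip_address(flow.src)
    candidates = [r for r in dynamics if src in ip_network(r.real_net)]
    if not candidates:
        return None, None
    best = max(candidates, key=lambda r: ip_network(r.real_net).prefixlen)
    return best, best.mapped_ip


def untranslate_inbound(flow, statics):
    """Outside->inside: which static rule admits this flow, and to which real host."""
    for rule in statics:
        if isinstance(rule, StaticPAT):
            if (flow.proto == rule.proto and flow.dst == rule.mapped_ip
                    and flow.dport == rule.mapped_port):
                return rule, rule.real_ip
        elif isinstance(rule, StaticNAT) and flow.dst == rule.mapped_ip:
            return rule, rule.real_ip
    return None, None


MAIL = "10.0.3.41"
MAIL_PUBLIC = "203.0.113.182"  # stand-in for 200.x.x.182
OUTSIDE_IF = "203.0.113.178"   # stand-in for 200.x.x.178 (global 1 interface)

# The poster's original configuration.
ORIGINAL_STATICS = [StaticPAT("tcp", MAIL_PUBLIC, 25, MAIL, 25)]
ORIGINAL_DYNAMICS = [DynamicPAT(1, "10.0.0.0/8", OUTSIDE_IF)]
# Fix A (first reply): one-to-one static NAT for the whole host.
FIX_A_STATICS = [StaticNAT(MAIL_PUBLIC, MAIL)]
# Fix B (second reply): keep the static PAT, add a host-specific dynamic PAT.
FIX_B_DYNAMICS = ORIGINAL_DYNAMICS + [DynamicPAT(2, MAIL + "/32", MAIL_PUBLIC)]

# Constructed sample flows.
OUTBOUND_MAIL = Flow("tcp", MAIL, 51234, "198.51.100.25", 25)        # server sending mail
INBOUND_MAIL = Flow("tcp", "198.51.100.25", 40000, MAIL_PUBLIC, 25)  # remote MTA delivering
OTHER_HOST = Flow("tcp", "10.0.7.9", 51235, "198.51.100.80", 443)     # another inside host

if __name__ == "__main__":
    for label, statics, dynamics in [("original", ORIGINAL_STATICS, ORIGINAL_DYNAMICS),
                                     ("fix A", FIX_A_STATICS, ORIGINAL_DYNAMICS),
                                     ("fix B", ORIGINAL_STATICS, FIX_B_DYNAMICS)]:
        rule, mapped = translate_outbound(OUTBOUND_MAIL, statics, dynamics)
        print(f"{label}: outbound mail from {MAIL} leaves as {mapped} via {rule}")
```

Running it shows the original config sending outbound mail out as the interface address, which is exactly the .178 the poster sees in the headers, while inbound delivery to port 25 still untranslates to 10.0.3.41 (the untranslate_hits). With either fix the server leaves as the .182 address, and in fix B the other inside host still uses the interface PAT because the /8 is the only dynamic statement it matches.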