NAT OUT EXCHANGE SERVER

Jesutofunmi O
Level 1

Hello Guys, 

 

I have two IPs from my ISP. Only one is working now, connected to the outside interface of my ASA. I have tried to configure a static NAT to my Exchange server, all to no avail. I tried it with a web server and it worked just fine. How do I NAT out an Exchange server with an ASA 5515-X firewall?

Accepted Solution

For you to achieve what you want you need three NAT statements, which you have.

However, what you have done is use the same statements for the same network object, which is effectively just changing it (as you found).

You would need three network objects, i.e. Exchange443 etc.

Then create those statements using the respective service, so port 443 (HTTPS) in this example.

Network objects are always used within the ASA, the reason being that a change on an object will change it everywhere it's used.

Martin

 

 


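A worked version of the approach in the accepted solution, added here as an illustration and not taken from any post in the thread. It uses post-8.3 object NAT syntax, interfaces named `inside` and `outside`, and assumed placeholder addresses (10.0.0.25 for the real Exchange address, 203.0.113.10 for the public one, standing in for the thread's 1.1.1.2 and 172.16.x.x). It publishes only SMTP, HTTPS and submission; any other port you really need follows the same pattern. Each service gets its own network object because the ASA keeps exactly one `nat` line per network object, so a second `nat ... service` entered under the same object replaces the first, which is the overwrite the original poster described.

```cisco
! Added example, not from the thread. Addresses and object names are assumed placeholders.
! One network object per published service: object NAT allows a single nat line per object,
! so a second "nat ... service" under the same object replaces the first.
object network EXCH_SMTP
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.10 service tcp smtp smtp
!
object network EXCH_HTTPS
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.10 service tcp https https
!
! Same pattern for submission; 587 has no port keyword on the ASA, so use the number.
object network EXCH_SUBMISSION
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.10 service tcp 587 587
!
! Post-8.3 access rules match the REAL (untranslated) address, so reference the
! inside objects, and permit only the ports that are actually published.
access-list OUTSIDE_IN extended permit tcp any object EXCH_SMTP eq smtp
access-list OUTSIDE_IN extended permit tcp any object EXCH_HTTPS eq https
access-list OUTSIDE_IN extended permit tcp any object EXCH_SUBMISSION eq 587
access-group OUTSIDE_IN in interface outside
!
! Verification, typed interactively rather than saved in the config:
!   show run nat            - one static PAT line per object should be present
!   show nat detail         - hit counts per translation
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 443
!     the NAT phase should un-translate 203.0.113.10/443 to 10.0.0.25/443
!     and the final result should be ALLOW
```

Two checks worth making before blaming the NAT: the interface names inside `nat (…,…)` must match the `nameif` exactly and are case-sensitive (the thread shows both `INSIDE` and `inside`), and an access-list entry for a port that has no matching `nat ... service` line, such as `eq 25` without an SMTP translation, permits nothing useful because there is no translation for that port to hit. Every port published this way is reachable from the whole internet, so leave the plaintext POP3/IMAP ports out unless you really need them.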
20 Replies

Hello

static nat (inside,outside) pubilc ip private ip netmask 255.255.255.255

or

static nat (inside,outside) tcp (public ip) http ( private ip) http 255.255.255.255

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

 

in addition to Paul's post, make sure you have TCP ports 80/110/143/443/587/993/995 in your access list and in your NAT statements. Also, if you are using after-auto, make sure the static NAT entry is the first one.

 

Best to post your full config so we can check if anything is missing...

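An added illustration of the "after-auto" ordering point above, not taken from the thread. It applies only if the Exchange translation is written as manual (twice) NAT in the after-auto section rather than as object NAT; object NAT is always evaluated before the after-auto section, so the object approach does not have this problem. With the catch-all dynamic PAT listed first, the server's own outbound connections would be translated to the interface address instead of its published one. The addresses and object names are assumed placeholders (10.0.0.25 real, 203.0.113.10 mapped, interfaces `inside` and `outside`).

```cisco
! Added example, not from the thread. Addresses and object names are assumed placeholders.
object network EXCH_REAL
 host 10.0.0.25
object network EXCH_PUBLIC
 host 203.0.113.10
!
! In manual NAT the service object names the REAL host's port as the SOURCE port,
! because the server is the source side of a "source static" mapping.
object service EXCH_SMTP_PORT
 service tcp source eq smtp
object service EXCH_HTTPS_PORT
 service tcp source eq https
!
! The after-auto section is evaluated top-down: give the static entries explicit
! line numbers so they sit above the catch-all dynamic PAT.
nat (inside,outside) after-auto 1 source static EXCH_REAL EXCH_PUBLIC service EXCH_SMTP_PORT EXCH_SMTP_PORT
nat (inside,outside) after-auto 2 source static EXCH_REAL EXCH_PUBLIC service EXCH_HTTPS_PORT EXCH_HTTPS_PORT
nat (inside,outside) after-auto source dynamic any interface
!
! Check the resulting order with "show nat": the two static lines must appear
! before the dynamic PAT within the after-auto section.
```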
Hello Paul and Georg, 

 

Thanks for the response. This is the config for the NAT;

 

 

object network Exchange_Server
nat (INSIDE,outside) static 1.1.1.2 service tcp 25 25
access-group ExchangeServerOutsideIn in interface outside

 

access-list ExchangeServerOutsideIn extended permit tcp any host  172.16.x.x 

Georg, 

 

If I am correct, what you are saying to do is this;

access-list ExchangeServerOutsideIn extended permit tcp any host  172.16.x.x eq 25

access-list ExchangeServerOutsideIn extended permit tcp any host  172.16.x.x eq 110

access-list ExchangeServerOutsideIn extended permit tcp any host  172.16.x.x eq 443 

etc.

 

And for the NAT statement 

 

nat (INSIDE,outside) static 1.1.1.2 service tcp 25

nat (INSIDE,outside) static 1.1.1.2 service tcp 443

nat (INSIDE,outside) static 1.1.1.2 service tcp 110

etc.

 

Will I need to specify destination port too as in;

nat (INSIDE,outside) static 1.1.1.2 service tcp 25 25

nat (INSIDE,outside) static 1.1.1.2 service tcp 443 443

Paul, 

Are you saying to do this please?

Public IP: 172.16.x.x

Private IP: 1.1.1.2

 

Hello

static nat (inside,outside) 1.1.1.2 172.16.x.x netmask 255.255.255.255

or

static nat (inside,outside) tcp 1.1.1.2 http 1.1.1.2 http 255.255.255.255

 

1. The address is accessible via https not HTTP. 

2. Netmask of private IP is 255.255.255.0

 

What do you say please?

Hello,

 

post the FULL configuration of your ASA...

Hi, 

 

Please find attached.

 

Hello,

 

the below should work. The access list needs to permit the real, not the translated address. For the sake of simplicity, I added network objects instead of host addresses:

 

object network inside_host
host 1.1.1.2
nat (inside,outside) static exchange_server service tcp www www
nat (inside,outside) static exchange_server service tcp pop3 pop3
nat (inside,outside) static exchange_server service tcp https https
!
object network exchange_server
host 172.16.x.x
!
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 25
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 110
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 443
!
access-group ExchangeServerOutsideIn in interface outside

Hello Georg and Paul, 

 

I will do as advised and feedback accordingly. 

 

Jesutofunmi

Hello

The netmask would be 255.255.255.255 only if it is a static host-to-host mapping.

 

HTTP was only an example of Port address translation - depending on  what actual port you want to access the exchange server via.



Kind Regards
Paul

Martin Carr
Level 4

Paul has answered what you have asked.

However, I would add that allowing anyone to connect to those services greatly increases your attack surface; you would also need an anti-spam solution.

If in budget (or could be budgeted for) I would recommend a smarthost, deployed in a DMZ or SaaS based.

Martin 

 

Hey Guys, 

 

So, I have done the configuration below and yet, no show. I initially thought my IP was the problem so I NAT'ed out one of my Webservers on a particular port and voila, just once, I could access it from the internet. Never even thought NAT-ting out Exchange will bring me here. Whichever ways, I am here and I'm yearning for a solution. I might eventually just DMZ it. 

 

object network inside_host
host 1.1.1.2
nat (inside,outside) static exchange_server service tcp www www
nat (inside,outside) static exchange_server service tcp pop3 pop3
nat (inside,outside) static exchange_server service tcp https https
!
object network exchange_server
host 172.16.x.x
!
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 25
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 110
access-list ExchangeServerOutsideIn extended permit tcp any object inside_host eq 443
!
access-group ExchangeServerOutsideIn in interface outside

 

one of the issues with this line: *nat (inside,outside) static exchange_server service tcp https https*  
is that it does not accept multiple protocols. For instance, if I try to add another NAT statement and use Pop3, it will remove HTTPs and replace it with POP3.

 

Paul, 

 

Sorry if I come off a bit slow but I do not understand how to use this line

static nat (inside,outside) tcp (public ip) http ( private ip) http 255.255.255.255

 

Does it come in the body of an "object network"?
I have tried the command and the error is "unrecognized command".
My full config is still attached up there somewhere; please review and advise. For clarity's sake, please break down your config.

That will be the case.

The way I do this is by creating individual network objects for the same network object and then NAT each one for the respective service, obviously each one will have to have a different (meaningful) name.

Re your command query, that syntax is incorrect.

 

Martin 

 

 

 

Hey Martin, 

I work with objects too. Easier working with them. Which syntax do you say is incorrect? 
What's correct please?
