NAT/PAT - SMTP IP address

Jesserony
Level 1

We are attempting to perform PAT on two servers. One server is to have http/https access from the outside, the other, SMTP. A requirement for the SMTP server is that its IP address on outgoing mail needs to be that of the outside IP it is NAT’d to. However, this is not happening when we apply a standard static NAT/PAT configuration.

This configuration was initially requested for server ADFS-lab (http/https) and Exch01-Test (SMTP) to be translated to outside IP x.x.x.42. It was not working at all using static NAT, and after posting on the Cisco community forums asking for initial advice, it was suggested to use object NAT rather than static NAT.

Doing it this way only appears to work when ADFS-Lab is PAT’d for http/https, and Exch01-Test is PAT’d for Any (instead of SMTP, as we would think). If we don’t PAT Exch01 for Any service, the IP the email is sent from is x.x.x.41, while it needs to be x.x.x.42.

The other problem with this is that NAT rules are processed in sequence, and it is nearly impossible to control the sequence when using object NAT.

As of right now the above is working, but using object NAT, and Any service for Exch01-Test, is suboptimal.

Does anyone know the proper way to do this?

Working config with object NAT rules:

object network Server_Exch_ADFS_Outside
host x.x.x.42
object network Server_Exch01-Test
host 192.168.154.175


object service https
service tcp destination eq https
object service http
service tcp destination eq www
object service SMTP
service tcp source eq smtp destination eq smtp
object network Server_ADFS-LAB-TCP80
host 192.168.153.206
object network Server_ADFS-LAB-TCP443
host 192.168.153.206


nat (inside,outside) source static Server_IPSearch-Test Server_IPSearch-Test-Outside
nat (inside,outside) source static Server_Web02-Test Server_Web02-Test-Outside
nat (inside,outside) source static Server_Web01-Test Server_Web01-Test-Outside
nat (inside,outside) source static Test-Minneapolis Test-Minneapolis destination static vpn_clients vpn_clients no-proxy-arp route-lookup
!
object network Server_Exch01-Test
nat (any,any) static Server_Exch_ADFS_Outside
object network Server_ADFS-LAB-TCP80
nat (inside,outside) static Server_Exch_ADFS_Outside service tcp www www
object network Server_ADFS-LAB-TCP443
nat (inside,outside) static Server_Exch_ADFS_Outside service tcp https https
!
nat (inside,outside) after-auto source dynamic any interface
nat (guest,outside) after-auto source dynamic any interface
Accepted Solution

Hello,

Have you tried the below?

object network ADFS-HTTP
host 192.168.153.206
nat (inside,outside) static x.x.x.42 service tcp 80 80
!
object network ADFS-HTTPS
host 192.168.153.206
nat (inside,outside) static x.x.x.42 service tcp 443 443
!
object network EXCH-SMTP
host 192.168.154.175
nat (inside,outside) static x.x.x.42 service tcp 25 25


4 Replies

Thanks Georg, I gave that a try this morning with a new PAT request. I know the web server is working and the ACLs in place are working; if I configure the web server with a manual NAT for service Any, I am able to access it from the outside.

 

object network WEB01-TEST-HTTP
host 192.168.154.173
nat (inside,outside) static x.x.x.43 service tcp 80 80
!
object network WEB01-TEST-HTTPS
host 192.168.154.173
nat (inside,outside) static x.x.x.43 service tcp 443 443
!
object network EXCH01-CL-SMTP
host 192.168.153.175
nat (inside,outside) static x.x.x.43 service tcp 25 25


and it still does not work... Below is the result of "show nat" with the above added. The newly added objects are in red; the existing and currently working setup for the other set of servers mentioned in the original post is in green.

MN-ITP-ASA# sho nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Server_IPSearch-Test Server_IPSearch-Test-Outside
    translate_hits = 4179, untranslate_hits = 17557
2 (inside) to (outside) source static Server_Web02-Test Server_Web02-Test-Outside
    translate_hits = 56171, untranslate_hits = 19071
3 (inside) to (outside) source static Server_Web01-Test Server_Web01-Test-Outside inactive
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static Test-Minneapolis Test-Minneapolis destination static vpn_clients vpn_clients no-proxy-arp route-lookup
    translate_hits = 101990, untranslate_hits = 102374
5 (inside) to (outside) source static Server_Exch01-CL Server_Exch01CL-Web01-Test-Outside inactive
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static Server_Web01-Test Server_Exch01CL-Web01-Test-Outside service TCP443 TCP443 inactive
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static EXCH01-CL-SMTP x.x.x.43 service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static Server_ADFS-LAB-TCP443 Server_Exch_ADFS_Outside service tcp https https
    translate_hits = 0, untranslate_hits = 15867
3 (inside) to (outside) source static Server_ADFS-LAB-TCP80 Server_Exch_ADFS_Outside service tcp www www
    translate_hits = 0, untranslate_hits = 2569
4 (inside) to (outside) source static WEB01-TEST-HTTP x.x.x.43 service tcp www www
    translate_hits = 0, untranslate_hits = 11
5 (inside) to (outside) source static WEB01-TEST-HTTPS x.x.x.43 service tcp https https
    translate_hits = 0, untranslate_hits = 69
6 (any) to (any) source static Server_Exch01-Test Server_Exch_ADFS_Outside
    translate_hits = 5078, untranslate_hits = 20282

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 124099, untranslate_hits = 14042
2 (guest) to (outside) source dynamic any interface
    translate_hits = 18073, untranslate_hits = 4184


Hello,

Odd. What if you remove all NAT statements and leave just the three I suggested?

Hi Georg,

We got it figured out: turns out my home ISP blocks outgoing port 25, so it was my test that was wrong. Tested it from a business class circuit and it worked fine. Your object NAT suggestion worked fine once we figured out the real problem. Thank you!
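As an added example (not from this thread and not Cisco code), the following Python model walks the rules pasted above in the order `show nat` lists them and reproduces two things the thread shows: the port-restricted static rules collecting only untranslate_hits (inbound connections to the mapped address and port) while outbound connections from the same hosts, which use ephemeral source ports, skip them and fall through to the after-auto interface PAT (the x.x.x.41 behaviour in the question), and the (any,any) rule without a service catching the server's outbound traffic. Rule names, the constructed traffic and the "interface" placeholder for the outside address are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of ASA NAT evaluation: rules are tried in the order `show nat`
# lists them and the first match wins. Names, addresses and traffic are constructed.

@dataclass
class NatRule:
    name: str
    real_ip: str                # "any" for the dynamic after-auto PAT
    mapped_ip: str              # "interface" stands for the outside interface address
    ingress: str                # real-side interface, or "any"
    port: Optional[int] = None  # static port translation (real port == mapped port)
    dynamic: bool = False
    translate_hits: int = 0
    untranslate_hits: int = 0

def translate(rules, ingress, src_ip, src_port):
    """Outbound: a port-restricted static rule matches only when the real host's
    *source* port equals the rule's port, so ephemeral-port mail skips a 25/25 rule."""
    for r in rules:
        if r.ingress not in ("any", ingress) or r.real_ip not in ("any", src_ip):
            continue
        if r.port is not None and src_port != r.port:
            continue
        r.translate_hits += 1
        return r.mapped_ip
    return src_ip  # no rule matched: the packet leaves untranslated

def untranslate(rules, mapped_ip, dst_port):
    """Inbound: dynamic PAT rules create no static inbound mapping and are skipped."""
    for r in rules:
        if r.dynamic or r.mapped_ip != mapped_ip:
            continue
        if r.port is not None and dst_port != r.port:
            continue
        r.untranslate_hits += 1
        return r.real_ip
    return None

def build_rules(include_any_rule):
    # Constructed table shaped like the thread's Section 2 and Section 3 rules.
    rules = [
        NatRule("EXCH-SMTP",  "192.168.154.175", "x.x.x.42", "inside", port=25),
        NatRule("ADFS-HTTPS", "192.168.153.206", "x.x.x.42", "inside", port=443),
        NatRule("ADFS-HTTP",  "192.168.153.206", "x.x.x.42", "inside", port=80),
    ]
    if include_any_rule:  # the (any,any) static rule with no service restriction
        rules.append(NatRule("Exch01-Test", "192.168.154.175", "x.x.x.42", "any"))
    rules.append(NatRule("after-auto-PAT", "any", "interface", "inside", dynamic=True))
    return rules
```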
