PAT on ASA 5508X not working as expected

Jesserony
Level 1

Hello,

I have a block of static IP addresses, and I am attempting to configure NAT on an ASA 5508X where two servers share one IP address. One is an Exchange server and just needs SMTP, and the other just needs HTTP/HTTPS. With the NAT configuration below, SMTP is working for the Exchange server, but I cannot access the ADFS server via HTTP. If I disable the Exchange server NAT rule, I can then access the ADFS server via HTTP.

Also, when I configure these rules it warns me that the IP address overlaps, which of course makes sense. However, the way I've been understanding it (and it works fine on an ASA 5516X we have) is that, with the NAT rules being processed sequentially, an HTTP request from Outside would hit the HTTP/HTTPS NAT rules for ADFS and go to the ADFS server, and anything else would go to the SMTP server.

Could someone take a look? Below is what I think are the relevant parts of the config. Let me know if you need the whole thing.

Thanks!
Jesse

!
!
!
object network Server_Exch_ADFS_Outside
host xxxx
object network Server_Exch01-Test
host xxxx
object network Server_ADFS-LAB
host xxxx
!
object service https
service tcp destination eq https
object service http
service tcp destination eq www
object service SMTP
service tcp source eq smtp destination eq smtp
!
access-list outside_access_in_2 extended permit object-group http-all any object Server_ADFS-LAB
access-list outside_access_in_2 extended permit tcp any object Server_Exch01-Test eq smtp
access-list outside_access_in_2 extended permit icmp any4 any4
access-list outside_access_in_2 extended deny ip any any
!
nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service https https inactive
nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service http http inactive
nat (inside,outside) source static Server_Exch01-Test Server_Exch_ADFS_Outside
!
!
!

Accepted Solution

You are right, it should be sequentially top-down. But is that really your complete NAT-config?


I would configure it with object-NAT:

object network Server_Exch01-Test-TCP25
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 25 25
object network Server_ADFS-LAB-TCP80
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 80 80
object network Server_ADFS-LAB-TCP443
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 443 443


3 Replies

Hi Karsten, thank you for the response and suggestion. You are correct, that was not the complete NAT config, just what I thought relevant. The full config is below.

This might be a silly question, but with the config lines you suggested, how would the ASA know to associate Server_ADFS-LAB-TCP80 and Server_ADFS-LAB-TCP443 with the local IP address of the actual ADFS Lab server, 192.168.x.x?


Current full NAT config:


nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service https https inactive
nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service http http inactive
nat (inside,outside) source static Server_Exch01-Test Server_Exch_ADFS_Outside
nat (inside,outside) source static Server_IPSearch-Test Server_IPSearch-Test-Outside
nat (inside,outside) source static Server_Web02-Test Server_Web02-Test-Outside
nat (inside,outside) source static Server_Web01-Test Server_Web01-Test-Outside
nat (inside,outside) source static Test-Minneapolis Test-Minneapolis destination static vpn_clients vpn_clients no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
nat (guest,outside) after-auto source dynamic any interface


Thanks again,

Jesse


Jesserony
Level 1

Hi Karsten,


We got it figured out: it turns out my home ISP blocks outgoing port 25, so it was my test that was wrong. Tested it from a business-class circuit and it worked fine. Your object NAT suggestion worked fine once we figured out the real problem. Thank you!
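As an added example (editor's addition, not configuration from the thread or from Cisco), here is the object-NAT layout from the accepted answer completed with the part Jesse asked about, followed by the ASA commands to verify it. Each of the per-port network objects needs its own host line; that is what ties Server_ADFS-LAB-TCP80 and Server_ADFS-LAB-TCP443 to the real ADFS address. The addresses 192.0.2.10 (shared public), 192.168.1.20 (Exchange), 192.168.1.30 (ADFS) and the packet-tracer source 198.51.100.77 are placeholders standing in for the redacted values in the thread.

```cisco
! Added example, not the thread's configuration. All addresses are placeholders.
!
! 1. Remove the overlapping twice-NAT rules. Manual NAT (section 1) is evaluated
!    before object NAT (section 2), so the port-less Exchange rule would otherwise
!    catch every port on the shared address before the object-NAT rules are reached.
no nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service https https inactive
no nat (inside,outside) source static Server_ADFS-LAB Server_Exch_ADFS_Outside service http http inactive
no nat (inside,outside) source static Server_Exch01-Test Server_Exch_ADFS_Outside
!
! 2. Shared public address (placeholder)
object network Server_Exch_ADFS_Outside
 host 192.0.2.10
!
! 3. One object per published port. The "host" line binds each object to the real
!    server; the nat statement inside the object maps only that port to the shared
!    public address, so TCP/25, TCP/80 and TCP/443 no longer overlap.
object network Server_Exch01-Test-TCP25
 host 192.168.1.20
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 25 25
object network Server_ADFS-LAB-TCP80
 host 192.168.1.30
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 80 80
object network Server_ADFS-LAB-TCP443
 host 192.168.1.30
 nat (inside,outside) static Server_Exch_ADFS_Outside service tcp 443 443
!
! 4. The interface ACL matches on real (inside) addresses on ASA 8.3 and later, so
!    the existing outside_access_in_2 entries keyed on Server_ADFS-LAB and
!    Server_Exch01-Test still apply as long as those objects resolve to the same hosts.
!
! 5. Verify on the ASA before testing from the Internet:
!    show running-config nat      <- confirm no rule is still marked "inactive"
!    show nat detail              <- translate_hits / untranslate_hits per rule
!    packet-tracer input outside tcp 198.51.100.77 40000 192.0.2.10 80 detailed
!    packet-tracer input outside tcp 198.51.100.77 40000 192.0.2.10 25 detailed
!    Look for an UN-NAT phase resolving to 192.168.1.30 (port 80) or 192.168.1.20
!    (port 25) and an ACCESS-LIST phase that permits the flow.
```

Two caveats worth checking. Because the Exchange object now maps only TCP/25, the server's own outbound connections (including outbound SMTP, which leaves from an ephemeral source port) no longer match that static and fall through to the after-auto dynamic PAT on the interface, so they exit from the outside interface address rather than 192.0.2.10; if SPF or reverse DNS depends on the shared address, give that host a dedicated outbound PAT rule or its own public address. And, as the thread's resolution shows, test inbound TCP/25 from a network that does not filter it: many residential ISPs block outbound port 25, which looks exactly like a NAT failure from the client side.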
