01-23-2012 09:51 PM - edited 03-04-2019 03:00 PM
Hi Dears.
We have a problem. We have a router which performs NAT, and behind the router we have an ASA. On the inside we have a server (webmail server). We need requests which come to our outside interface with port number 9000 to be converted to the server IP with port number 443.
I copied my router and ASA configuration here. On my router two ISPs are configured. All of them are working.
How do I convert requests which come to our outside interface with port number 9000 to the server IP (192.168.10.7) with port number 443? My webmail server IP address is 192.168.10.7. I did static NAT but it is not working. How do I do it??
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
delay down 15 up 10
!
track 3 ip sla 2 reachability
delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.116
description connected to ISP1
encapsulation dot1Q 116
ip address x.x.x.10 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.859
description connected to ISP2
encapsulation dot1Q 859
ip address x.x.x.114 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1
description INSIDE
ip address 172.25.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map Classify
duplex auto
speed auto
standby 1 ip 172.25.10.3
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip route 192.168.10.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
icmp-echo x1.x.x.9 source-interface GigabitEthernet0/0.116
timeout 1000
threshold 1000
frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8x.x.x.113 source-interface GigabitEthernet0/0.859
timeout 1000
threshold 1000
frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.127 any
access-list 101 permit ip 192.168.10.128 0.0.0.63 any
access-list 101 permit ip 192.168.10.192 0.0.0.31 any
access-list 101 permit ip 192.168.10.224 0.0.0.15 any
access-list 101 permit ip 192.168.10.240 0.0.0.7 any
access-list 102 deny ip host 192.168.10.253 any
access-list 102 permit ip 192.168.10.248 0.0.0.7 any
access-list 103 permit ip 192.168.10.0 0.0.0.127 any
access-list 103 permit ip 192.168.10.128 0.0.0.63 any
access-list 103 permit ip 192.168.10.192 0.0.0.31 any
access-list 103 permit ip 192.168.10.224 0.0.0.15 any
access-list 103 permit ip 192.168.10.240 0.0.0.7 any
access-list 104 permit ip 192.168.10.248 0.0.0.7 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
match ip address 105
match interface GigabitEthernet0/0.116
!
route-map MAIL-Server1 permit 10
match ip address 105
match interface GigabitEthernet0/0.859
!
route-map Classify permit 10
match ip address 103
set ip next-hop verify-availability xxxx1 track 2
set ip next-hop verify-availability xxxx 2 track 3
!
route-map Classify permit 20
match ip address 104
set ip next-hop verify-availability xxxx 1 track 3
set ip next-hop verify-availability xxxx 2 track 2
!
route-map Classify permit 30
match ip address 105
set ip next-hop verify-availability xxxx1 track 2
set ip next-hop verify-availability xxxx 2 track 3
!
route-map ISP2 permit 20
match ip address 102 101
match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
match ip address 101 102
match interface GigabitEthernet0/0.116
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
event manager applet Track2down
event track 2 state down
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet track2UP
event track 2 state up
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet Track3Down
event track 3 state down
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet Track3Up
event track 3 state up
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
!
end
ASA configuration:
ASA Version 8.2(1)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.25.10.4 255.255.255.0 standby 172.25.10.5
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list inbound extended permit tcp any host 192.168.10.7 eq https
access-list inbound extended permit tcp any host 192.168.10.7 eq smtp
access-list inbound extended permit udp any host 192.168.10.7 eq domain
access-list inbound extended permit tcp any host 192.168.10.7 eq 465
access-list inbound extended permit tcp any host 192.168.10.7 eq www
access-list inbound extended permit tcp any host 192.168.10.7 eq domain
access-list inbound extended permit tcp any host 192.168.10.7 eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 172.30.50.1-172.30.50.254
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.30.30.1 255.255.255.0 standby 172.30.30.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.10.3 1
route inside 192.168.10.0 255.255.255.0 10.20.0.3 1
route inside 192.168.16.0 255.255.240.0 10.20.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy risk internal
group-policy risk attributes
vpn-idle-timeout 30
username teymur password rPv8yXoba0NS97Kb encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy risk
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f493b68e4266780b78498eae53c46b68
: end
01-24-2012 12:17 AM
Hi,
Could you change these 2 static entries:
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
with these 2:
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable
Regards.
Alain
01-24-2012 12:49 AM
Hi Azimov,
As Alain correctly mentioned, you'd have to change the static NAT commands to port translation, translating port 443 to 9000.
With this solution, you would be facing issues with other services hosted on 192.168.10.7. I am assuming that there are other services hosted on this web server because you have allowed other ports apart from 443 on your ASA for this IP.
So as per me, your configuration would look something like this:
------------------------------------------------------------------------------------------
route-map Internet1 permit 10
match interface GigabitEthernet0/0.116
route-map Internet2 permit 10
match interface GigabitEthernet0/0.859
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map Internet2
access-list 105 deny tcp host 192.168.10.7 eq 443 any
access-list 105 permit ip host 192.168.10.7 any
route-map MAIL-Server permit 10
match ip address 105
match interface GigabitEthernet0/0.116
route-map MAIL-Server1 permit 10
match ip address 105
match interface GigabitEthernet0/0.859
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
------------------------------------------------------------------------------------------
The ACL deny entry (access-list 105 deny tcp host 192.168.10.7 eq 443 any) will prevent the NAT translation from happening through the one-to-one mapping, as we want the HTTPS return traffic to be NATed using the port translation entry.
Hope it helps. Do let us know if you got this issue resolved.
Neeraj
01-24-2012 02:16 AM
Thank you very much for helping me.
Yes Neeraj. I also have port 25 (SMTP) and IMAPS requests from outside, and from the inside port 25 and DNS (53) go outside.
As I understand it, my config is like this. Yes?
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map MAIL-Server1
As you see, for port 25 and IMAP the destination and source ports are the same.
ip nat inside source static tcp 192.168.10.7 25 x.x.x.12 25 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 imap x.x.x.12 imap extendable route-map MAIL-Server
access-list 105 deny tcp host 192.168.10.7 eq 443 any
access-list 105 deny tcp host 192.168.10.7 eq 25 any
access-list 105 deny tcp host 192.168.10.7 eq imap any
access-list 105 permit ip host 192.168.10.7 any
route-map MAIL-Server permit 10
match ip address 105
match interface GigabitEthernet0/0.116
route-map MAIL-Server1 permit 10
match ip address 105
match interface GigabitEthernet0/0.859
Is this configuration right????
At the server, ports 25 and 53 go outside. Do I need additional configuration for this??
Thank you very much.
01-24-2012 04:21 AM
If you are doing port translation using the static command, then you really do not need to have an ACL in the route-map.
The NAT command will only be invoked if the source of the packet is 192.168.10.7. So if you want to use port translation for all the ports being hosted, then the following config would be good for you:
route-map Internet1 permit 10
match interface GigabitEthernet0/0.116
route-map Internet2 permit 10
match interface GigabitEthernet0/0.859
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map Internet2
ip nat inside source static tcp 192.168.10.7 25 x.x.x.12 25 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 25 85.x.x.116 25 extendable route-map Internet2
ip nat inside source static tcp 192.168.10.7 imap x.x.x.12 imap extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 imap 85.x.x.116 imap extendable route-map Internet2
** The rest of the traffic going out to the Internet will be taken care of by the overload commands.
01-24-2012 05:04 AM
How will our traffic (192.168.10.7) from inside with ports 25 and 53 exit to the Internet????
01-24-2012 07:41 AM
Well, if you are talking about the DNS (53) & SMTP (25) queries to outside Internet servers, then as I mentioned in my previous post, anything initiated from inside going towards the Internet will be taken care of by the NAT overload commands that you already have in your config, NATing the traffic to either the GigabitEthernet0/0.116 or the GigabitEthernet0/0.859 interface.
This holds true even for the 192.168.10.7 server. Any Internet related activity being initiated from this server will be served using the NAT overload commands (PAT).
Only when a packet coming from this server has the source port 443, 25 or imap (which will only happen in the case of return traffic/responses from this server) will the port translation static TCP entries be executed.
01-24-2012 10:00 PM
Hi again.
As you see in my access-list, I deny 192.168.10.7 traffic, and therefore traffic going outside from this server will not participate in NAT overload. It only participates in static NAT:
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
In this situation, how will our traffic (192.168.10.7) from inside with ports 25 and 53 exit to the Internet????
access-list 101 deny ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.127 any
access-list 101 permit ip 192.168.10.128 0.0.0.63 any
access-list 101 permit ip 192.168.10.192 0.0.0.31 any
access-list 101 permit ip 192.168.10.224 0.0.0.15 any
access-list 101 permit ip 192.168.10.240 0.0.0.7 any
access-list 102 deny ip host 192.168.10.253 any
access-list 102 permit ip 192.168.10.248 0.0.0.7 any
access-list 103 permit ip 192.168.10.0 0.0.0.127 any
access-list 103 permit ip 192.168.10.128 0.0.0.63 any
access-list 103 permit ip 192.168.10.192 0.0.0.31 any
access-list 103 permit ip 192.168.10.224 0.0.0.15 any
access-list 103 permit ip 192.168.10.240 0.0.0.7 any
access-list 104 permit ip 192.168.10.248 0.0.0.7 any
access-list 105 permit ip host 192.168.10.7 any
!
route-map ISP2 permit 20
match ip address 102 101
match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
match ip address 101 102
match interface GigabitEthernet0/0.116
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
01-25-2012 12:12 AM
oops....my bad...didn't look at the overload ACL earlier...
See, the default behaviour of NAT is: it will prefer static NAT first, then go for dynamic NAT, and then check the PAT/overload statements.
So when you already have port translation entries for the 192.168.10.7 server, you don't need to deny it in ACL 101. We use this deny technique if NAT is not behaving properly and not giving static NAT preference.
So I would personally suggest that you remove this line from ACL 101:
no access-list 101 deny ip host 192.168.10.7 any
This should enable outgoing traffic to be NATed using the overload statements without adding any more config.
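The lookup order Neeraj describes here (static port translation consulted before the overload route-map, with ACL 101 deciding whether the server's own outbound connections get PAT), and the earlier point that the static TCP entries only fire on return traffic whose source port is 443, 25 or imap, can be traced with a small model. The Python below is an added illustration written for this edit, not code from the thread or from Cisco IOS. It uses RFC 5737 placeholder addresses in place of the redacted x.x.x.10 / x.x.x.12 / x.x.x.114 / 85.x.x.116 values, takes the egress interface as an input (the thread's policy routing and default routes choose it, not NAT), and simplifies PAT by keeping the source port unchanged.

```python
"""
Simplified model of the IOS NAT lookup order discussed in this thread.
Added illustration only: not Cisco's implementation. Public addresses are
RFC 5737 placeholders standing in for the thread's redacted values, and
the egress interface is chosen by the caller (policy routing does that
on the real router, not NAT).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SERVER = "192.168.10.7"
ISP1_IF, ISP2_IF = "GigabitEthernet0/0.116", "GigabitEthernet0/0.859"
ISP1_ADDR, ISP1_STATIC = "203.0.113.10", "203.0.113.12"      # placeholders: x.x.x.10, x.x.x.12
ISP2_ADDR, ISP2_STATIC = "198.51.100.114", "198.51.100.116"  # placeholders: x.x.x.114, 85.x.x.116


@dataclass(frozen=True)
class StaticPat:
    """One 'ip nat inside source static tcp <in> <port> <global> <port> extendable route-map' line."""
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int
    egress: str  # interface matched by the route-map (Internet1 / Internet2)


# The static port-translation set from Neeraj's last config, for both ISP egress interfaces.
STATIC_PAT: List[StaticPat] = [
    StaticPat(SERVER, 443, ISP1_STATIC, 9000, ISP1_IF),
    StaticPat(SERVER, 443, ISP2_STATIC, 9000, ISP2_IF),
    StaticPat(SERVER, 25, ISP1_STATIC, 25, ISP1_IF),
    StaticPat(SERVER, 25, ISP2_STATIC, 25, ISP2_IF),
    StaticPat(SERVER, 143, ISP1_STATIC, 143, ISP1_IF),  # imap
    StaticPat(SERVER, 143, ISP2_STATIC, 143, ISP2_IF),
]

# ACL 101 as posted (deny host 192.168.10.7 first), and the same ACL with that deny removed.
ACL_101_AS_POSTED: List[Tuple[str, str]] = [
    ("deny", "192.168.10.7/32"),
    ("permit", "192.168.10.0/25"),     # 192.168.10.0 0.0.0.127
    ("permit", "192.168.10.128/26"),   # 192.168.10.128 0.0.0.63
    ("permit", "192.168.10.192/27"),   # 192.168.10.192 0.0.0.31
    ("permit", "192.168.10.224/28"),   # 192.168.10.224 0.0.0.15
    ("permit", "192.168.10.240/29"),   # 192.168.10.240 0.0.0.7
]
ACL_101_WITHOUT_DENY = ACL_101_AS_POSTED[1:]

# Interface address the ISP1/ISP2 overload route-maps use for a given egress.
OVERLOAD_ADDR = {ISP1_IF: ISP1_ADDR, ISP2_IF: ISP2_ADDR}


def acl_permits(acl: List[Tuple[str, str]], src_ip: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    addr = ip_address(src_ip)
    for action, network in acl:
        if addr in ip_network(network):
            return action == "permit"
    return False


def inside_to_outside(src_ip: str, src_port: int, egress: str,
                      acl_101: List[Tuple[str, str]]) -> Optional[Tuple[str, int, str]]:
    """Translate an inside->outside packet. Returns (global_ip, global_port, rule) or None."""
    # 1. Static port translation is consulted first. It matches only on the server's
    #    own source IP *and* source port, i.e. replies from a hosted service.
    for rule in STATIC_PAT:
        if (rule.inside_ip, rule.inside_port, rule.egress) == (src_ip, src_port, egress):
            return rule.global_ip, rule.global_port, "static-pat"
    # 2. Otherwise the overload route-map applies, provided ACL 101 permits the source.
    #    (Source port kept as-is here; real PAT re-maps it only on collision.)
    if acl_permits(acl_101, src_ip):
        return OVERLOAD_ADDR[egress], src_port, "overload"
    # 3. Nothing matched: the packet would leave with its private source untranslated.
    return None


def outside_to_inside(dst_ip: str, dst_port: int, ingress: str) -> Optional[Tuple[str, int]]:
    """Reverse lookup for a new inbound connection, e.g. a client hitting x.x.x.12:9000."""
    for rule in STATIC_PAT:
        if (rule.global_ip, rule.global_port, rule.egress) == (dst_ip, dst_port, ingress):
            return rule.inside_ip, rule.inside_port
    return None


if __name__ == "__main__":
    print("client -> :9000 lands on", outside_to_inside(ISP1_STATIC, 9000, ISP1_IF))
    print("reply from :443 becomes", inside_to_outside(SERVER, 443, ISP1_IF, ACL_101_AS_POSTED))
    print("server SMTP out, deny kept:", inside_to_outside(SERVER, 40000, ISP1_IF, ACL_101_AS_POSTED))
    print("server SMTP out, deny gone:", inside_to_outside(SERVER, 40000, ISP1_IF, ACL_101_WITHOUT_DENY))
```

Running it shows the two halves of the thread's problem side by side: an inbound connection to the placeholder for x.x.x.12 on 9000 reaches 192.168.10.7:443 and the reply (source port 443) is rewritten back to 9000 by the static entry regardless of ACL 101, while a connection the server opens itself from an ephemeral port only gets an overload translation once the deny line is gone.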
01-25-2012 01:19 AM
OK, I understand that I remove the deny in access-list 101. Then you said it will work normally.
If you look at my configuration, I configured dual ISPs in active/active state. If I change it as you wrote me, will all of them keep working normally??
Thanks again.
01-25-2012 03:08 AM
Hi
We couldn't use overload, because we need a static NAT to an IP address which on the ISP side is written in the MX records.
01-25-2012 05:20 AM
You already have the static NAT statements for x.x.x.12 & 85.x.x.116 for the following ports: 443, 25 & imap, which you can use in MX records, but if you want to host more services then yes, you would prefer having a one-to-one static NAT entry instead of using overload.
Another point I would like to make, although it's quite late in our conversation, is: you are trying to load balance traffic through the two ISP links. This is generally not recommended, as you would not know which interface/link the router will send its response from, so the TCP sessions might not always work as intended. So try and use the two links as backups of each other, both in the default routes as well as in the policy based routing route-map Classify.
Check this thread for detailed reference:
03-29-2012 11:55 AM
Dear Neeraj Arora, I did the configuration as you wrote me, but static NAT was not working. Only dynamic NAT is working.
What is the problem? Can you help me?
03-29-2012 12:00 PM
Dynamic means that 192.168.10.7 is translated by dynamic NAT.