Static NAT resolution problem

shahid_duet
Level 1

Dear boss

Please see my attachment.

I want to do static NAT 203.88.148.85 -> 172.29.1.5 and 192.168.0.241 -> 172.29.1.5.

That means all outsiders will reach the mail server via 203.88.148.85 and local users will reach the mail server via 192.168.0.241.

For that I did:

router:

interface GigabitEthernet0/0
 ip address 203.88.148.84 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
 ip nat inside
ip route 0.0.0.0 0.0.0.0 203.88.148.81
ip route 172.29.1.0 255.255.255.0 10.0.0.2
ip route 192.168.0.0 255.255.255.0 10.0.0.2
ip nat pool IP_POOL 203.88.148.84 203.88.148.86 netmask 255.255.255.252
ip nat inside source list 1 pool IP_POOL overload
ip nat inside source static 172.29.1.5 203.88.148.85
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 172.29.1.0 0.0.0.255

ASA:

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.240 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.29.1.1 255.255.255.0
!
access-list OUTSIDE-IN extended permit ip any 172.29.1.0 255.255.255.0
static (DMZ,outside) 172.29.1.5 172.29.1.5 netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

But I can't reach 203.88.148.85 from the internet, or 203.88.148.81 from 172.29.1.5. The same happens in the case of the local net.

What can I do now? What am I missing?

Can you help me, please?

Thanks

shahid


12 Replies

cadet alain
VIP Alumni

Hi,

on ASA:

disable nat-control with no nat-control

remove the static NAT for dmz,outside on the ASA and change the ACL to permit ip any 172.16.29.5

do a static (dmz,inside) for tcp port 25 and put an ACL to enable return traffic from dmz to inside

On the router change NAT to this:

ip nat pool IP_POOL 203.88.148.84 203.88.148.84 netmask 255.255.255.252
ip nat inside source list 1 pool IP_POOL overload
ip nat inside source static tcp 172.29.1.5 25 203.88.148.85 25

Regards.

Alain.

Don't forget to rate helpful posts.
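A small configuration check, added here and not part of Alain's reply, that shows why narrowing the pool matters: in the original router config the dynamic pool 203.88.148.84-.86 also contains the static inside-global address 203.88.148.85 and the outside interface address. The regexes and the two sample config strings are my own construction from the lines quoted in the thread.

```python
import ipaddress
import re

# Constructed sample (not a capture): the NAT-related router lines from
# the original question, before the pool change suggested above.
ROUTER_NAT_BEFORE = """\
interface GigabitEthernet0/0
 ip address 203.88.148.84 255.255.255.248
 ip nat outside
ip nat pool IP_POOL 203.88.148.84 203.88.148.86 netmask 255.255.255.252
ip nat inside source list 1 pool IP_POOL overload
ip nat inside source static 172.29.1.5 203.88.148.85
"""

# The same lines after narrowing the pool to a single address.
ROUTER_NAT_AFTER = ROUTER_NAT_BEFORE.replace(
    "203.88.148.84 203.88.148.86", "203.88.148.84 203.88.148.84")

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")
# Matches both 'static A B' (static NAT) and 'static tcp A p B p' (static PAT);
# group 2 is the inside-global address in either form.
STATIC_RE = re.compile(
    r"^ip nat inside source static (?:(?:tcp|udp) )?(\S+) (?:\d+ )?(\S+)(?: \d+)?$")
IFADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$")


def find_nat_conflicts(config):
    """Return (kind, address) findings. A dynamic pool must not hand out an
    address that is also a static inside-global or an interface address,
    otherwise overloaded sessions and the static mapping fight over it."""
    pool_addrs, static_globals, if_addrs = set(), set(), set()
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            start, end = (int(ipaddress.ip_address(a)) for a in m.group(2, 3))
            pool_addrs.update(str(ipaddress.ip_address(i))
                              for i in range(start, end + 1))
        elif m := STATIC_RE.match(line):
            static_globals.add(m.group(2))
        elif m := IFADDR_RE.match(line):
            if_addrs.add(m.group(1))
    findings = [("pool-overlaps-static", a) for a in sorted(pool_addrs & static_globals)]
    findings += [("pool-includes-interface", a) for a in sorted(pool_addrs & if_addrs)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", ROUTER_NAT_BEFORE), ("after", ROUTER_NAT_AFTER)):
        print(label, find_nat_conflicts(cfg))
```

The "after" config still reports the interface address inside the pool; on IOS the usual way to avoid that is `ip nat inside source list 1 interface GigabitEthernet0/0 overload` instead of a pool.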

Hi Alain

You are correct.

Could you please differentiate between

ip nat inside source static tcp and ip nat inside source static.

Now tell me how I NAT my local IP 192.168.0.241 to 172.29.1.5 on the ASA?

How will PC 192.168.0.10 reach 172.29.1.5 by NATing 192.168.0.241?

Please help me

Thanks

shahid

Hi,

ip nat inside source static tcp and ip nat inside source static:

the first one is called static PAT and the second is static NAT, which means in the second case you are doing a 1-1 NAT of all your ports, whereas in the other case it is only for a certain TCP port.

to map the mail server for inside access:

static (dmz,inside) tcp 192.168.0.241 25 172.29.1.5 25 netmask 255.255.255.255

Don't forget to add an ACL permitting traffic back from dmz:

access-list MAILSERVER_DMZTOINSIDE line 10 extended permit tcp host 192.168.0.241 eq 25 192.168.0.0 255.255.255.0
access-group MAILSERVER_DMZTOINSIDE out interface inside

Regards.

Alain.

Don't forget to rate helpful posts.
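To make the static NAT versus static PAT distinction in Alain's reply concrete, here is an added example (my own code, not from the thread) that parses both forms of the IOS command and looks up what an inbound packet to 203.88.148.85 is translated to. The point for exposure: the 1-1 form forwards every port of the inside host, the tcp form forwards only port 25.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRule:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None       # None -> static NAT (all protocols, all ports)
    local_port: Optional[int] = None  # set together with proto -> static PAT
    global_port: Optional[int] = None


def parse_static(line):
    """Parse an IOS 'ip nat inside source static ...' line into a StaticRule."""
    parts = line.split()
    if parts[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError("not a static NAT line: " + line)
    rest = parts[5:]
    if rest[0] in ("tcp", "udp"):   # static PAT: proto local lport global gport
        return StaticRule(rest[1], rest[3], rest[0], int(rest[2]), int(rest[4]))
    return StaticRule(rest[0], rest[1])   # static NAT: local global


def translate_inbound(rules, proto, dst_ip, dst_port):
    """Return (inside_ip, inside_port) for a packet arriving on the outside
    interface, or None when no static rule matches (the packet is then not
    forwarded to the inside host at all)."""
    for r in rules:
        if r.inside_global != dst_ip:
            continue
        if r.proto is None:
            return (r.inside_local, dst_port)        # static NAT: every port
        if r.proto == proto and r.global_port == dst_port:
            return (r.inside_local, r.local_port)    # static PAT: this port only
    return None


# Constructed rules: the two command forms discussed in the thread.
STATIC_NAT = parse_static("ip nat inside source static 172.29.1.5 203.88.148.85")
STATIC_PAT = parse_static("ip nat inside source static tcp 172.29.1.5 25 203.88.148.85 25")

if __name__ == "__main__":
    for port in (25, 80):
        print("static NAT, tcp/%d ->" % port, translate_inbound([STATIC_NAT], "tcp", "203.88.148.85", port))
        print("static PAT, tcp/%d ->" % port, translate_inbound([STATIC_PAT], "tcp", "203.88.148.85", port))
```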

Mr. Alain

Thanks again

Please see my new diagram.

Now I am getting 192.168.0.241 as the NAT from my local net, i.e. 192.168.0.0/24.

But I need access from my branches, i.e. 192.168.11.0/24, 12.0/24, 13.0/24, etc., so I did

access-list MAILSERVER_DMZTOINSIDE extended permit tcp host 192.168.0.241 eq smtp 192.168.0.0 255.255.0.0

route local 192.168.0.0 255.255.0.0 192.168.0.254 on the ASA.

I can get from the ASA to 192.168.11.5 but cannot get 192.168.0.241 from 192.168.11.5.

How do I get 192.168.0.241 from 192.168.11.5? Is any route required in the core router?

NB: there is a route for 192.168.0.0/24 on the branch router.

shahid

Hi,

So the part you asked for is working now?

But you want the branch sites to communicate with this server, is that so? Are your remote sites all using VPN? In that case, which type, IPsec site-to-site VPN?

Regards.

Alain.

Don't forget to rate helpful posts.

Alain

Yes, it's working with the local net but not the branch.

I am using VPN and 192.168.0.0/24 is allowed through the site-to-site IPsec crypto map VPN, as I am getting 192.168.0.243 from the branch.

I want to communicate with the mail server from the branch.

How?

shahid

Hi Alain

Do you understand my diagram?

If it is not clear, let me know.

Thanks

Hi,

Yes I understand but it's been a while since I've configured ASA so I had to think it over.

By default ICMP is not inspected, so you need to modify your ACL to permit return echo-replies or enable ICMP inspection like this:

policy-map global_policy
 class inspection_default
  inspect icmp

NB: return traffic from dmz to inside is permitted by default for TCP and UDP, so I think this should work without the ACL and just by inspecting ICMP, so your pings to the server will work and SMTP also.

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks boss

You are great

Dear Alain

I need your help again.

Now I am using an ASA 5510.

I can get from local to the server but not from the server to local.

What can I do now?

shahid

rais
Level 7

From my part of the world I get:

>ping 203.88.148.85

Pinging 203.88.148.85 with 32 bytes of data:

Reply from 111.93.72.94: TTL expired in transit.

Reply from 111.93.72.94: TTL expired in transit.

Ping statistics for 203.88.148.85:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Same results using: http://www.as577.net/en/page/lg.html
There seems to be a routing loop.

Thanks.

Yep,

tracerouting to your next-hop router from the ISP reveals a loop between 2 SPs.

Regards.

Alain.

Don't forget to rate helpful posts.