Port blocked - solution by NAT?

filip00011 · ‎05-09-2018

At location 1. Outgoing TCP port 25 is blocked from my ISP. Can I use 2 ASAs to tunnel that traffic to second ASA and then to the internet? Is there any possibility that this is gonna work?. See the picture please. I need to send an email from switch running EEM.

MY IDEA:

ASA 1:

object network SWITCH-POE
host 192.168.200.251

object network SMTP-SEZNAM
host 77.75.76.48

object network porici-public
host 88.100.63.27
object service smtp-port
service tcp destination eq smtp
object service change-port
service tcp destination eq 26

nat (inside,outside) source static SWITCH-POE SWITCH-POE destination static SMTP-SEZNAM porici-public service smtp-port change-port

ASA 2:

object network public-chicago
host 68.72.16.65

object network SMTP-SEZNAM
host 77.75.76.48

object network porici-public
host 88.100.63.27

object service smtp-port
service tcp destination eq smtp
object service change-port
service tcp destination eq 26

nat (outside, outside) source static public-chicago public-chicago destination static porici-public SMTP-SEZNAM service change-port smtp-port

Karsten Iwen · ‎05-09-2018

This will add unnecessary complexity to your network. There are multiple solutions that I would prefer over the NAT-solution:

If the network at ASA2 (the HQ?) has a mailserver, this one can be used as a relay-server for the switch.
Use PBR at ASA1 to send the SMTP-Traffic through the tunnel to ASA2 where it leaves to the internet.
change ISP to one that is more suitable for a business-solution. For a small branch, probably unlikely.