Hi, I am looking for help with my NAT configuration on a Cisco ASA 5516-X with Firepower services connected to FMC. Our local subnet LOCAL.NET.0.0/16 already has an Internet connection, with public IP XX.X.228.50. To obtain it I created a typical dynamic NAT:

object network lan_local_LOCAL.NET.0.0-16
 nat (inside,outside) dynamic interface

Also, I created NAT rules to reach the Exchange server from outside:

nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789002 SVC_30064789002
nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789003 SVC_30064789003
nat (outside,inside) source static any interface destination static IP_XX.X.228.54 MX2_LOCAL.NET.0.21 service SVC_30064789004 SVC_30064789004

It works as it should. As you can see, we use different IP addresses for Internet access and for the Exchange server.
Outside IP for Internet access: XX.X.228.50
Outside IP for the Exchange server: XX.X.228.54

Now we need to create a NAT rule to NAT all outside traffic of the Exchange server to XX.X.228.54 instead of XX.X.228.50, and when I create one, for example

object network MX2_LOCAL.NET.0.21
 nat (inside,outside) dynamic IP_XX.X.228.54

it works, but from time to time some packets are NATed by this rule and some packets are NATed by the main local net NAT rule:

object network lan_local_LOCAL.NET.0.0-16
 nat (inside,outside) dynamic interface

I checked it by looking at the public IP address in a web browser and pressing F5; in 50% of cases the public IP is XX.X.228.54, but in the others it is XX.X.228.50. This is the issue; it prevents our mail server from working correctly. How do I handle this issue? How do I freeze the public IP for the Exchange server?
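The question turns on which of two overlapping network-object NAT rules the ASA picks for a packet from the Exchange server. The script below is an added example, not the poster's configuration or Cisco code: it models the documented Section 2 (auto NAT) ordering, static before dynamic, then fewer real addresses first, then lower address, then object name, and applies it to constructed equivalents of the two dynamic rules in the post. Addresses are constructed from the RFC 1918 and RFC 5737 ranges: 10.0.0.0/16 stands for LOCAL.NET.0.0/16, 10.0.0.21 for the MX2 server, 198.51.100.50 for the outside interface and 198.51.100.54 for IP_XX.X.228.54. Section 1 manual NAT is not modelled.

```python
"""Model of ASA network-object (auto) NAT rule ordering.

Added example, not the poster's configuration. All addresses below are
constructed stand-ins for the anonymised values in the post.
"""
import ipaddress
from dataclasses import dataclass

# Constructed outside interface address (stands for XX.X.228.50).
OUTSIDE_INTERFACE_IP = "198.51.100.50"


@dataclass(frozen=True)
class AutoNatRule:
    object_name: str             # name of the 'object network'
    real: ipaddress.IPv4Network  # real (inside) addresses the object covers
    mapped: str                  # 'interface' or the mapped object name
    static: bool                 # True for 'nat ... static', False for dynamic


def section2_order(rules):
    """Sort rules the way the ASA evaluates Section 2 (auto NAT)."""
    return sorted(
        rules,
        key=lambda r: (
            0 if r.static else 1,          # static rules before dynamic
            r.real.num_addresses,          # objects with fewer real IPs first
            int(r.real.network_address),   # then lower address first
            r.object_name,                 # then object name, alphabetically
        ),
    )


def matching_rule(rules, src_ip):
    """Return the first ordered rule whose real object contains src_ip."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in section2_order(rules):
        if src in rule.real:
            return rule
    return None


# Constructed equivalents of the two dynamic rules from the post.
RULES = [
    AutoNatRule("lan_local_10.0.0.0-16", ipaddress.IPv4Network("10.0.0.0/16"),
                "interface", static=False),
    AutoNatRule("MX2_10.0.0.21", ipaddress.IPv4Network("10.0.0.21/32"),
                "IP_198.51.100.54", static=False),
]


def mapped_address_for(src_ip, rules=RULES):
    """Resolve the mapped (outside) address a source would be translated to.

    'interface' resolves to the constructed outside interface address; a
    mapped object named IP_<address> resolves to that address.
    """
    rule = matching_rule(rules, src_ip)
    if rule is None:
        return None
    if rule.mapped == "interface":
        return OUTSIDE_INTERFACE_IP
    return rule.mapped.split("_", 1)[1]


if __name__ == "__main__":
    for rule in section2_order(RULES):
        print(f"{rule.object_name:24s} -> {rule.mapped}")
    for host in ("10.0.0.21", "10.0.5.7"):
        print(f"{host} translates to {mapped_address_for(host)}")
```

Under this ordering the /32 object is evaluated before the /16 object, so the model always maps the MX2 host to the dedicated address. Comparing the modelled order with what the appliance actually applies (`show nat detail`, and `show xlate` for the live translations) is the first check worth making when the observed mapping alternates, because rule precedence alone does not produce that behaviour.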
Thank you for your fast answers! But how can I be sure about "ISP sends the traffic to your ASA's OUTSIDE interface's IP"? I think it is impossible if the outside interface's IP is not the router's IP which routes traffic to my subnet (XXX.XX.37.48/29), and in this case we need to route our subnet ourselves, using our device. Also, we have a configuration which was shared by our ISP: atn3-140:
interface GigabitEthernet0/2/20.XXX
vlan-type dot1q XXX
description
mtu 9500
ip binding vpn-instance internet
ip address XXX.XX.2.229 255.255.255.252
ip address XXX.XX.37.49 255.255.255.248 sub
statistic enable
loop-detect enable
qos-profile uni-102400K inbound
qos-profile uni-102400K outbound
trust upstream not_6_7

Is that enough? Also, I just read the link you provided, and I think I need to ask my ISP to do it, or suggest any other ways to implement it.
Hi! We just bought a Cisco 5516-X with FTD preinstalled on the device. We already have a router/FW from another vendor and want to replace it with an NGFW from Cisco. I started configuring the outside interfaces and noticed that the ASA doesn't support multiple IPs from the same subnet on one physical network interface using subinterfaces. Our environment is a subnet provided by our ISP: XXX.XX.37.48/29, the GW is XXX.XX.37.49 and our IPs are XXX.XX.37.50-54. We want to use at least two IPs from this list to NAT traffic to two different Exchange MX servers, which are both placed in our local network. In our DNS mail records we have two MX records. We don't want to completely change our internal infrastructure, if possible of course. I ask you to help me by providing a useful link to a technology that can help us deal with it.