Unable to correctly separate traffic in ASA

Unanswered Question
May 11th, 2009

Dear friends,

I'm trying to do a simple thing: to separate traffic using "static" statements. However, the command is not working correctly. Please check the attached file.

Let's see the details. I'm using an ASA 5510, version 8.0(4). The problem is that, when I use the mentioned "static" commands, the mail server still tries to contact external SMTP servers using the "global" address configured for a regular NAT instead of using the statically configured address. I have to force the static mapping of the right IP address to the right machine.

What am I doing wrong?

I appreciate the help.

Mauricio Harley

John Blakley Mon, 05/11/2009 - 10:49

Mauricio,

Maybe I'm misunderstanding you, but are you trying to have your mail server go out as a different address than what your global interface ip is? If so, you can do:

global (outside) 2

nat (dmz) 2

It will go out as whatever address you want it to.

HTH,

John

mauricioharley Mon, 05/11/2009 - 10:59

Hi, John,

This is it, but I have two machines (1 web/DNS server and 1 SMTP server) sharing the same external IP address. I don't have a second available address. So, I guess I still have to use a "static" statement. Why doesn't my mapping work?

Cheers

John Blakley Mon, 05/11/2009 - 11:25

Mauricio,

I'm not sure what you're wanting to do with the static commands. Statics are used to translate from one address to another.

If your public address is 5.5.5.5, and your mail server is 192.168.1.50, your static would be:

static (inside,outside) tcp 5.5.5.5 25 192.168.1.50 25 netmask 255.255.255.255

If you're sharing the public address, you can do:

static (inside,outside) tcp 5.5.5.5 80 192.168.1.100 80 netmask 255.255.255.255

The above tells the ASA to forward traffic that comes in on your public ip on port 25 to your mail server, and anything that comes in on port 80 will forward to your web server.

You'll also need an access-list on your outside interface that allows the traffic in:

access-list outside permit tcp any host 5.5.5.5 eq 25

access-list outside permit tcp any host 5.5.5.5 eq 80

access-group outside in interface outside

When you create your statics, try running clear xlate to make them effective immediately.

Oh, and any outbound traffic from either your web server or mail server will go out as your global ip address. NAT and global statements are used for outbound traffic, and statics are used for inbound generally.

HTH,

John

mauricioharley Mon, 05/11/2009 - 11:50

Hi, John,

This is all already done. Your last paragraph is what I'm facing as a problem. Let's see what you wrote:

"Oh, and any outbound traffic from either your web server or mail server will go out as your global ip address. NAT and global statements are used for outbound traffic, and statics are used for inbound generally."

Actually, if I'm not wrong, once I establish a static mapping (full or related to a single port), that machine will use that mapping to ANY connection being in->out or out->in. My problem is exactly this: my mail server is not using the static mapping. It's using the nat/global mapping.

Regards!

John Blakley Mon, 05/11/2009 - 11:55

Mauricio,

You said yourself in an earlier post that you only had one address. That address is the one that you're receiving your mail on, and the one that your mail will go out. If your static is referencing your public address, then the static is working. Otherwise, I don't know what your real issue is.

"my mail server is not using the static mapping. It's using the nat/global mapping."

How do you know it's using the global mapping and not the static if you only have the one address?

John

mauricioharley Mon, 05/11/2009 - 12:16

Hello, John,

I apologize for any confusion. I have ONE address to share between my two servers. My company global IP address is not being considered for this case. As you can see in my attached file, I'm running a PAT to the other machines and the static mappings to the servers.

John Blakley Mon, 05/11/2009 - 12:26

So let me get this straight:

Your ASA public address IS different than the public address that you have natted in your static config?

If you get on the mail server and go to http://www.whatismyip.com, do you get back the address of the ASA or the static address that you mapped?

Renato Morais Thu, 05/28/2009 - 20:31

Mauricio,

Try this configuration:

static (dmz,outside) tcp outside_ip smtp dmz_ip_1 smtp
static (dmz,outside) udp outside_ip 53 dmz_ip_2 53
static (dmz,outside) tcp outside_ip 80 dmz_ip_2 80
nat (dmz) 1 dmz_ip_1 255.255.255.255
global (outside) 1 outside_ip
nat (dmz) 2 dmz_net
global (outside) 2 interface

Kind Regards!
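A small model of the translation lookup this thread is arguing about, added here as an illustration and not configuration or code from the thread or from Cisco. It assumes the pre-8.3 behaviour that a port static only matches a flow whose real port equals the static's port, and that among dynamic nat statements the most specific real network wins; the IP addresses are constructed stand-ins for the thread's outside_ip, dmz_ip_1, dmz_ip_2 and dmz_net placeholders.

```python
import ipaddress

# Constructed sample values standing in for the thread's placeholders.
OUTSIDE_IP = "203.0.113.10"      # outside_ip: the shared public address
INTERFACE_IP = "203.0.113.2"     # the ASA's own outside interface address
MAIL = "192.0.2.10"              # dmz_ip_1 (SMTP server)
WEB = "192.0.2.20"               # dmz_ip_2 (web/DNS server)
DMZ_NET = "192.0.2.0/24"         # dmz_net

# Port statics: (proto, mapped_ip, mapped_port, real_ip, real_port)
STATICS = [
    ("tcp", OUTSIDE_IP, 25, MAIL, 25),
    ("udp", OUTSIDE_IP, 53, WEB, 53),
    ("tcp", OUTSIDE_IP, 80, WEB, 80),
]
# Dynamic nat/global pairs: (nat_id, real_network, global_ip)
DYNAMIC = [(2, DMZ_NET, INTERFACE_IP)]
# Renato's addition: a host-specific nat id for the mail server only
RENATO = [(1, MAIL + "/32", OUTSIDE_IP)] + DYNAMIC

def outbound_source(proto, src_ip, src_port, statics=STATICS, dynamic=DYNAMIC):
    """Mapped source address for a new dmz->outside flow (simplified model).

    A port static is consulted first but only matches when the flow's real
    source port equals the static's real port. An outbound SMTP connection
    uses an ephemeral source port, so it falls through to dynamic nat, where
    the longest matching real prefix decides the global address.
    """
    for p, mapped_ip, _mapped_port, real_ip, real_port in statics:
        if p == proto and src_ip == real_ip and src_port == real_port:
            return mapped_ip
    src = ipaddress.ip_address(src_ip)
    best = None
    for _nat_id, real_net, global_ip in dynamic:
        net = ipaddress.ip_network(real_net)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, global_ip)
    return best[1] if best else src_ip  # untranslated when nothing matches

def inbound_target(proto, dst_ip, dst_port, statics=STATICS):
    """Real host and port reached by a packet sent to the mapped address."""
    for p, mapped_ip, mapped_port, real_ip, real_port in statics:
        if p == proto and dst_ip == mapped_ip and dst_port == mapped_port:
            return real_ip, real_port
    return None  # no static: the packet is dropped unless another rule exists
```

With only the statics and nat id 2, the mail server's outbound SMTP leaves as the interface address; with the host-specific nat id 1 it leaves as outside_ip, which is the behaviour Mauricio was expecting from the static alone.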
