Two Security Layers Cisco ASA

kayocisco
Level 1
Level 1

Dears;

I have two Cisco ASA layers, and my Exchange server is inside the network of Layer 2, which means the traffic will pass through both ASA layers to reach the server. The first layer has public IP addresses, between the two ASAs is a private subnet (172.20.20.0), and my inside network on the internal firewall is 10.0.0.0.

My question: how can I publish the email server to the Internet and pass through the two security layers? Can I NAT from 10.0.0.0 to 172.20.20.0 on the SMTP port on the internal firewall and then NAT from 172.20.20.0 to my public IP address (MX record) on the first ASA?

Please correct me or provide a better solution, and answer me with configuration lines.

Regards;

Kayo

1 Accepted Solution


8 Replies

Hi,

Yes, you can do NAT as many times as you want... however, it is normally not done.

I'd recommend doing NAT only on the ASA where you need to (where you have the public IP).

The other ASA could just let the traffic pass through without NAT (disabling NAT Control).

Federico.

Dear Federico;

If I disable nat-control, how can the email server IP address 10.0.0.1 reach the first ASA, which is 172.20.20.1? We already have other NAT on the internal firewall; if I disable nat-control, I think the NAT for the other servers will stop. What exactly should I do? Please explain in more detail.

Thanks for your support.

Kayo

Sure but please post a simple drawing with the IPs to see the entire picture.

Thank you,

Federico.

Hi Federico;

Please find the drawing in the attached file. Please note that I have NAT in the internal firewall. As you recommend, I should not use multiple NAT in the devices and should disable nat-control. How can I do this, taking the existing NAT into consideration?

Regards;

Kayo

According to the drawing I see two ASAs...
The Perimeter ASA (closest to the Internet)
The Internal ASA (closest to the Exchange)

Questions:
The Internal ASA sees the Exchange as 10.0.0.11?
Is there another device doing NAT between the Exchange and the Internal ASA?

Also, currently you're doing NAT on both ASAs?
I meant you can enable NAT only on the Perimeter ASA...

Federico.

Yes, the internal firewall sees the Exchange server 10.0.0.11 directly.

There is no other device doing NAT between the ASA and the Exchange.

Yes, I'm doing NAT on both ASAs.

NAT is already enabled on both ASAs.

Thanks;

Kayo

Ok,

The internal ASA sees the Exchange as 10.0.0.11.
This means that it is not necessary for the internal ASA to do NAT for the Exchange server.
If you avoid NAT on the internal ASA, the perimeter ASA will also see the Exchange as 10.0.0.11.

Then, you can NAT on the perimeter ASA for the Exchange.

An example to bypass NAT on the internal ASA for the Exchange server could be:

static (in,out) 10.0.0.11 10.0.0.11

Then you can NAT on the perimeter ASA:

static (in,out) x.x.x.x 10.0.0.11

(x.x.x.x will be the public IP for the Exchange.)

This type of bypassing NAT on the internal ASA is really identity NAT, where you create a NAT rule to translate the IP to itself.

There are other options, like disabling NAT control and just allowing the traffic to pass through.

Federico.
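
The two static rules above are not enough on their own: each ASA also needs an access list that permits inbound SMTP on its lower-security interface, and the perimeter ASA needs a route back to 10.0.0.0 through the internal ASA. The following is an added worked example in pre-8.3 ASA syntax (matching the `static` commands used in this thread), not configuration posted by either participant. It assumes the interface nameifs `in` and `out` from the post, 203.0.113.25 as a placeholder for the public MX address, 172.20.20.2 as the internal ASA's outside address (172.20.20.1 being the perimeter ASA per the thread), and a /24 mask on the 10.0.0.0 network.

```cisco
! ===== Internal ASA (closest to the Exchange) =====
! Identity NAT: 10.0.0.11 is translated to itself, so the perimeter ASA
! sees the real server address. Existing NAT rules for other servers
! are untouched; only this one host is exempted.
static (in,out) 10.0.0.11 10.0.0.11 netmask 255.255.255.255
!
! In pre-8.3 code an inbound ACL matches the MAPPED address on that
! interface; with identity NAT that is still 10.0.0.11. Permit only SMTP.
access-list out_in extended permit tcp any host 10.0.0.11 eq smtp
access-group out_in in interface out

! ===== Perimeter ASA (closest to the Internet) =====
! One-to-one static NAT: public 203.0.113.25 (placeholder) <-> 10.0.0.11.
static (in,out) 203.0.113.25 10.0.0.11 netmask 255.255.255.255
!
! Inbound ACL on the outside interface references the public (mapped)
! address. Restricting to tcp/25 keeps every other Exchange port closed.
access-list out_in extended permit tcp any host 203.0.113.25 eq smtp
access-group out_in in interface out
!
! The perimeter ASA's inside subnet is 172.20.20.0/24, so it needs a
! route to the real 10.0.0.0 network via the internal ASA's outside
! interface (172.20.20.2 assumed here), or the untranslated packet to
! 10.0.0.11 has nowhere to go.
route in 10.0.0.0 255.255.255.0 172.20.20.2
```

Verify with `show xlate | include 10.0.0.11` on each ASA: the internal box should show 10.0.0.11 mapped to 10.0.0.11, the perimeter box 10.0.0.11 mapped to the public address, and `show access-list out_in` should increment hit counts only on the SMTP entry.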

Thanks Federico for your help.
