Policy NAT 8.6(1)2 Windows Server Cluster

Answered Question
Sep 30th, 2013

We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers sends mail, it sends using its configured IP address, which is different from the cluster IP address. Thus, the NAT'd address is different from the one used for incoming mail. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the Internet would show a consistent IP-to-name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.


Thanks,


Andrew

Correct Answer
Jouni Forss Mon, 09/30/2013 - 10:15

Hi,


The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?


Though naturally I can give you an example that includes Dynamic PAT for all users, Dynamic PAT for the Mail servers and the Static NAT for incoming mail.



MAIL SERVER STATIC NAT


object network MAIL-SERVER
 host 10.0.0.1
 nat (inside,outside) static 10.10.10.140


The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also, but I prefer Auto NAT / Network Object NAT.



MAIL SERVER DYNAMIC PAT


object-group network MAIL-PAT-SOURCE
 network-object host 10.0.0.1
 network-object host 10.0.0.2
 network-object host 10.0.0.3

object network MAIL-SERVER-PUBLIC
 host 10.10.10.140

nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC


The above is a normal Dynamic PAT configuration (no Policy elements involved).


The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.


If you had your existing Dynamic PAT for all users already with a similar configuration to the last configuration example, then you would have to add a line number to the NAT configuration like this:


nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC




DEFAULT DYNAMIC PAT FOR USERS


nat (inside,outside) after-auto source dynamic any interface


The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command, it will be at a lower priority and won't apply for the 3 source hosts we specified above.


I wonder if I made this out to be more complicated than it needs to be.


I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA.


Hope this helps


Please do remember to mark a reply as the correct answer if it answered your question.


Feel free to ask more if needed


- Jouni

andrewdours Tue, 10/01/2013 - 08:12

Thanks Jouni. I took your post and did a little more research on Cisco. To give you more information, I have all of our user Internet traffic Object NAT'd to a completely different public IP address, so that is not an issue. Here is what I have configured for our mail servers:


object service SMTP
 service tcp destination eq smtp

object network excastx01
 host 10.0.0.2
object network excastx02
 host 10.0.0.3

object-group network EXCASTX-CLUSTER
 network-object object excastx01
 network-object object excastx02

nat (inside,any) source dynamic EXCASTX-CLUSTER HOST-10.10.10.140 service SMTP SMTP

object network excas-virtual-IP-10.0.0.1
 nat (any,any) static HOST-10.10.10.140


Is this what I need? Just to recap... I have a static NAT configured for the "virtual cluster IP" so that we can receive email from the Internet. This static NAT will NAT anything inbound or outbound as 10.0.0.1 to 10.10.10.140. I have a policy NAT for the cluster servers' native IP addresses so that sending email outbound (SMTP) will be NAT'd to 10.10.10.140. All other outbound network traffic from the cluster servers' native IP addresses will be NAT'd to another Object NAT for the 10.0.0.0 subnet. I have not included details on that NAT configuration as it doesn't really apply.


Thanks,


Andrew

Correct Answer
Jouni Forss Tue, 10/01/2013 - 08:49

Hi,


Since you have an Auto NAT / Network Object NAT configured for all users' Dynamic PAT, my above example as such won't do the trick for you, specifically for the reason that I imagined the existing Dynamic PAT would override my suggested Dynamic PAT for the Mail server. It would work only if the Dynamic PAT for all users was configured with the same format (NOT Auto NAT / Network Object NAT).


So it seems to me you will have to use the Dynamic Policy PAT that you have mentioned:


object service SMTP
 service tcp destination eq smtp

object network excastx01
 host 10.0.0.2
object network excastx02
 host 10.0.0.3

object-group network EXCASTX-CLUSTER
 network-object object excastx01
 network-object object excastx02

nat (inside,any) source dynamic EXCASTX-CLUSTER HOST-10.10.10.140 service SMTP SMTP


This is essentially a Section 1 Manual NAT / Twice NAT configuration and it's a Dynamic Policy PAT. It's at the very top of the NAT rules/configurations to be matched, so it should override your normal Dynamic PAT configuration with regards to SMTP traffic.


I am not sure if you will really need to specify the destination interface as "any". Also the Static NAT command's "any,any" seems a bit weird.


I would have personally configured the situation in the way I suggested but there probably is no real reason to change your current setup as the above configuration will also achieve what you are looking for.


- Jouni
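As an added illustration that is not part of the thread, the NAT rule-ordering behaviour both of Jouni's replies rest on, modelled in Python: Section 1 manual NAT is matched first, then Section 2 object NAT (static before dynamic), then Section 3 after-auto rules, first match wins. It reproduces Andrew's final configuration and shows why Jouni's after-auto mail PAT would be shadowed when the users' PAT is object NAT; the users' public PAT address 203.0.113.10 is a constructed placeholder (the thread does not give it), and the Section 2 ordering is simplified to static-before-dynamic, then longest prefix first.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NatRule:
    name: str
    section: int          # 1 = manual NAT, 2 = auto/object NAT, 3 = manual NAT "after-auto"
    sources: tuple        # real source networks (CIDR strings); a tuple models an object-group
    mapped: str           # translated (mapped) address, or "interface"
    static: bool = False  # static rules sort before dynamic ones inside Section 2
    dst_port: int = 0     # policy element: 0 = any destination port, else match only this port
    def matches(self, src_ip, dst_port):
        in_src = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in self.sources)
        return in_src and (self.dst_port == 0 or self.dst_port == dst_port)

def nat_order(rules):
    # Section 1, then 2 (static before dynamic, then longest prefix; simplified), then 3; 1 and 3 keep configured order.
    def key(item):
        idx, r = item
        if r.section == 2:
            return (2, 0 if r.static else 1, -ipaddress.ip_network(r.sources[0]).prefixlen, idx)
        return (r.section, 0, 0, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]

def translate(rules, src_ip, dst_port):
    # First matching rule wins: (rule name, mapped address), or (None, real IP) when no NAT applies.
    for r in nat_order(rules):
        if r.matches(src_ip, dst_port):
            return r.name, r.mapped
    return None, src_ip

MAIL = ("10.0.0.2/32", "10.0.0.3/32")  # excastx01 and excastx02 from the thread
USERS_PAT = "203.0.113.10"             # constructed placeholder for the users' separate public PAT address
# Andrew's final setup: object NAT for users and the cluster VIP, Section 1 policy PAT for SMTP.
ANDREW = [
    NatRule("users object PAT", 2, ("10.0.0.0/24",), USERS_PAT),
    NatRule("excas-virtual-IP static", 2, ("10.0.0.1/32",), "10.10.10.140", static=True),
    NatRule("EXCASTX-CLUSTER SMTP policy PAT", 1, MAIL, "10.10.10.140", dst_port=25),
]
# Jouni's after-auto mail PAT next to an object-NAT users PAT: the Section 2 rule shadows it.
JOUNI_SHADOWED = [
    NatRule("users object PAT", 2, ("10.0.0.0/24",), USERS_PAT),
    NatRule("MAIL-SERVER static", 2, ("10.0.0.1/32",), "10.10.10.140", static=True),
    NatRule("MAIL-PAT-SOURCE after-auto", 3, ("10.0.0.1/32",) + MAIL, "10.10.10.140"),
]

if __name__ == "__main__":
    print(translate(ANDREW, "10.0.0.2", 25))          # SMTP from a node leaves as 10.10.10.140
    print(translate(ANDREW, "10.0.0.2", 443))         # other traffic from a node uses the users' PAT
    print(translate(JOUNI_SHADOWED, "10.0.0.2", 25))  # users' object PAT wins, as Jouni warned
```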

andrewdours Tue, 10/01/2013 - 10:16

Jouni,


Ah.  Not sure why I didn't see it at first.  I get it now...


1.  Static NAT the cluster virtual IP to the public IP.

2.  Then just PAT the cluster servers to the same public IP.

3.  Don't worry about any policy NAT.  The only reason now to do a policy NAT would be if I only wanted SMTP traffic to go outbound to the same public IP from the cluster servers.


It's very simple.  I just didn't understand what you were trying to portray in your initial post.


The after-auto keyword has to do with the processing of the NAT list: after-auto places the PAT rule after the Static NAT. I think this is where I was really getting hung up.


Your original posting had all the information that I needed, I just couldn't put it together in my head.


Thanks for your help on this!


Andrew
