Manual NAT to override Auto NAT

Answered Question
Oct 2nd, 2013

Hi, I have an ASA with this relevant config:


ASA Version 9.1(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
object network obj-192.168.2.20
 host 192.168.2.20
object network obj-1.1.1.2
 host 1.1.1.2
!
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
!
object network obj-192.168.2.20
 nat (inside,outside) static obj-1.1.1.2



Now I have to allow access to a web server from a specific Internet address, 2.2.2.2.

Both the web server and all other inbound access are made via a different IP address, 1.1.1.2.

scenario1.jpg

I'm having some problems configuring this second item, and I need help.

Which is the best way to overcome this problem?

TIA

FR

Saqib Raza Wed, 10/02/2013 - 10:25

So you want to allow host 2.2.2.2 to access your webserver 1.1.1.2? If so, you already have that access in place according to this ACE:

access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https

If you need to allow 2.2.2.2 to access port 80, then just add another ACE, e.g.:

access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq http

Julio Carvajal Wed, 10/02/2013 - 10:41

Hello Fran,

Not sure what you mean:

I mean you already have the policies in place for this:

object network obj-192.168.2.20
 nat (inside,outside) static obj-1.1.1.2

access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https

"Now I have to allow access to a web server from a specific Internet address, 2.2.2.2.
Both the web server and all other inbound access are made via a different IP address, 1.1.1.2."

So now a user on the outside, 2.2.2.2, will be accessing your webserver.

Is your server 192.168.2.20, and also what do you mean by

"Both the web server and all other inbound access are made via a different IP address, 1.1.1.2"?





For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at [email protected]

Cheers,

Julio Carvajal Segura

francisco.j.romao Wed, 10/02/2013 - 15:33

Hello Saqib and Julio,

Many thanks for your replies.

Unfortunately I could not be as clear as I should have been:

I need to allow access to the web server with private IP 192.168.2.30 via the public IP 1.1.1.2.

The internal web server is different from the mail server (different machines, as you can see in the picture).

I think twice NAT solves my problem but I cannot form the rule.

On the other hand, I need to keep the 1:1 NAT 192.168.2.20/1.1.1.2 or my emails become blacklisted.


once more

TIA

FR

Julio Carvajal Wed, 10/02/2013 - 16:03

Hello Francisco,


That's the thing. You are already using a one-to-one mapping where you basically map all available ports on 1.1.1.2 to the SMTP server.

You will need to have a different IP address in order to map port 80 to the internal server, or, instead of using a one-to-one translation for the SMTP server, map the right ports and leave 80 available for the SMTP server.


For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at [email protected]

Cheers,

Julio Carvajal Segura

francisco.j.romao Wed, 10/02/2013 - 16:16

Hello Julio,


Here is where I need some help:

When I tried to map the "right ports and leave 80 available"... I got stuck on blacklists because the emails went out with the outside interface 1.1.1.1, not with 1.1.1.2.

I couldn't solve this...


(I've already bookmarked your website)


Once more

Thanks for your help

FR

Julio Carvajal Wed, 10/02/2013 - 16:41

"(I've already bookmarked your website)"

That's awesome, hehe.

Yeah, I have seen this in the past.

You could do that NAT (leaving port 80 off) and also a policy NAT, basically saying that when that server goes to any outside SMTP server it gets translated to 1.1.1.2.

Did you try that policy NAT before?



For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at [email protected]

Cheers,

Julio Carvajal Segura

francisco.j.romao Wed, 10/02/2013 - 16:47

Hello again Julio

Thank you very much for your support.


No, I haven't tried policy NAT.

Could you please give me a clue?


Kind Regards

FR

Julio Carvajal Wed, 10/02/2013 - 17:09

This would be based on the requirement.

Let's say your SMTP server will need to communicate with the host 8.8.8.8.

So you can do the port-forwarding for the ports as you did before (when it was being blacklisted), so you can reserve port 80 TCP for the HTTP server, and then:

object network 8.8.8.8
 host 8.8.8.8
 exit

object service Dsmtp
 service tcp destination eq 25
 exit

! the mapped source of a manual NAT rule must be a network object (obj-1.1.1.2 from the
! original post), not a bare address; the service object limits the rule to SMTP to 8.8.8.8
nat (inside,outside) source static obj-192.168.2.20 obj-1.1.1.2 destination static 8.8.8.8 8.8.8.8 service Dsmtp Dsmtp



For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at [email protected]

Cheers,

Julio Carvajal Segura

francisco.j.romao Wed, 10/02/2013 - 17:27

Julio,

Once more, "muchas gracias".

Since my SMTP server has to be available "to the world", I can't do it like you suggest.

May I use any any for the destination? It would be based on the service only.

Something like:

Nat (inside,outside) source static obj-192.168.2.20 1.1.1.2 destination static any any service Dsmtp Dsmtp

Or, since I know that my web server is only accessed by 2.2.2.2:

Nat (inside,outside) source static obj-192.168.2.30 1.1.1.2 destination static 2.2.2.2 2.2.2.2

This would be in section 1 of the NAT table (before the auto NAT, the 1:1 NAT referred to before).

I don't know if these statements conflict with each other.


TIA

FR
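To make the precedence question in the post above concrete, here is a small Python model (added here, not from the thread or from Cisco) of how the ASA walks its NAT table: Section 1 manual (twice) NAT rules are checked in configuration order before the Section 2 auto (object) NAT. It assumes the addresses and rules from this thread plus a constructed outside peer 3.3.3.3, and its `port` field stands for the web server's TCP port that the Section 1 rule would carry in a service object; it also shows the caveat that a Section 1 rule with no service restriction catches every connection from 2.2.2.2 to 1.1.1.2, not only HTTP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    """One NAT rule. section 1 = manual (twice) NAT, section 2 = auto (object) NAT."""
    section: int
    real_src: str                 # inside host
    mapped_src: str               # public address it is reached at / leaves from
    peer: str = "any"             # outside host the rule is limited to ("any" = no limit)
    port: Optional[int] = None    # inside host's TCP port; None = every port (plain 1:1)

def ordered(rules: List[Rule]) -> List[Rule]:
    # The ASA evaluates Section 1 before Section 2; within a section the first match
    # in configuration order wins (sorted() is stable, so config order is preserved).
    return sorted(rules, key=lambda r: r.section)

def inbound(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[str]:
    """outside -> inside: packet is addressed to a mapped IP; return the real host, or None."""
    for r in ordered(rules):
        if dst == r.mapped_src and r.peer in ("any", src) and r.port in (None, dport):
            return r.real_src
    return None

def outbound(rules: List[Rule], src: str, sport: int, dst: str) -> Optional[str]:
    """inside -> outside: return the source IP the packet leaves with, or None when no
    rule matches (in the thread that fall-through is what made mail leave as 1.1.1.1)."""
    for r in ordered(rules):
        if src == r.real_src and r.peer in ("any", dst) and r.port in (None, sport):
            return r.mapped_src
    return None

# Rules from the thread (addresses as posted). On a real ASA the mapped source and the
# destination of a manual NAT rule are network objects, not bare addresses.
AUTO_MAIL = Rule(2, "192.168.2.20", "1.1.1.2")                          # original 1:1 object NAT
WEB_LOOSE = Rule(1, "192.168.2.30", "1.1.1.2", peer="2.2.2.2")          # proposal, no service
WEB_HTTP = Rule(1, "192.168.2.30", "1.1.1.2", peer="2.2.2.2", port=80)  # same, limited to tcp/80

def demo() -> Dict[str, Optional[str]]:
    loose, strict = [AUTO_MAIL, WEB_LOOSE], [AUTO_MAIL, WEB_HTTP]
    return {
        "web_from_2.2.2.2": inbound(strict, "2.2.2.2", "1.1.1.2", 80),          # 192.168.2.30
        "smtp_from_elsewhere": inbound(strict, "3.3.3.3", "1.1.1.2", 25),       # 192.168.2.20
        "smtp_from_2.2.2.2_loose": inbound(loose, "2.2.2.2", "1.1.1.2", 25),    # 192.168.2.30 (!)
        "smtp_from_2.2.2.2_strict": inbound(strict, "2.2.2.2", "1.1.1.2", 25),  # 192.168.2.20
        "mail_leaves_as": outbound(strict, "192.168.2.20", 40000, "8.8.8.8"),   # 1.1.1.2
    }

if __name__ == "__main__":
    for name, host in demo().items():
        print(f"{name:26} -> {host}")
```

Because ASA access lists match real (untranslated) addresses, as the OUT_IN entries on this page already do, the firewall would also need an ACE permitting host 2.2.2.2 to 192.168.2.30 eq www before the web server is reachable.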

francisco.j.romao Mon, 10/21/2013 - 13:21

Thank you for your precious help.

I forgot to mark your answer as correct, but thanks to your support I solved my case.

Big hug,

Francisco
