ASA 8.4 Network Object NAT ordering

Hi!

There is something wrong with the ordering of our NAT-rules.

We are running ASA Version 8.4(2)8 and the nat config is pasted below.

I want outgoing smtp-traffic to be translated to xxx.yyy.zzz.18, but instead it's translated to xxx.yyy.zzz.20 (the outside-interface address).

The same goes for ftp-traffic: according to packet-tracer this is also translated to xxx.yyy.zzz.20.

Cisco's manual states that static NAT rules take precedence over dynamic NAT, but that doesn't seem to work for us.

Can you guys see anything wrong with the config below?

nat (Outside,Inside) source static Company-VPN Company-VPN
!
object network Company-LAN
 nat (any,Outside) dynamic interface
object network Server21
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp ftp ftp
object network Server55443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 55443 55443
object network Server443
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp https https
object network Server993
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 993 993
object network Server465
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp 465 465
object network Server80
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp www www
object network Company-LAN-Inside
 nat (Inside,Inside) dynamic interface
object network Server25
 nat (any,any) static Outsidexxx.yyy.zzz-18 service tcp smtp smtp
!
route Outside 0.0.0.0 0.0.0.0 xxx.yyy.zzz.17 1

7 Replies

Jouni Forss (VIP Alumni)

Hi,

I think your NAT configuration regarding SMTP only applies to connections taken from outside with destination port TCP/25, and not to connections taken by the SMTP server with destination port TCP/25.

Haven't had to do much of these configurations. I guess with the old OS NAT commands it would be easier (Policy NAT).

I can try to lab this later and provide the correct configuration. Unless someone else can already copy/paste some example for you.

- Jouni

I thought (any,any) would handle connections from both outside and inside interface.

How would a network object NAT that handles traffic both ways look?

- Fredrik

Gah, too tired. Will write the reply again.

EDIT: removed the actual answer since there were errors in it.

Ok,

So let's look at this again.

I guess you have a .20 IP address on the firewall outside interface and the .18 IP address as an additional IP address, and you have used port forwarding to forward ports to different LAN IP addresses? In other words, the SMTP server doesn't have its own public IP address?

- Jouni

That's correct, the SMTP server does not have its own public IP.

- Fredrik

Ok,

Attempt Number 2.

Here's my test configuration.

  • The first 2 "object network" configurations define port forwards for connections coming from the Internet to the local servers. (HTTPS is there just to simulate your other port forwards.)
  • The following 2 "object network/service" configurations are configured to be used in the actual NAT configuration that would, in your case, NAT the outbound TCP/25/SMTP traffic to the desired public IP address.
  • The last NAT configuration can be considered a default PAT configuration for all the outbound connections that don't have a specific NAT configuration.

object network SMTP-SERVER
 host 10.10.10.123
 nat (inside,outside) static 1.2.3.4 service tcp smtp smtp
object network HTTPS-SERVER
 host 10.10.10.124
 nat (inside,outside) static 1.2.3.4 service tcp https https
!
object network SMTP-SERVER-PUBLIC
 host 1.2.3.4
object service SMTP
 service tcp destination eq smtp
!
nat (inside,outside) source static SMTP-SERVER SMTP-SERVER-PUBLIC service SMTP SMTP
nat (inside,outside) after-auto source dynamic any interface

I guess you could try your own version of the above. To be honest, the actual configuration that does the NAT for outbound SMTP traffic isn't that clear to me either. Should cheat and check the command reference myself.

I'm not 100% sure if the above NAT configuration might conflict with some future configuration in its current form.

Hope this helps

- Jouni

EDIT: If you haven't already used it, you can use the "packet-tracer" command to check what's happening with NAT before and after the configurations. And of course "show xlate" etc.
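To make the ordering point in the question and in Jouni's reply concrete, here is an added toy model of how ASA 8.4 walks its three NAT sections; it is not ASA code or anything from the thread, and the inside addresses (10.10.10.25, 10.10.10.0/24), the source port 51000 and the public addresses 203.0.113.18/.20 (standing in for the redacted xxx.yyy.zzz.18/.20) are constructed. It runs an outbound SMTP connection from the mail server through Fredrik's object-NAT-only layout and through Jouni's twice-NAT layout and returns which rule each one hits.

```python
# Added toy model of ASA 8.4 NAT ordering (not ASA code; addresses are constructed stand-ins).
# Section 1: manual NAT in config order; section 2: object NAT, static before dynamic;
# section 3: manual NAT entered with "after-auto". The first matching rule wins.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUTSIDE_IF = "203.0.113.20"  # stands in for xxx.yyy.zzz.20 (the outside interface address)
EXTRA_IP = "203.0.113.18"    # stands in for xxx.yyy.zzz.18
SERVER25 = "10.10.10.25/32"  # constructed inside address of the SMTP server

@dataclass
class Rule:
    name: str
    section: int           # 1, 2 or 3 as described above
    real: str              # real (inside) network the rule applies to
    mapped: str            # address the source is translated to
    static: bool = True
    real_port: int = None  # object NAT "service tcp <real> <mapped>": keys on the server's own port
    dst_port: int = None   # manual NAT whose service object names a destination port

def matches(rule: Rule, conn: dict) -> bool:
    """conn is an outbound inside->outside flow: src, sport (source port), dport."""
    if ip_address(conn["src"]) not in ip_network(rule.real):
        return False
    # A port-forward static keys on the server's listening port; a connection the
    # server opens itself uses an ephemeral source port, so it falls through.
    if rule.real_port is not None and conn["sport"] != rule.real_port:
        return False
    if rule.dst_port is not None and conn["dport"] != rule.dst_port:
        return False
    return True

def translate(rules: list, conn: dict) -> tuple:
    """Return (rule name, translated source address) of the first matching rule."""
    ordered = sorted(rules, key=lambda r: (r.section, not r.static))  # stable sort keeps config order
    for rule in ordered:
        if matches(rule, conn):
            return rule.name, rule.mapped
    return "no-nat", conn["src"]

def fredrik_rules() -> list:
    """The original post: object NAT only, so every rule sits in section 2."""
    return [Rule("Company-LAN", 2, "10.10.10.0/24", OUTSIDE_IF, static=False),
            Rule("Server25", 2, SERVER25, EXTRA_IP, real_port=25)]

def jouni_rules() -> list:
    """Jouni's test config: twice NAT on destination tcp/25 in section 1, after-auto PAT in 3."""
    return [Rule("SMTP-SERVER->SMTP-SERVER-PUBLIC", 1, SERVER25, EXTRA_IP, dst_port=25),
            Rule("SMTP-SERVER", 2, SERVER25, EXTRA_IP, real_port=25),
            Rule("after-auto PAT", 3, "0.0.0.0/0", OUTSIDE_IF, static=False)]
```

Running `translate(fredrik_rules(), {"src": "10.10.10.25", "sport": 51000, "dport": 25})` lands on the dynamic interface PAT, which is the .20 symptom in the question, while the same flow against `jouni_rules()` hits the section 1 rule and leaves as .18.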

Hi,

Were you able to test this?
