04-02-2012 11:42 AM - edited 03-11-2019 03:49 PM
Hello,
I have 2 servers with static PAT configuration in pre 8.3 ASA:
Server1 - 10.6.1.10 - PAT to 66.66.66.66 for SMTP
Server2 - 10.6.1.20 - PAT to 66.66.66.66 for IMAP4 and http/https
Pub address - 66.66.66.66
old config:
1. static (inside,outside) tcp 66.66.66.66 smtp 10.6.1.10 smtp netmask 255.255.255.255
2. static (inside,outside) tcp 66.66.66.66 www 10.6.1.20 www netmask 255.255.255.255
3. static (inside,outside) tcp 66.66.66.66 https 10.6.1.20 https netmask 255.255.255.255
4. static (inside,outside) tcp 66.66.66.66 imap4 10.6.1.20 imap4 netmask 255.255.255.255
What is the proper way of migrating above config?
object network Server1 \\\\\ this takes care of PAT statement #1.
host 10.6.1.10
nat (inside,outside) static PAT service tcp smtp smtp
object network Server2
host 10.6.1.20
object network PAT
host 66.66.66.66
How should I migrate statements 2,3 and 4?
Thank you.
forman
04-03-2012 10:10 AM
Hi,
Glad to hear it worked out.
Please rate if you found the information helpful.
- Jouni
04-02-2012 12:05 PM
I will try to answer myself
I need to create Service objects first:
object service HTTP
service tcp destination eq 80
object service HTTPS
service tcp destination eq 443
object service IMAP4
service tcp destination eq 143
then create statements:
nat (inside,outside) source static Server2 PAT service HTTP HTTP
nat (inside,outside) source static Server2 PAT service HTTPS HTTPS
nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4
Correct?
04-02-2012 12:16 PM
object service HTTP
service tcp destination eq 80
object service HTTPS
service tcp destination eq 443
object service SMTP
service tcp destination eq 25
object service IMAP4
service tcp destination eq 143
object network Server1
host 10.6.1.10
object network Server2
host 10.6.1.20
object network PAT
host 66.66.66.66
nat (inside,outside) source static Server1 PAT service SMTP SMTP
nat (inside,outside) source static Server2 PAT service HTTP HTTP
nat (inside,outside) source static Server2 PAT service HTTPS HTTPS
nat (inside,outside) source static Server2 PAT service IMAP4 IMAP4
Open all the private IPs in the ACLs accordingly on the outside interface.
04-02-2012 12:17 PM
Oh, you answered yourself correctly while I was busy creating the config for you.
04-02-2012 12:29 PM
Thank you for the verification.
04-02-2012 12:41 PM
Hi,
Wouldn't the above also be achieved by the following similar configuration? I think this is the way I have personally done them (haven't had to do it that many times, to be honest).
object network PAT
host 66.66.66.66
object network Server1-SMTP
host 10.6.1.10
nat (inside,outside) static PAT service tcp smtp smtp
object network Server2-WWW
host 10.6.1.20
nat (inside,outside) static PAT service tcp www www
object network Server2-HTTPS
host 10.6.1.20
nat (inside,outside) static PAT service tcp https https
object network Server2-IMAP4
host 10.6.1.20
nat (inside,outside) static PAT service tcp imap4 imap4
- Jouni
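The migration discussed in this thread is mechanical: every pre-8.3 `static (real,mapped) tcp <mapped-ip> <mapped-port> <real-ip> <real-port>` line becomes one `object network` with a host and a `nat ... static <mapped-object> service tcp <real-port> <mapped-port>` line, and, because 8.3+ ACLs match the real (untranslated) address, the outside access-list must permit to the real host. The following converter is an added example and not code from the thread or from Cisco; it parses the four statements from the opening post (embedded below as constructed sample input), emits the per-service object form Jouni shows, and refuses input where two statements claim the same public IP/port, which the ASA would otherwise silently shadow. The `<stem>-<PORT>` object naming, the `host_labels` map and the `acl_name` option are this example's own conventions.

```python
"""Pre-8.3 'static' PAT statements -> 8.3+ object NAT (added example, not from the thread)."""
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<proto>tcp|udp) (?P<mapped_ip>\S+) (?P<mapped_port>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+)(?: netmask (?P<mask>\S+))?\s*$"
)

# Sample input constructed from the four statements in the opening post.
OLD_CONFIG = """
static (inside,outside) tcp 66.66.66.66 smtp 10.6.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 www 10.6.1.20 www netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 https 10.6.1.20 https netmask 255.255.255.255
static (inside,outside) tcp 66.66.66.66 imap4 10.6.1.20 imap4 netmask 255.255.255.255
""".strip().splitlines()


@dataclass(frozen=True)
class StaticPat:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: str
    real_ip: str
    real_port: str


def parse_static(line):
    """Parse one pre-8.3 static PAT line; reject anything that is not a single-host port PAT."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static PAT statement: {line!r}")
    d = m.groupdict()
    if d.pop("mask") not in (None, "255.255.255.255"):
        raise ValueError("static PAT with a port only applies to a single host")
    return StaticPat(**d)


def migrate(lines, host_labels, mapped_label="PAT", acl_name=None):
    """Return 8.3+ config lines for the given pre-8.3 static PAT lines.

    host_labels maps real IP -> object name stem, e.g. {"10.6.1.10": "Server1"}
    (hypothetical naming convention). Each (mapped IP, proto, mapped port) may be
    claimed once: a second claim raises instead of being emitted, because the ASA
    would keep only the first matching object NAT rule and shadow the second.
    """
    rules = [parse_static(l) for l in lines if l.strip()]
    claimed = set()
    for r in rules:
        key = (r.mapped_ip, r.proto, r.mapped_port)
        if key in claimed:
            raise ValueError(f"mapped port claimed twice: {key}")
        claimed.add(key)

    out, mapped_obj = [], {}
    for i, ip in enumerate(sorted({r.mapped_ip for r in rules})):
        name = mapped_label if i == 0 else f"{mapped_label}{i + 1}"
        mapped_obj[ip] = name
        out += [f"object network {name}", f" host {ip}"]

    acl = []
    for r in rules:
        stem = host_labels.get(r.real_ip, r.real_ip.replace(".", "-"))
        name = f"{stem}-{r.mapped_port.upper()}"
        out += [f"object network {name}",
                f" host {r.real_ip}",
                f" nat ({r.real_if},{r.mapped_if}) static {mapped_obj[r.mapped_ip]} "
                f"service {r.proto} {r.real_port} {r.mapped_port}"]
        if acl_name:
            # 8.3+ ACLs see the real destination, so the permit names the real host object.
            acl.append(f"access-list {acl_name} extended permit {r.proto} any "
                       f"object {name} eq {r.real_port}")
    return out + acl


if __name__ == "__main__":
    labels = {"10.6.1.10": "Server1", "10.6.1.20": "Server2"}
    for line in migrate(OLD_CONFIG, labels, acl_name="outside_access_in"):
        print(line)
```

Run it as-is and it prints the `PAT`, `Server1-SMTP`, `Server2-WWW`, `Server2-HTTPS` and `Server2-IMAP4` objects followed by four `access-list outside_access_in` permits; the duplicate-port check is the one thing worth keeping even if you convert by hand.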
04-02-2012 04:06 PM
JouniForss, I tried it on mine and got the same results.....
object network portforwarding1smpt
host 10.1.6.1
object network portforwarding1smpt
nat (main-lan,outside) static PublicIP service tcp smtp smtp
Note I avoided the use of the word PAT to delineate (title) the external public IP object people would be using. I find it confusing to read about dynamic and static and Pat rules without having the word PAT in there. :-)
object network PublicIP
host 66.66.66.66
What I am curious about is that in all my rules I use the outside interface (as I only have one public WAN IP). It appears for these rules one simply identifies the public IP as a host for these NAT rules and can use that..............
04-03-2012 09:20 AM
Help please: for some reason, the traffic is being denied on the ASA, even though I opened the ACL on the outside int. Not sure why...so I can't access HTTP, HTTPS, IMAP4 to the NATted servers.
04-03-2012 10:02 AM
Okay I downloaded my access rules list for an example.
I created one, the last one, *** to mimic your concept of anybody as all mine narrow down external users.........
You need a particular service object identified, and the pc hosting the service identified (solely as an object no tied-nat rule for this definition)
object service imap24
service tcp destination eq 2424
object network VS-pcIP
host 192.168.24.34
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
***access-list outside_access_in extended permit object imap24 any object VS-pcIP
At the end of my object NAT rules are the following two items (ACL to outside general rule and routing rule)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.225 1
If you have any other ACL rules, not sure what they are doing for you. Hopefully you don't have any deny rules. They are not needed.
04-05-2012 06:18 AM
Hey Alex,
Unfortunately, I'm not going to be able to test this until next config migration. Thank you for explaining the ACL part! Mine was wrong...
I ended up using this config:
object network PAT
host 66.66.66.66
object network Server1-SMTP
host 10.6.1.10
nat (inside,outside) static PAT service tcp smtp smtp
access-list outside line 5 extended permit tcp any object Server1-SMTP eq smtp
Can you guys explain ASA NAT mechanism...regarding that static NAT above:
My system admin states that traffic going out of the server 10.6.1.10 on port 25 is NOT being translated to 66.66.66.66:25 on the outside interface, but translates to 66.66.66.70:25, which is my global PAT IP address for Internet traffic. Is that normal? I don't use much of ASDM, but I found and used packet tracer, which shows that my config should translate to 66.66.66.66:25, not 66.66.66.70:25. Is there something wrong with my config?
04-05-2012 06:27 AM
Hi,
The Port Forward configuration that you did by using one public IP address only applies when you are connecting from outside to the public IP 66.66.66.66 but when the local host is initiating the connection to outside network, other NAT rules will be applied.
I think there just was a similar post here on the forums where they had configured this kind of port forwarding for SMTP and also wanted the outgoing connections to use the same public IP.
I don't remember the post now. I could try this out on my own ASA and let you know soon if I get the mentioned situation working as described above. (Good thing I have a /29 public network at my disposal for these tests.)
- Jouni
04-05-2012 06:47 AM
Hi,
I did the following test configuration on my ASA
Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.
x.x.x.x = additional public IP (so NOT the outside interface IP)
object network LAN-NETWORK
subnet 10.0.0.0 255.255.255.0
object network SMTP-PORTFORWARD
host 10.0.0.50
object network SMTP-SERVER-OUTGOING-PAT-SOURCE
host 10.0.0.50
object network SMTP-PAT
host x.x.x.x
object network SMTP-PORTFORWARD
nat (LAN,WAN) static x.x.x.x service tcp smtp smtp
nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface
As you can see the above configurations contain the following NATs.
If you for example had the last default PAT configuration "nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface" and added the configuration "nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT", it would be inserted AFTER the default rule already created. This would mean that the SMTP host would still be showing with the WAN interface public IP and not the public IP x.x.x.x used in both the port forward configuration and the new PAT configuration.
What you will have to do is add the NAT command with an additional "line number" which isn't visible in the CLI configuration.
The command would be
But you will still have to take into account that the top most NAT rules (when issuing "show run nat" or looking from ASDM) might still override this configuration.
With the above configuration the "packet-tracer" test went through the way you would want them. Meaning SMTP host would be connected to with SMTP with the IP address x.x.x.x and it would also be visible to WAN with the public IP x.x.x.x when its initiating the connection.
Hope this helps. Please rate if helpful.
Please ask if you need clarification.
- Jouni
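Jouni's test and the original poster's puzzle (outbound mail from 10.6.1.10 leaving with the global PAT address) both come down to NAT rule precedence in 8.3+: manual NAT is evaluated first, then object NAT (static rules before dynamic ones), then after-auto manual NAT in configuration order, and a static PAT with a service only matches a port, so an outbound connection from an ephemeral source port falls through to whatever after-auto rule comes first. The following model is an added example, not code from the thread or from Cisco; it implements that lookup order, keeps Jouni's `x.x.x.x` placeholder for the additional public IP, uses a constructed WAN interface address, and reproduces his scenario: the host-specific after-auto rule appended below the default rule is shadowed, and inserting it at line 1 of that section fixes it. The rule and table class names are this example's own.

```python
"""ASA 8.3+ NAT lookup order, reduced to what the thread's test needs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WAN_IP = "203.0.113.1"    # constructed WAN interface address (documentation range)
EXTRA_IP = "x.x.x.x"      # the thread's placeholder for the additional public IP


@dataclass
class NatRule:
    section: int               # 1 = manual, 2 = object (auto), 3 = manual after-auto
    name: str
    real: str                  # real source network: a host or a CIDR prefix
    mapped: str                # mapped address, or "interface"
    static: bool = True
    port: Optional[int] = None  # static PAT with a service (real port == mapped port here)


class NatTable:
    def __init__(self, interface_ip):
        self.interface_ip = interface_ip
        self.sections = {1: [], 2: [], 3: []}

    def add(self, rule, line=None):
        """Append to the rule's section, or insert at 1-based `line` within it
        (the manual-NAT line number Jouni refers to; object NAT has no such option)."""
        lst = self.sections[rule.section]
        if line is None or rule.section == 2:
            lst.append(rule)
        else:
            lst.insert(line - 1, rule)

    def remove(self, name):
        for lst in self.sections.values():
            lst[:] = [r for r in lst if r.name != name]

    def ordered(self):
        """Rules in evaluation order: section 1, then object NAT with static rules
        before dynamic ones (longer prefixes and then object name as tiebreak), then section 3."""
        auto = sorted(self.sections[2], key=lambda r: (
            not r.static, -ipaddress.ip_network(r.real, strict=False).prefixlen, r.name))
        return self.sections[1] + auto + self.sections[3]

    def _mapped(self, rule):
        return self.interface_ip if rule.mapped == "interface" else rule.mapped

    def outbound(self, src_ip, src_port):
        """Mapped source address for a connection initiated from inside, or None if untranslated."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.ordered():
            if ip in ipaddress.ip_network(r.real, strict=False) and r.port in (None, src_port):
                return self._mapped(r)
        return None

    def inbound(self, dst_ip, dst_port):
        """Real destination for a connection from outside; only static rules are
        bidirectional, dynamic PAT never accepts unsolicited inbound traffic."""
        for r in self.ordered():
            if r.static and self._mapped(r) == dst_ip and r.port in (None, dst_port):
                return r.real
        return None


def jouni_scenario():
    """Replay the thread's test; returns (shadowed, fixed, inbound, other_host)."""
    t = NatTable(WAN_IP)
    t.add(NatRule(2, "SMTP-PORTFORWARD", "10.0.0.50", EXTRA_IP, static=True, port=25))
    t.add(NatRule(3, "LAN-NETWORK-default", "10.0.0.0/24", "interface", static=False))
    # Added after the default rule: lands below it in section 3 and is never reached.
    t.add(NatRule(3, "SMTP-OUTGOING", "10.0.0.50", EXTRA_IP, static=False))
    shadowed = t.outbound("10.0.0.50", 51234)
    # Re-add at line 1 of the after-auto section so the host-specific rule wins.
    t.remove("SMTP-OUTGOING")
    t.add(NatRule(3, "SMTP-OUTGOING", "10.0.0.50", EXTRA_IP, static=False), line=1)
    fixed = t.outbound("10.0.0.50", 51234)
    inbound = t.inbound(EXTRA_IP, 25)          # port forward still works
    other_host = t.outbound("10.0.0.77", 40000)  # rest of the LAN still uses the interface IP
    return shadowed, fixed, inbound, other_host


if __name__ == "__main__":
    print(jouni_scenario())
```

The model only looks at source network and source port, which is enough to show why `packet-tracer` for an inbound connection to x.x.x.x:25 and for an outbound connection from the mail server can hit different rules; on a real ASA, `show nat` and `packet-tracer` remain the authoritative check.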
05-22-2013 09:38 AM
Jouni,
I'm working on some static PAT config and found your post, here which is very helpful. I do have a question about something you wrote: I noticed that you said the following about the outside interface IP in your PAT configuration running on your 8.4 test ASA:
I did the following test configuration on my ASA
Please notice that the output also contains some other configurations. I added these to illustrate a situation where you have rules that might in certain situation overlap the configuration you are doing. I will explain more after the configurations.
x.x.x.x = additional public IP (so NOT the outside interface IP)
object network LAN-NETWORK
subnet 10.0.0.0 255.255.255.0
object network SMTP-PORTFORWARD
host 10.0.0.50
object network SMTP-SERVER-OUTGOING-PAT-SOURCE
host 10.0.0.50
object network SMTP-PAT
host x.x.x.x
object network SMTP-PORTFORWARD
nat (LAN,WAN) static x.x.x.x service tcp smtp smtp
nat (LAN,WAN) after-auto source dynamic SMTP-SERVER-OUTGOING-PAT-SOURCE SMTP-PAT
nat (LAN,WAN) after-auto source dynamic LAN-NETWORK interface
My question for you is that when you say that x.x.x.x is NOT the outside interface IP, is this because using the outside interface IP to do static PATs is unsupported? I am trying to do static PAT with the outside interface IP on ASA 9.0 and am having some difficulty with it. After reading your post I am wondering if this may be one of my problems.
Justin
05-22-2013 09:45 AM
Hi Justin,
There is nothing preventing you from using the ASA "interface" IP address for Static PAT. It's quite common actually.
If it isn't working for you for some reason I would suspect there might be some NAT rule that is causing the Static PAT rule to be overridden.
The easiest way to determine this would be to see the NAT configuration and/or take some "packet-tracer" command output on the ASA to determine which NAT rule is matched against certain connections.
- Jouni
05-24-2013 11:04 AM
Jouni,
Thanks for your help. I've got it working now with your examples for object NAT and I'm successfully using the outside interface IP. As a side note, it turns out the issue I was having was unrelated to the NAT setup. Rebuilding the ACLs ended up fixing the problem. I still saved a lot of configuration time with your original correct answer to this thread, so thank you.
Justin