Community Member

ASA outbound policy NAT not working

Hi Folks,

I'm having trouble with how traffic from my LAN is being nat'd by my ASA.

I've attached a basic network diagram -

inbound smtp traffic to 1.1.1.67 is translated to 10.0.10.2 (email server, on the inside interface)

inbound http and https traffic to 1.1.1.67 is translated to 10.10.10.2 (web server, on the DMZ interface)

The config I've used for this is:

static (inside,outside) tcp 1.1.1.67 smtp 10.0.10.2 smtp netmask 255.255.255.255

static (DMZ,outside) tcp 1.1.1.67 https 10.10.10.2 https netmask 255.255.255.255

static (DMZ,outside) tcp 1.1.1.67 www 10.10.10.2 www netmask 255.255.255.255

This has been tested and is working correctly.

The problem I have is that outbound traffic sourced from the email server (10.0.10.2) is not being nat'd to 1.1.1.67 ... it is being nat'd to 1.1.1.66 (the outside interface of the ASA)

When I do a packet-tracer (smtp traffic from 10.0.10.2 to an external email server), I see two different phases for NAT:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp 1.1.1.67 smtp 10.0.10.2 smtp netmask 255.255.255.255
  match tcp inside host 10.0.0.2 eq 25 inside any
    static translation to 1.1.1.67/25
    translate_hits = 236, untranslate_hits = 13682
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xaccaf6d0, priority=5, domain=host, deny=false
        hits=68278, user_data=0xaccaead0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.0.10.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 7 access-list dyn-nat-25-inside-acl
  match ip inside net10.0.10.0-24_VLAN10 255.255.255.0 oustide any
    dynamic translation to pool 7 (1.1.1.66 [Interface PAT])
    translate_hits = 25389, untranslate_hits = 168
Additional Information:
Dynamic translate 10.0.10.2/2525 to 1.1.1.66/10070 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in  id=0xacc82fd0, priority=2, domain=nat, deny=false
        hits=25389, user_data=0xacc82f10, cs_id=0x0, flags=0x0, protocol=0
        src ip=net10.0.10.0-24_VLAN10, mask=255.255.255

Phase 5 appears to match the NAT statement that I want (i.e. it translates smtp traffic from 10.0.10.2 to 1.1.1.67), but phase 6 then seems to contradict this, matching instead a general NAT rule which translates all outbound traffic to the ASA's outside interface.

Can anyone explain why this is happening?

Accepted Solutions
Cisco Employee

Re: ASA outbound policy NAT not working

Outbound connections from this smtp server will never be sourced from port 25 but will be sourced from any high port. What you have is static PAT, which is only for incoming connections from the internet.

So, if you want this server to look like 1.1.1.67 even for outbound then you need to add these lines:

nat (inside) 100 10.0.10.2 255.255.255.255

global (outside) 100 1.1.1.67

Use some nat ID that is not used. I just came up with 100.

-KS
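As an added illustration (not code from the thread or from Cisco), here is a small Python model of the matching the packet-tracer output shows: the static PAT entry only covers connections whose real source port is 25, so an outbound connection from a high port (2525 in the trace) falls through to the interface-PAT rule, while the host-specific nat/global pair from the answer catches it first. The first-match rule order used here is a simplifying assumption, not the ASA's full NAT order of operations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    name: str                          # the ASA config line this rule stands for
    real_net: ipaddress.IPv4Network    # real (inside) addresses the rule covers
    real_port: Optional[int]           # static PAT: only this source port; None = any
    mapped_ip: str                     # address the source is rewritten to

    def matches(self, src_ip: str, src_port: int) -> bool:
        if ipaddress.ip_address(src_ip) not in self.real_net:
            return False
        # A static PAT entry is keyed on the real port, so a connection
        # sourced from an ephemeral port does not hit it.
        return self.real_port is None or self.real_port == src_port

def translate(rules, src_ip: str, src_port: int):
    """Return (rule name, mapped source IP) for the first matching rule."""
    for rule in rules:
        if rule.matches(src_ip, src_port):
            return rule.name, rule.mapped_ip
    return None, src_ip  # untranslated (simplification: no NAT control)

# Rules taken from the thread (addresses and ports as posted).
STATIC_PAT = NatRule("static (inside,outside) tcp 1.1.1.67 smtp 10.0.10.2 smtp",
                     ipaddress.ip_network("10.0.10.2/32"), 25, "1.1.1.67")
INTERFACE_PAT = NatRule("nat (inside) 7 ... (1.1.1.66 [Interface PAT])",
                        ipaddress.ip_network("10.0.10.0/24"), None, "1.1.1.66")
HOST_NAT = NatRule("nat (inside) 100 10.0.10.2 / global (outside) 100 1.1.1.67",
                   ipaddress.ip_network("10.0.10.2/32"), None, "1.1.1.67")

BEFORE_FIX = [STATIC_PAT, INTERFACE_PAT]            # the original post
AFTER_FIX = [STATIC_PAT, HOST_NAT, INTERFACE_PAT]   # with KS's two lines added

if __name__ == "__main__":
    for label, rules in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        name, mapped = translate(rules, "10.0.10.2", 2525)
        print(f"{label}: 10.0.10.2:2525 -> {mapped} via {name}")
```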

2 REPLIES
Community Member

Re: ASA outbound policy NAT not working

Many thanks KS - that worked perfectly!
