ASA STATIC NAT ISSUE

arumugasamy

Pros,

An ASA firewall is configured with 3 zones: inside, outside and dmz. The front-end email server in the dmz was NATed to the public IP (static NAT) and the MX record was also updated.

The firewall outside IP is x.x.x.171 (Public)

Email NATed IP address x.x.x.170 (Public)

show xlate shows global x.x.x.170 local y.y.y.12

y.y.y.12 is email front end server in dmz.

nat (dmz) 1 0.0.0.0

global (outside) 1 interface

static (dmz,outside) x.x.x.170 y.y.y.12 netmask 255.255.255.255

An ACL is applied on outside with the required ports opened.

The issue is that the user gets the email and the header shows that it was received with the public IP x.x.x.171 of the firewall outside interface instead of the MX record IP of x.x.x.170.

How can we solve this issue?

sami


Hi Sami,

It looks like the issue of Source NAT vs Destination NAT. You have not mentioned the version of your software.

Adding the following line should fix this for you.

static (outside,dmz) y.y.y.12 x.x.x.170 netmask 255.255.255.255

Cheers,

Mubarak

Syed,

Should I remove the current static nat and then apply yours and test the status?

No, don't remove the existing NAT. Add this one as well.

Syed, this is incorrect, you shouldn't need to add the following line:

static (outside,dmz) y.y.y.12 x.x.x.170 netmask 255.255.255.255

Arumugasamy, the existing static NAT statement is already sufficient:

static (dmz,outside) x.x.x.170 y.y.y.12 netmask 255.255.255.255

Please kindly perform a "clear xlate" to clear the existing connections. You might have been using .171 earlier, before configuring the static NAT statement, and therefore it still uses .171 for outbound mail (as you have nat/global pair statements for outbound traffic).

Hi,

You can try creating a more specific NAT to achieve this for outbound traffic.

nat (dmz) 2 y.y.y.12 255.255.255.255

global (outside) 2 x.x.x.170 netmask 255.255.255.255

Thanks,
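
To check which translation outbound mail actually used (for instance after the `clear xlate` suggested in the thread), the Received headers of a test message can be parsed for the .170 or .171 address. This is an added example, not code from any poster in the thread; the 203.0.113.x addresses, hostnames and function names are constructed stand-ins for the masked values.

```python
import email
import ipaddress
import re

# Constructed stand-ins (documentation range) for the thread's masked addresses:
# x.x.x.170 = static NAT / MX address, x.x.x.171 = outside interface (PAT).
STATIC_NAT_IP = "203.0.113.170"
INTERFACE_PAT_IP = "203.0.113.171"

# Constructed sample message as the recipient would see it before the fix.
SAMPLE_STALE = (
    "Received: from mx.recipient.example (10.1.1.5) by mbx.recipient.example;\n"
    "\tMon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from mail.sender.example (unknown [203.0.113.171])\n"
    "\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Subject: NAT test\n\nbody\n"
)
SAMPLE_FIXED = SAMPLE_STALE.replace(INTERFACE_PAT_IP, STATIC_NAT_IP)

# IPv4 literal directly inside [...] or (...), as MTAs write the peer address.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def received_ips(raw_message):
    """Return every valid IPv4 literal in the Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for candidate in IP_RE.findall(header):
            try:
                found.append(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                continue  # dotted number that is not a valid address
    return found

def egress_verdict(raw_message, static_ip, pat_ip):
    """Classify which translation the outbound SMTP session used."""
    ips = received_ips(raw_message)
    if pat_ip in ips:
        return "pat"      # left via the nat/global pair (interface address)
    if static_ip in ips:
        return "static"   # left via the static (dmz,outside) translation
    return "unknown"      # neither address present in the Received chain

if __name__ == "__main__":
    for name, raw in (("before", SAMPLE_STALE), ("after", SAMPLE_FIXED)):
        print(name, received_ips(raw), egress_verdict(raw, STATIC_NAT_IP, INTERFACE_PAT_IP))
```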
