ASA5510-8.2 - Multiple public IP, NAT and SMTP problem

nicholas.t
Level 1

Hello,

I'm in need of some help here; we have multiple public IPs.

1 is used for our ASA outside interface (.179)

1 is used for PAT for SMTP with our mail server (.178)

I'm not able to resolve my problem. Our MX record and rDNS are set up to use (.178), but each time I'm sending email, if I look in the header the IP it was sent from is always .179 (the outside interface), and sometimes mail bounces back with "no rDNS set up for .179". Can someone explain to me where the problem is and where I should look to make sure my email goes out via .178? (I'm guessing that's a PAT or NAT problem.)

Here are more details:

Exch_PAT1 - is our .178

DuchExc - is our internal mail server

Here is part of my config


global (outXXX) 1 interface

access-list no_nat_acl extended permit ip object-group inside_network object-group vpnusers_network 
access-list no_nat_acl extended permit ip object-group inside_network VLAN_100 255.255.255.0 
access-list outside_in extended permit tcp any host Exch_PAT1 eq smtp
access-list LAN_access_in extended permit tcp host DuchExc host Exch_PAT1 eq smtp 
nat (inside) 0 access-list no_nat_acl
nat (inside) 1 Internal_network 255.255.0.0
static (inside,outXXX) tcp Exch_PAT1 smtp DuchExc smtp netmask 255.255.255.255 
static (inside,outXXX) tcp Exch_PAT1 https DuchExc https netmask 255.255.255.255 
static (inside,outXXX) tcp Exch_PAT1 pop3 DuchExc pop3 netmask 255.255.255.255 
access-group outside_in in interface outXXX
access-group LAN_access_in in interface inside
route outXXX 0.0.0.0 0.0.0.0 X.X.X.177 1

Thanks in advance for your help,

Nicholas T.

Accepted Solution

Julio Carvajal
VIP Alumni

Hello Nicholas,

It is a NAT problem.

The problem here is that you are using port-forwarding, and this is just for inbound traffic, so all the outbound traffic from that server will take the outside interface IP address (because of the PAT). So if you need to change this, you will need to do a static one-to-one translation for that server.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

3 Replies

Hello Jcarvaja,

Ok, I tried just adding those 2 lines:

static (inside,outXXX) Exch_PAT1 DuchExc netmask 255.255.255.255 
static (outXXX,inside) DuchExc Exch_PAT1 netmask 255.255.255.255 

It works, but now I'm not sure I understand correctly. I know from what you told me
that I didn't have the one for outbound traffic. But what about being specific for the
port? I'm guessing for a specific port it is defined in the ACL and not on the NAT?

Thanks for clarifying this and thanks for your help

Nicholas T.


Hello Nicholas,

The thing is:

Port-forwarding: It's only for inbound traffic.

PAT: It's only for outbound traffic.

Static: Bi-directional traffic

So in this scenario, as soon as you send an email, the source IP address (inside host) will be NATted to the outside interface IP address (PAT, because outbound traffic will match that NAT rule) as per your NAT configuration.

So on the outside world the users are going to see the SMTP traffic coming from the outside ASA IP address, so by creating a static one-to-one the ASA will now use that static entry in the NAT configuration for the SMTP traffic.

The NAT order on version 8.2 and older versions is the following:

-NAT exempt (nat 0 with ACL)

-Static NAT

-Policy NAT/port-forwarding

-Dynamic NAT/PAT

Let me know if this explains the scenario a little bit more or if there is something else I can do for you.

Please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
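The lookup order Julio lists above, as an added illustration that is not part of the thread and not Cisco code: a simplified Python model of how an ASA 8.2 picks a translation for an inside-to-outside flow. All addresses are constructed (RFC 5737 documentation space stands in for X.X.X.178/.179, 10.0.0.25 for DuchExc, and the VLAN_100 / inside_network prefixes are assumed), and the static port-forward is modelled as matching only when the real source port is the forwarded port, which is why a mail server's own outbound connections (ephemeral source port) fall through to dynamic PAT until a one-to-one static exists.

```python
# Added example, not from the thread: toy model of ASA 8.2 NAT lookup order
# (nat 0 exempt -> static 1:1 -> static PAT/port-forward -> dynamic PAT).
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's redacted values.
OUTSIDE_IF = "203.0.113.179"          # .179, the ASA outside interface (global 1 interface)
EXCH_PAT1 = "203.0.113.178"           # .178, the MX / rDNS address
DUCHEXC = "10.0.0.25"                 # internal mail server
INSIDE_NET = ip_network("10.0.0.0/16")      # assumed inside_network (nat (inside) 1 ...)
VLAN_100 = ip_network("10.100.0.0/24")      # assumed VLAN_100 from no_nat_acl
STATIC_PAT_PORTS = {25, 443, 110}           # smtp, https, pop3 port redirections


def translate(src_ip, src_port, dst_ip, static_one_to_one):
    """Return (translated source IP, matching rule) for an inside->outside flow.

    static_one_to_one: True once 'static (inside,outXXX) Exch_PAT1 DuchExc' exists.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # 1. NAT exemption (nat 0 access-list no_nat_acl): untranslated to VLAN_100.
    if src in INSIDE_NET and dst in VLAN_100:
        return src_ip, "nat 0 exempt"
    # 2. Static one-to-one: every port of DuchExc appears as Exch_PAT1.
    if static_one_to_one and src_ip == DUCHEXC:
        return EXCH_PAT1, "static 1:1"
    # 3. Static PAT (port-forward): matches only when the real source port is the
    #    forwarded port, i.e. replies to inbound SMTP/HTTPS/POP3 connections.
    if src_ip == DUCHEXC and src_port in STATIC_PAT_PORTS:
        return EXCH_PAT1, "static PAT (port-forward)"
    # 4. Dynamic PAT (nat (inside) 1 / global (outXXX) 1 interface).
    if src in INSIDE_NET:
        return OUTSIDE_IF, "dynamic PAT"
    return None, "no translation"


def outbound_smtp_source(static_one_to_one):
    """Source IP a remote MTA sees when DuchExc opens a new SMTP session."""
    # A server-initiated connection uses an ephemeral source port, not 25.
    ip, _rule = translate(DUCHEXC, 51000, "198.51.100.10", static_one_to_one)
    return ip


if __name__ == "__main__":
    for flag in (False, True):
        print("static 1:1 present:", flag, "->", outbound_smtp_source(flag))
```

Before the one-to-one static is added the function returns the .179 interface address (the header Nicholas observed); after it, .178, matching the MX and rDNS records.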