
New Member

NAT, ASA 9.1

Hello,

                       Outside
                       ip: 10.7.128.172
                          |
 DMZ                      |
 IronPort  ---------     ASA
 10.2.129.95              |
                          |
                       Inside
                       Exchange Server
                       10.2.128.43

I wanted to migrate from ASA 5520 (version 8.4.2) to ASA 5515-X (version 9.1.3). The ASA is configured with the following interfaces: Inside, Outside and DMZ. In the Inside zone I have the Exchange server and in the DMZ zone I have the Cisco IronPort, which relays the SMTP packets to the internal Exchange server.

With the 5520 I used the following commands and NAT worked perfectly:

object network CultexMail-1
 host 10.2.128.43
 nat (internal,outside) static 10.7.128.172 service tcp pop3 pop3

object network CultexMail-2
 host 10.2.128.43
 nat (internal,outside) static 10.7.128.172 service tcp www www

object network ironport
 host 10.2.129.95
 nat (dmz,outside) static 10.7.128.172 service tcp smtp smtp

etc.

 

After replacing the firewall with the new one I could receive emails, but I could not access the web interface of Exchange from outside and I could not send outgoing emails.

After adding the following commands I was able to access the web interface of my Exchange, but no luck with sending outgoing emails:

object network ironport-test
 host 10.2.129.95
 nat (dmz,outside) dynamic 10.7.128.172

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) dynamic 10.7.128.172

Do you have any idea how the NAT rules should be for this implementation (Cisco ASA version 9.1)? Thank you.

 

 

Accepted Solution

Hi,

I guess you have an overlapping NAT rule. Can you check if any conflicting rule persists in your configs? Try getting the sh nat output and cross-verify.

 

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

 

Regards

Karthik

23 REPLIES
VIP Green

I would first suggest that you change your NAT rules from dynamic to static, as you only have one IP. Also you will need to specify the ports that you are translating, otherwise you will be NATing all ports to the one server and no other PC on the network will be able to reach the internet.

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) static 10.7.128.172 service tcp http http

change this first, and then test.  Report back the results please.

-- Please remember to rate and select a correct answer
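The two pieces of advice above, Karthik's to pull the sh nat output and cross-check it for overlapping rules, and Marius's that a translation without a service claims every port of the mapped address, can be checked mechanically before reaching for packet-tracer. The following Python script is an added example written for this page, not code from the thread or from Cisco. It parses show nat detail output in the layout quoted in this thread into rule records, reports pairs of active static rules that claim the same mapped interface, address and port, and traces which rule an outbound connection from a real host would hit under a simplified model of ASA rule order (Section 1 in configured order, then Section 2 statics before dynamics; destination criteria of manual rules are ignored). The sample output, the ironport-test rule without a service, and the port-name table are constructed for the example.

```python
"""Audit Cisco ASA `show nat detail` output: flag static rules that claim the same
mapped address/port and trace which rule an outbound flow would use.  Added
example (not from the thread or from Cisco); it assumes the output layout quoted
in the thread and a simplified ASA rule order: Section 1 in configured order,
then Section 2 statics before dynamics.  Destination criteria are ignored."""
import re
from dataclasses import dataclass
from typing import Optional

# Port keywords the ASA prints for the services that appear in the thread.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "pop3": 110, "imap4": 143, "https": 443}

def port_number(name: str) -> int:
    return int(name) if name.isdigit() else PORT_NAMES[name]

@dataclass
class NatRule:
    section: int
    index: int
    real_ifc: str
    mapped_ifc: str
    kind: str                      # "static" or "dynamic"
    real_ip: str = "?"
    mapped_ip: str = "?"
    proto: Optional[str] = None
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None
    active: bool = True

    def ident(self) -> str:
        return f"s{self.section}#{self.index}"

HEADER = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) \S+ \S+"
                    r"(?:\s+service (\S+) (\S+) (\S+))?(.*)$")
ORIGIN = re.compile(r"Source - Origin: ([^,/\s]+)/\d+, Translated: ([^,/\s]+)/\d+")

def parse_show_nat(text: str) -> list:
    """Turn the policy header and 'Source - Origin' lines into NatRule records."""
    rules, section, current = [], 0, None
    for line in text.splitlines():
        if "(Section 1)" in line or "(Section 2)" in line:
            section = 1 if "(Section 1)" in line else 2
        elif (m := HEADER.match(line.strip())):
            idx, rifc, mifc, kind, proto, rport, mport, tail = m.groups()
            current = NatRule(section, int(idx), rifc, mifc, kind, proto=proto,
                              real_port=port_number(rport) if rport else None,
                              mapped_port=port_number(mport) if mport else None,
                              active="inactive" not in tail)
            rules.append(current)
        elif (o := ORIGIN.search(line)) and current is not None:
            current.real_ip, current.mapped_ip = o.group(1), o.group(2)
    return rules

def find_static_conflicts(rules: list) -> list:
    """Pairs of active static rules that claim the same mapped interface, address
    and port; a static rule without a service claims every port of the mapped IP."""
    statics = [r for r in rules if r.active and r.kind == "static" and r.mapped_ip != "?"]
    found = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            same_ip = (a.mapped_ifc, a.mapped_ip) == (b.mapped_ifc, b.mapped_ip)
            same_port = (a.mapped_port is None or b.mapped_port is None
                         or (a.proto, a.mapped_port) == (b.proto, b.mapped_port))
            if same_ip and same_port:
                found.append((a.ident(), b.ident()))
    return found

def outbound_rule(rules: list, real_ifc: str, real_ip: str, src_port: int,
                  proto: str = "tcp") -> Optional[str]:
    """First rule translating a connection initiated by real_ip.  A static rule
    with a service only applies when the source port equals its real port, so an
    ephemeral-port connection needs a rule without a service (e.g. dynamic PAT)."""
    ordered = [r for r in rules if r.section == 1] + sorted(
        (r for r in rules if r.section == 2), key=lambda r: r.kind != "static")
    for r in ordered:
        if not r.active or r.real_ifc != real_ifc or r.real_ip != real_ip:
            continue
        if r.proto in (None, proto) and r.real_port in (None, src_port):
            return r.ident()
    return None

# Constructed sample modelled on the thread's output; rule s2#3 (a static
# translation with no service) is invented to show the all-ports conflict.
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip   inactive
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
2 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
3 (dmz_webservers) to (outside1) source static ironport-test 10.7.128.172
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
"""
```

With the constructed sample, find_static_conflicts reports the service-less ironport-test rule against both port forwards on 10.7.128.172, outbound_rule returns nothing for a connection from the Exchange server on an ephemeral source port (the dynamic rule is inactive and the static rules only match their real port), and returns the pop3 rule for the same host with source port 110. The result is a hint about where to point packet-tracer, not a replacement for it, since the model ignores destination criteria, Section 3 rules and the finer ordering the ASA applies inside each section.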
New Member

Hello MariusGurrerud,

Initially, as you suggested, I used the static NAT rules with my new firewall 5515. They are the same rules I have now on my Cisco 5520, and the mail servers work right:

 

nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
// exempt WAN mail traffic from translation, because branches use the internal DNS server

// port forwarding: incoming SMTP traffic to the IronPort and the other protocols (http, https, imap) to the internal Exchange server
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

The result with the ASA 5515 version 9.1.3 was that I could get incoming mail but nothing else. I found an article on the web, "http://tsbraindump.blogspot.gr/2013/04/port-address-translation-and-nat-in.html", that proposed (as weird as it seems, with ASA 9.1) to create a dynamic NAT rule for outgoing mail traffic. Then I added the following rule to the above configuration:

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) dynamic 10.7.128.172

 

After the addition of the above command I could access the Exchange server webpage, but I still cannot send mails from my internal Exchange to the outside (for example from my mail server to Yahoo mail).

 

 

 

 


New Member

Hello,

I do not see any difference between the sh nat detail output and my configuration commands:

Manual NAT Policies (Section 1)

//exempt WAN traffic from translation, because branches use the headquarters DNS server to resolve addresses.
1 (outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges   destination static CultMAIL CultMAIL
    translate_hits = 7, untranslate_hits = 9
    Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32
    Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32

//nat rules for site-to-site vpn-do not nat
2 (inside_data) to (outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24   destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.0/24, Translated: 10.2.128.0/24
    Destination - Origin: 192.168.15.0/24, Translated: 192.168.15.0/24

//disabled rule
3 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip   inactive
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32

 

//mail nat rules

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172   service tcp www www
    translate_hits = 0, untranslate_hits = 7
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172   service tcp imap4 imap4
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172   service tcp https https
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172   service tcp 135 135
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp

 

The configuration of the ASA:

nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
nat (inside_data,outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
nat (lan_Servers,outside1) source dynamic cultexmail extmail_ip inactive
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

object-group network CultMAIL
 network-object object Cultexmail-1
 network-object object Cultexmail1

 

 

New Member

OK, I think I have at least one error in my configuration... I post the configuration of my current firewall:

(outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges   destination static CultMAIL CultMAIL
    translate_hits = 27799, untranslate_hits = 243
    Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32
    Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 9, untranslate_hits = 7257
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172   service tcp www www
    translate_hits = 1, untranslate_hits = 5237
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172   service tcp imap4 imap4
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172   service tcp https https
    translate_hits = 475, untranslate_hits = 167881
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172   service tcp 135 135
    translate_hits = 0, untranslate_hits = 3279
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 176491
    Source - Origin: 10.2.129.27/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp

 

CultEmailEDGE = not the IronPort

 

a) In NAT section 1 there is no second NAT rule for my site-to-site VPN and this is right, because I do not use NAT or PAT to translate the addresses of my internal users to my ASA's outside interface address. So I do not have to exempt any traffic from 10.2.128.0 to 192.168.15.0. In addition I have a mistake in this rule, because the 10.2.128.0 network is on interface "lan_servers" and not "internal_users".

 

b) If you check the above NAT rules of my current firewall again, the rule about SMTP port forwarding forwards SMTP traffic to an old anti-spam server. We replaced this server with the Cisco IronPort. Our provider NATed the real address of the IronPort (10.2.129.95) to a public address (x.x.x.x). Afterwards we requested our provider to change the MX records of our mail server mail.X.gr and add the public address of the IronPort with the same priority. If we request the MX records from a public server we see:

10 (priority)   mail.X.gr (hostname)       X.X.X.X (mail public address)
(this X.X.X.X public address is translated to the 10.7.128.172 address. We want to do port forwarding with this address: X.X.X.X -> 10.7.128.172)

10 (priority)   ironport.x.gr (hostname)   Y.Y.Y.Y (IronPort public address)
(Y.Y.Y.Y is the public address of the IronPort, Y.Y.Y.Y -> 10.2.129.95)

 

The real question now is do I need the last rule to port forward any smtp packet from 10.7.128.172 to my ironport ?

 

 

New Member

Also this document may shed some light https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Regards,

Yadhu

Regards, Tony http://yadhutony.blogspot.com

Hi,

 

Do you see any logs for NAT removal or some error messages related to NAT?

 

Because there is a bug which might be related to this issue.

CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

 

Symptom:
Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733

However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.

Conditions:
All of the following conditions must be matched to see this issue:

1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration

Workaround:
Reloading the ASA after the offending NAT rule is removed will resolve the issue.

 

Bug fixed in release: 9.1.5(1) or 9.1.2(100)

Regards

Karthik

New Member

Dear Karthik,

 

First of all thank you for your help. In my new firewall initially I had those rules:


nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

 

I copied them from my old 5520 ASA firewall (version 8.4.2) with my network objects. From my configuration, do you think that I may have a problem with this bug? I used ASA real-time logging at the migration time but did not see any weird logs about NAT, and I would like to add that with the command "sh nat detail" I could see the counts of "untranslate_hits" increasing for the right rules. This is correct, as I have NAT rules of type "nat (inside,outside)" and I had incoming traffic.

Seems to be the bug only as per my knowledge while looking at the issue.

Can you remove all the rules and object-group once and restart the firewall.... then you configure once again with the object-group and NAT rules..... and then try to access all the required access.

Either you can go with TAC case or you can try with next OS version which has the fixed release of this bug.

 

Regards

Karthik
