Cisco Support Community
New Member

Need assistance configuring NAT for two mail servers

Hi,

I was hoping somebody can help me with Cisco ASA programming (version 8.2(1)). I am trying to set up two things:

1. Inbound HTTPS access to a load balancer that sends the traffic to two Exchange servers for OWA, Outlook Anywhere etc.

2. Outbound SMTP access from the two Exchange servers, NATed to a single external IP address (but different from the external interface of the firewall).

This is what I did so far (IP addresses are fake obviously):

Define server objects:

name 192.168.1.65 INT_LB_MAIL description virtual mail service on load balancer

name 207.207.207.100 EXT_MAIL

name 192.168.1.127 INT_EX1 description exchange server 1

name 192.168.1.128 INT_EX2 description exchange server 2

Create access rules for inbound SMTP and HTTPS traffic to the load balancer:

access-list WAN_LAN extended permit tcp any host EXT_MAIL eq https

access-list WAN_LAN extended permit tcp any host EXT_MAIL eq smtp

Now it's the NATs that I am having problems with; not really sure how to do this so the load balancer answers HTTPS requests and the two Exchange servers can send email out while NATed to that public IP I indicated:

static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255

I skipped the outbound rules because I don't have problems with them; my email is going out right now, but the two Exchange servers are NATing to the interface address, which I am trying to avoid.

Any help would be greatly appreciated.

Thanks.

3 REPLIES
Hall of Fame Super Blue

Re: Need assistance configuring NAT for two mail servers

Marcin

So are you saying that this -

static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255

is not working, because it looks fine to me. Or are you asking about how to do the outbound mail server access?

If so -

access-list mail_out extended permit tcp host INT_EX1 any eq smtp

access-list mail_out extended permit tcp host INT_EX2 any eq smtp

nat (LAN) <nat_id> access-list mail_out

global (WAN) <nat_id> EXT_MAIL

<nat_id> should be unique, i.e. a number you are not already using, and it must obviously match between the nat/global statements.

The above is dynamic policy NAT ie. it only works from the inside to outside but it sounds like that is what you want.

Jon

New Member

Re: Need assistance configuring NAT for two mail servers

Jon,

Thanks for your answer, let me address your questions first.

Right now everything is working, with the exception that when my two Exchange servers send email out they are NATing to the WAN interface IP address rather than 207.207.207.100 (EXT_MAIL) as I want. I will try your suggestion and add the below statements with some tweaks; can you comment on them?

Given that i have this statement in my config: access-group LAN_WAN in interface LAN

I will add the two new access-list statements you suggested and then associate it with the LAN interface. I don't want other stuff to NAT to that EXT_MAIL IP address.

access-list mail_out extended permit tcp host INT_EX1 any eq smtp

access-list mail_out extended permit tcp host INT_EX2 any eq smtp

Now I think I need to associate that new access list mail_out with the LAN interface by running this:

access-group mail_out in interface LAN

And then add these two statements below:

nat (LAN) 2 access-list mail_out

global (WAN) 2 EXT_MAIL

Question?

Given that the two statements below already exist in my config, would you recommend I change anything else in the above statements?

global (WAN) 1 interface

nat (LAN) 1 CORPLAN 255.255.255.0

Thanks again for your help.

Hall of Fame Super Blue

Re: Need assistance configuring NAT for two mail servers

Marcin

The access-list mail_out is for the NAT; it should not be added to any ACL applied to an interface. With dynamic policy NAT you have to use an ACL, but that is purely so you can specify what you want to NAT. So don't apply it to any interface or add it to any ACL on an interface.

You should be fine with the additional nat/global statements as they are using a different NAT ID.

Jon
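Putting the thread's pieces together, the consolidated ASA 8.2 NAT section below is an added example, not configuration posted by either participant. It assumes NAT ID 2 is unused, that the existing LAN_WAN ACL on the LAN interface already permits the servers' outbound SMTP, and that WAN_LAN is bound inbound on the WAN interface (the thread shows the ACL but not its access-group line).

```cisco
! Added example: consolidated 8.2 NAT for both requirements in the thread.
! Object names as in the original post (207.207.207.100 is the poster's placeholder IP).
name 192.168.1.65 INT_LB_MAIL description virtual mail service on load balancer
name 207.207.207.100 EXT_MAIL
name 192.168.1.127 INT_EX1 description exchange server 1
name 192.168.1.128 INT_EX2 description exchange server 2
!
! 1. Inbound: one-to-one static maps the public IP to the load balancer only.
!    WAN_LAN restricts what may reach it to HTTPS and SMTP.
static (LAN,WAN) EXT_MAIL INT_LB_MAIL netmask 255.255.255.255
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq https
access-list WAN_LAN extended permit tcp any host EXT_MAIL eq smtp
access-group WAN_LAN in interface WAN
!
! 2. Outbound: dynamic policy NAT. mail_out is a NAT selector only and is
!    never bound with access-group. "host" is required before a single address.
access-list mail_out extended permit tcp host INT_EX1 any eq smtp
access-list mail_out extended permit tcp host INT_EX2 any eq smtp
nat (LAN) 2 access-list mail_out
global (WAN) 2 EXT_MAIL
!
! The existing catch-all stays. On 8.2, policy NAT (ID 2, with an ACL) is
! evaluated before regular dynamic NAT (ID 1), so only SMTP from the two
! Exchange hosts uses EXT_MAIL; everything else still PATs to the WAN interface.
nat (LAN) 1 CORPLAN 255.255.255.0
global (WAN) 1 interface
!
! Translations built before the change keep their old mapping until cleared.
clear xlate
```

Verify with "show xlate" after the Exchange servers open a new outbound SMTP connection: the two hosts should show EXT_MAIL as their global address while other LAN hosts still show the interface address.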
