Cisco Support Community
New Member

PAT Multiple Services behind 1 IP Address

Hi all

Think I'm going a bit crazy as I can't seem to get this nailed. I'm running an Exchange Server box that has 2 IP addresses bound to the NIC. One of them is the SMTP (port 25) and the other is listening on 443 for external access to a Public Folder. They both have to share the same public IP and SMTP needs to present this same Public IP for delivering email. How can I achieve this using ASDM on v7.1 of ASDM and 9.1 of ASA S/W (ASA 5525-X)?

Whatever I seem to try will either let one or the other service accept incoming connections but not both.

Thanks

ACCEPTED SOLUTION

Super Bronze

Re: PAT Multiple Services behind 1 IP Address

Hi,

There are a couple of NAT configurations above that I am not sure what they are for.

But I think the main issue here is that you have configured Static NAT for both of the local IP addresses using the same public IP address with the following configurations.

object network SERVER22_LAN_SMTP
 host 172.16.0.1
 nat (Legacy_LAN,Outside_100Mb) static SERVER22_OUTSIDE_SMTP

object network EasyCallOWA_LAN
 host 172.16.0.2
 nat (Legacy_LAN,Outside_100Mb) static EasyCallOWA_Outside

Since this is a Static NAT it means the local IP address will be bound to a single public IP.

I imagine that connections initiated from these hosts work as usual but I would imagine that connections incoming from the Internet would not be able to utilize both of these rules as they are overlapping.

I mean connections coming from the "Legacy_LAN" that are outbound will probably correctly translate to the public IP address. But inbound connections towards the public IP address will all be forwarded to 172.16.0.1 (if that is the actual IP address). This is because of the logic the ASA uses to order the Network Object NAT rules. In this case, since the NAT type (static) and the number of source addresses for NAT (single host) match, the ASA will check which of the source IP addresses is the lowest in value (172.16.0.1), and that will always be the destination after NAT for inbound connections from the Internet (unless some Section 1 NAT rule overrides this, which it can).

So in your situation it would seem to me that the correct NAT configuration to accomplish the following

  • Use public IP address 31.1.1.1 to receive SMTP and HTTPS connections (SMTP for 172.16.0.1 and HTTPS for 172.16.0.2)
  • Use public IP address 31.1.1.1 for outbound SMTP connections (For host 172.16.0.1 only)

Would be to configure Static PAT and Dynamic PAT in the following way

object network SERVER-SMTP
 host 172.16.0.1
 nat (Legacy_LAN,Outside_100Mb) static 31.1.1.1 service tcp 25 25

object network SERVER-HTTPS
 host 172.16.0.2
 nat (Legacy_LAN,Outside_100Mb) static 31.1.1.1 service tcp 443 443

object-group network SERVER-SMTP-SOURCE
 network-object host 172.16.0.1

object network SERVER-SMTP-PUBLIC
 host 31.1.1.1

nat (Legacy_LAN,Outside_100Mb) after-auto 1 source dynamic SERVER-SMTP-SOURCE SERVER-SMTP-PUBLIC

Provided that no other NAT rule overrides the above functionality, they would work in the following way

  • SMTP connections inbound to 31.1.1.1 would be forwarded to 172.16.0.1
  • HTTPS connections inbound to 31.1.1.1 would be forwarded to 172.16.0.2
  • ALL outbound connections initiated from 172.16.0.1 anywhere would use PAT IP address of 31.1.1.1

As I said, I don't know what the rest of your configurations above are meant for, but the above example I have given should, to my understanding, accomplish what you are after.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
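The rule-ordering logic described in this answer, as an added example that is not part of the thread or of any Cisco code: a small Python model of the Section 2 object NAT walk and the Section 3 after-auto PAT, using the thread's own addresses and object names. The model assumes every object NAT rule is a single-host static (so only the lowest-real-IP tie-break and the object name decide order) and that a static PAT rule matches only its own TCP port; the helper names are the model's, not ASA commands.

```python
# Added example, not from the thread: a toy model of the ASA NAT walk that
# the accepted answer describes. Assumptions: all object NAT rules are
# single-host statics (order decided by lowest real IP, then object name),
# and a static PAT rule matches only its own TCP port.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

@dataclass(frozen=True)
class ObjNat:
    name: str                   # object network name
    real: str                   # real host on Legacy_LAN
    mapped: str                 # mapped address on Outside_100Mb
    port: Optional[int] = None  # static PAT port; None = whole-IP static NAT

def section2_order(rules):
    """Section 2 static rules in the order the ASA evaluates them."""
    return sorted(rules, key=lambda r: (ip_address(r.real), r.name))

def inbound_real_host(rules, dst_ip, dst_port):
    """Real host an Internet connection to dst_ip:dst_port is sent to."""
    for r in section2_order(rules):
        if r.mapped == dst_ip and (r.port is None or r.port == dst_port):
            return r.real
    return None  # no matching static rule

def outbound_mapped_ip(rules, pat_sources, pat_ip, src_ip, src_port):
    """Mapped source: Section 2 first, then the after-auto PAT (Section 3)."""
    for r in section2_order(rules):
        if r.real == src_ip and (r.port is None or r.port == src_port):
            return r.mapped
    return pat_ip if src_ip in pat_sources else src_ip  # else untranslated

# The overlapping whole-IP statics from the original configuration.
BROKEN = [ObjNat("SERVER22_LAN_SMTP", "172.16.0.1", "31.1.1.1"),
          ObjNat("EasyCallOWA_LAN", "172.16.0.2", "31.1.1.1")]
# The proposed fix: one static PAT per service plus after-auto dynamic PAT.
FIXED = [ObjNat("SERVER-SMTP", "172.16.0.1", "31.1.1.1", 25),
         ObjNat("SERVER-HTTPS", "172.16.0.2", "31.1.1.1", 443)]
SMTP_PAT_SOURCES = {"172.16.0.1"}  # object-group SERVER-SMTP-SOURCE

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for port in (25, 443):
            print(label, port, "->", inbound_real_host(rules, "31.1.1.1", port))
    # Outbound SMTP leaves 172.16.0.1 from an ephemeral port, so the port-25
    # static PAT does not match and the Section 3 rule supplies 31.1.1.1.
    print(outbound_mapped_ip(FIXED, SMTP_PAT_SOURCES, "31.1.1.1", "172.16.0.1", 51234))
```

On the firewall itself the equivalent checks are `packet-tracer input Outside_100Mb tcp <internet-ip> <port> 31.1.1.1 443` (the NAT phase names the rule that matched) and `show nat detail` for the evaluated order and hit counts.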

3 REPLIES
Super Bronze

Re: PAT Multiple Services behind 1 IP Address

Hi,

So if I understood you correctly, you will need to forward SMTP and HTTPS to the same server using a single public IP address and also have the server use that public IP address for outbound SMTP connections?

If this is true then it would be a lot easier to go through this with CLI configurations.

First of all, we would need to see the current NAT setup on the firewall to know what to change/remove/add.

Also, we need to know whether you only have a single public IP address (of the ASA interface) at your disposal, or whether you have multiple public IP addresses and are dedicating one for this server alone.

You can get the CLI format NAT configuration through ASDM also.

You can go

  • ASDM
  • Tools -menu
  • Command Line Interface
  • Type "show run nat" in the text field (without the "")
  • Send the command to the device
  • Copy/Paste the output here on the forums. Remove complete public IP addresses

- Jouni

New Member

PAT Multiple Services behind 1 IP Address

Hi Jouni

Thanks for the quick reply. I know how to use the CLI but I'm waaaaay more comfortable in the GUI at the moment for firewalls.

The relevant bits from sh run nat are

nat (Outside_100Mb,Legacy_LAN) source static EasyCallOWA_Outside EasyCallOWA_Outside destination static EasyCallOWA_LAN EasyCallOWA_LAN service HTTPS HTTPS

object network SERVER22_LAN_SMTP
 nat (Legacy_LAN,Outside_100Mb) static SERVER22_OUTSIDE_SMTP
object network EasyCallOWA_LAN
 nat (Legacy_LAN,Outside_100Mb) static EasyCallOWA_Outside
object network EasyCallOWA_Outside
 nat (any,any) static EasyCallOWA_LAN

nat (Legacy_LAN,Outside_100Mb) after-auto source static any any destination static Exchange_OWA_Outside SERVER22_LAN_OWA net-to-net unidirectional no-proxy-arp

SERVER22_LAN_SMTP is 172.16.0.1

SERVER22_OUTSIDE_SMTP is 31.1.1.1

EASYCALLOWA_LAN is 172.16.0.2

EASYCALLOWA_OUTSIDE is 31.1.1.1

I have multiple IP addresses available but they are all in use, hosting multiple HTTP/HTTPS domains for various services. I also have 3 configured for my phone system to allow SIP traffic etc. etc. etc.

Thanks

