Solved: Re: Static Nat on ASA 5510 IOS version 8.2

chigumbab · ‎02-20-2012

Hi Guys

have a question. I have a ASA5510 with IOS version 8.2 . I have my firewall and behind it also have a mail server eg 192.168.1.x. When i send email from inside network it doesn't show as if it's coming grom the out side nated public IP of my server but IP of firewall. What am i missing my example nat statements are . Nat-control is disabled.

static (inside,outside) 196.68.99.x 192.168.1.x netmask 255.255.255.255

access-list inbound extended permit tcp any host 196.68.99.x eq 225

accesslist outbound extended permit host 192.168.1.x host 196.68.99.x

varrao · ‎02-21-2012

Hi Chigumbab,

Nope that would not work, because you have just done port forwarding and allowed only specfic ports on the xx.xx.xx.150 ip address, so the DNS traffic would definitely be natted to the outside interface, because of the nat-global statements that you have, just as a workaround add the statement at the end of all the statics :

static (inside,outside) tcp x.x.x.150 smtp x.x.x.20 smtp netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 587 x.x.x.20 587 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 pop3 x.x.x.20 pop3 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 3389 x.x.x.20 3389 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 1433 x.x.x.20 1433 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 3306 x.x.x.20 3306 netmask 255.255.255.255

static (inside,outside) x.x.x.150 x.x.x.20

and now if the server goes to the internet, it should show the IP x.x.x.150

Don't worry it would not allow any other ports to be opened as you have restricted the incoming ports through the ACL.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

mvsheik123 · ‎02-20-2012

You don't need 'accesslist outbound extended permit host 192.168.1.x host 196.68.99.x'. Remove this and clear the existing translate for the internal IP (clear xlate local 192.168.1.x) and see if that fix the issue.

Thx

MS

chigumbab · ‎02-20-2012

Hi

Thank you for the reply. I tried that but it didn't work. What else do you suggest i try?

varrao · ‎02-20-2012

Hi,

can you provide me the output of:

packet-tracer input outside tcp 4.2.2.2 23456 196.68.99.x 80 detailed

and also can you provide the running config from the ASA, you can hide the ip's if you want.

Thanks,

Varun

Thanks,
Varun Rao

chigumbab · ‎02-21-2012

Varun

How are you man. We meet again. Thank you so much for your help last time. Please find attached the partial configs.

varrao · ‎02-21-2012

Hello Chigumbab,

Its nice to see you after a while as well

I checked the packet tracer and it is allowing all the packets, are all the ports not working or only some specific??

Can you take captures on the asa.

access-list cap permit tcp host xx.xx.xx.150 any

access-list cap permit tcp any host xx.xx.xx.150

access-list cap permit tcp any host xx.xx.xx.20

access-list cap permit tcp host xx.xx.xx.20 any

capture capin access-list cap interface inside

capture capo access-list cap interface outside

Then generate some traffic and collect the output of "show cap capin" and "show cap capo"

It would be interesting to see where the packets are being dropped.

Thanks,

Varun

Thanks,
Varun Rao

chigumbab · ‎02-21-2012

Hi Varun

It's allowing the packets in and out that's working fine but my issue is, for reverse DNS on the mail server, traffic originating from internal ip x.x.x.20 on 25 is showing as if it's coming from the Firewall external IP which is x.x.x.253 instead of x.x.x.150. I want traffic coming from the internal IP x.x.x.20 to be natted and goes out via it's nated public IP x.x.x.150 and not the firewall external IP x.x.x.253

varrao · ‎02-21-2012

Hi Chigumbab,

Nope that would not work, because you have just done port forwarding and allowed only specfic ports on the xx.xx.xx.150 ip address, so the DNS traffic would definitely be natted to the outside interface, because of the nat-global statements that you have, just as a workaround add the statement at the end of all the statics :

static (inside,outside) tcp x.x.x.150 smtp x.x.x.20 smtp netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 587 x.x.x.20 587 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 pop3 x.x.x.20 pop3 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 3389 x.x.x.20 3389 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 1433 x.x.x.20 1433 netmask 255.255.255.255

static (inside,outside) tcp x.x.x.150 3306 x.x.x.20 3306 netmask 255.255.255.255

static (inside,outside) x.x.x.150 x.x.x.20

and now if the server goes to the internet, it should show the IP x.x.x.150

Don't worry it would not allow any other ports to be opened as you have restricted the incoming ports through the ACL.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

chigumbab · ‎02-21-2012

Thanks Varun, you are the man!!!!!!!

varrao · ‎02-21-2012

Hey thats great!!!! hope to see you soon.

Varun

Thanks,
Varun Rao