I'm trying to make a simple thing: to separate a traffic using "static" statements. However, the command is not working correctly. Please, check the attached file.
Let's see the details. I'm using ASA 5510 version 8.0(4). The problem is that, when I use mentioned "static" commands, the mail server stil tries to contact external SMTP servers using the "global" address configured to a regular NAT instead of using the static configured address. I have to force the static mapping of the right IP address to the right machine.
What am I doing wrong?
I appreciate the help.
Maybe I'm misunderstanding you, but are you trying to have your mail server go out as a different address than what your global interface ip is? If so, you can do:
global (outside) 2
nat (dmz) 2
It will go out as whatever address you want it to.
This is it, but I have two machines (1 web/dns server and 1 smtp server) sharing the same external IP address. I don't have a second available address. So, I guess I still have to use a "static" statement. Why my mapping doesn't work?
I'm not sure what you're wanting to do with the static commands. Statics are used to translate from one address to another.
If your public address is 126.96.36.199, and your mail server is 192.168.1.50, your static would be:
static (inside,outside) tcp 188.8.131.52 25 192.168.1.50 25 netmask 255.255.255.255
If you're sharing the public address, you can do:
static (inside,outside) tcp 184.108.40.206 80 192.168.1.100 80 netmask 255.255.255.255
The above tells the ASA to forward traffic that comes in on your public ip on port 25 to your mail server, and anything that comes in on port 80 will forward to your web server.
You'll also need an access-list on your outside interface that allows the traffic in:
access-list outside permit tcp any host 220.127.116.11 eq 25
access-list outside permit tcp any host 18.104.22.168 eq 80
access-list outside in interface outside
When you create your statics, try running clear xlate to make them effective immediately.
Oh, and any outbound traffic from either your web server or mail server will go out as your global ip address. NAT and global statements are used for outbound traffic, and statics are used for inbound generally.
This is all already done. Your last paragraph is what I'm facing as a problem. Let's see what you wrote:
"Oh, and any outbound traffic from either your web server or mail server will go out as your global ip address. NAT and global statements are used for outbound traffic, and statics are used for inbound generally."
Actually, if I'm not wrong, once I establish a static mapping (full or related to a single port), that machine will use that mapping to ANY connection being in->out or out->in. My problem is exactly this: my mail server is not using the static mapping. It's using the nat/global mapping.
You said yourself in an earlier post that you only had one address. That address is the one that you're receiving your mail on, and the one that your mail will go out. If your static is referencing your public address, then the static is working. Otherwise, I don't know what your real issue is.
my mail server is not using the static mapping. It's using the nat/global mapping.
How do you know it's using the global mapping and not the static if you only have the one address?
I apologize for any confusion. I have ONE address to share between my two servers. My company global IP address is not being considered for this case. As you can see in my attached file, I'm running a PAT to the other machines and the static mappings to the servers.
So let me get this straight:
Your ASA public address IS different than the public address that you have natted in your static config?
If you get on the mail server and go to http://www.whatismyip.com, do you get back the address of the ASA or the static address that you mapped?
Try this configuration:
static (dmz,outside) tcp outside_ip smtp dmz_ip_1 smtp
static (dmz,outside) udp outside_ip 53 dmz_ip_2 53
static (dmz,outside) tcp outside_ip 80 dmz_ip_2 80
nat (dmz) 1 dmz_ip_1 255.255.255.255
global (dmz) 1 outside_ip
nat (dmz) 2 dmz_net
global (outside) 2 interface