ASA - Added a public server and it is restricted to that traffic

lagray
Level 1

I added an internal mail server to a brand new ASA5510 today.  I used the GUI because it's a pretty straight forward install.  Anyway, I added a mail server to allow port 25 traffic inbound on a static nat address dedicated to that server.  But now, that server can't do anything else on the internet: Browsing or DNS lookups, etc.  The server is also the DNS server internally.  What am I most likely missing?

Accepted Solution

Hi 

It's not about the MAC address, it's about proxy ARP.

  • Addresses on the same network as the mapped interface.

If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the ASA does not have to be the gateway for any additional networks. This solution is ideal if the outside network contains an adequate number of free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT. Dynamic PAT greatly extends the number of translations you can use with a small number of addresses, so even if the number of available addresses on the outside network is small, this method can be used. For PAT, you can even use the IP address of the mapped interface.


Note: If you configure the mapped interface to be any interface, and you specify a mapped address on the same network as one of the mapped interfaces, then if an ARP request for that mapped address comes in on a different interface, you need to manually configure an ARP entry for that network on the ingress interface, specifying its MAC address (see the arp command). Typically, if you specify any interface for the mapped interface, then you use a unique network for the mapped addresses, so this situation would not occur.


 

  • Addresses on a unique network.

If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The upstream router needs a static route for the mapped addresses that points to the ASA. Alternatively for routed mode, you can configure a static route on the ASA for the mapped addresses, and then redistribute the route using your routing protocol. For transparent mode, if the real host is directly-connected, configure the static route on the upstream router to point to the ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.

 

Mapped Addresses and Routing

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html

 

HTH

Sandy


10 Replies

 

Hi,

Check your NAT settings. It looks like you haven't configured them properly, and thereby you have lost all connection towards the internet. Share your CLI config with me for more support.

HTH

Sandy.

 

Here is the scrubbed config.  We started with nothing but the PAT config and everything as far as browsing and DNS worked from all computers.  The minute I added a static NAT for the mail server and allowed SMTP traffic inbound, the mail server (MS SBS) was no longer able to do DNS lookups, which halted everyone from browsing.

 


ASA Version 8.2(5)
!
hostname ciscoasa

names
name 4.4.4.209 Internet_Gateway
name 192.168.2.75 RDP1
name 192.168.2.253 Mail_Server
name 4.4.4.222 Public_RDP1
name 192.168.2.250 VLAN_Switch
name 192.168.200.0 VLAN50
name 192.168.20.0 VLAN101
name 192.168.10.0 VLAN102
name 192.168.1.0 VLAN103
name 4.4.4.210 Public_Mail
!
interface Ethernet0/0
    switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
    nameif outside
    security-level 0
    ip address 4.4.4.211 255.255.255.240
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group service RDP tcp-udp
    description 3389-TCPUDP
    port-object eq 3389
object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
object-group network SPAM_Filter_Mail_Servers
    ** Bunch of Network Objects to allow SPAM Filtering servers to deliver mail **
object-group service SBS_Services
    description Non SMTP Services
    service-object tcp-udp eq 3389
    service-object tcp eq www
    service-object tcp eq https

access-list global_mpc extended permit ip any any
access-list outside_access extended permit tcp object-group SPAM_Filter_Mail_Servers host Public_Mail eq smtp
access-list outside_access extended permit object-group SBS_Services any host Public_Mail
access-list outside_access extended permit object-group TCPUDP any host Public_RDP1 object-group RDP

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (outside) 2 4.4.4.215-4.4.4.219 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) Public_RDP1 RDP1 netmask 255.255.255.255
static (inside,outside) Public_Mail Mail_Server netmask 255.255.255.255

access-group outside_access in interface outside

route outside 0.0.0.0 0.0.0.0 Internet_Gateway 1
route inside VLAN103 255.255.255.0 VLAN_Switch 1
route inside VLAN102 255.255.255.0 VLAN_Switch 1
route inside VLAN101 255.255.255.0 VLAN_Switch 1
route inside VLAN50 255.255.255.0 VLAN_Switch 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match access-list global_mpc
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
  inspect icmp
!
service-policy global_policy global

: end
asdm location Internet_Gateway 255.255.255.255 inside
asdm location Public_RDP1 255.255.255.255 inside
asdm location RDP1 255.255.255.255 inside
asdm location Mail_Server 255.255.255.255 inside
asdm location VLAN_Switch 255.255.255.255 inside
asdm location VLAN102 255.255.255.0 inside
asdm location VLAN101 255.255.255.0 inside
asdm location VLAN50 255.255.255.0 inside
asdm location VLAN103 255.255.255.0 inside
asdm location Public_Mail 255.255.255.255 inside
no asdm history enable

 

Hi,

NAT config looks okay.

"The minute I added a static NAT for the mail server and allowed SMTP traffic inbound, the mail server (MS SBS) was no longer able to do DNS lookups, which halted everyone from browsing." ??

You mean to say that after you did the static NAT for your mail server, it impacted users' browsing as well? Does that mean your mail server also supports/runs DNS services for your local network?

Does the public IP defined for your mail server have reachability over the public internet? Has it got appropriate routing on the service provider end / your end?

I do see you also have RDP enabled for some machine; does your RDP work from the public IP address?

 

kindly let me know on this 

 

HTH

Sandy

 

 

 

 

Sandy, thanks for helping on this by the way!!

To answer your question, the mail server is an SBS server acting as the primary domain controller, the local DNS server, and is running Exchange.  It is configured for DNS forwarding.

 

So, when I add the static nat command and the access rule to allow smtp traffic back in, the server is no longer able to ping or do dns lookups.

Oh, I rushed.  Just some background info: We are replacing an existing WatchGuard firewall that is using all of the same IP addressing inside and outside with all the same rules, yet for some reason, we are struggling to get the NAT/ACL to allow the SBS server to function.

 

Hi

Good, you have identified that both your WatchGuard and ASA are trying to use the same IP address for your SBS server.

Ensure your rule is set inactive in the WatchGuard firewall before/after moving the traffic to the Cisco ASA to avoid an IP conflict.

 

HTH
Sandy

 

The WatchGuard isn't connected when we are trying to use the ASA.

So, given the configuration, can you see any reason the Mail/SBS server can't ping or get DNS responses?

 

I have tried packet tracer, but it is only one direction.  The problem I am having almost seems like the inspection for the server isn't working during outbound requests.

Ok, we have figured something out, but not sure why it fixes it.  When we replace the watchguard to attempt to get the ASA working, we have to set a NAT address to temporarily be the actual interface address before it will receive any traffic.  It's almost as if the ASA MAC address isn't being associated with an outside address unless it is the interface address.

Not sure how to mark this as answered, but that was it.  I believe the carrier had a very long term ARP cache, because I temporarily swapped the nat'd public address over to the outside interface address and swapped it back after traffic was working.  From that point forward, the NAT setup is working just fine.

Thanks for leading me there!!
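As an added example (not from the thread or from Cisco), the following Python script applies the two cases from the accepted answer to the 8.2 config posted above: it resolves the `name` aliases, reads the outside interface subnet, and reports for each `static` whether the mapped address sits inside that subnet (so the ASA must proxy-ARP for it, and a stale upstream ARP entry left over from the replaced firewall keeps traffic from reaching it) or on another network (so the upstream router needs a static route pointing at the ASA). The config excerpt is constructed from the thread plus one made-up static on 198.51.100.10 to exercise the second case.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2(5) config posted above, plus one made-up
# static (198.51.100.10) on a different subnet to exercise the second case.
ASA_CONFIG = """
name 192.168.2.75 RDP1
name 192.168.2.253 Mail_Server
name 4.4.4.222 Public_RDP1
name 4.4.4.210 Public_Mail
interface Vlan2
    nameif outside
    ip address 4.4.4.211 255.255.255.240
static (inside,outside) Public_RDP1 RDP1 netmask 255.255.255.255
static (inside,outside) Public_Mail Mail_Server netmask 255.255.255.255
static (inside,outside) 198.51.100.10 192.168.2.20 netmask 255.255.255.255
"""

def parse_names(cfg):
    """'name <ip> <alias>' lines -> {alias: ip}."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def parse_interfaces(cfg):
    """Return {nameif: ip_interface} for every interface block carrying an address."""
    ifaces, nameif, addr = {}, None, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        if line.startswith("interface "):
            nameif, addr = None, None  # new block, reset state
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        if nameif and addr:
            ifaces[nameif] = addr
    return ifaces

def classify_statics(cfg):
    """For each 'static (real_if,mapped_if) <mapped> <real>' decide which case applies."""
    names, ifaces, rows = parse_names(cfg), parse_interfaces(cfg), []
    pat = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask", re.M)
    for _real_if, mapped_if, mapped, real in pat.findall(cfg):
        mapped_ip = ipaddress.ip_address(names.get(mapped, mapped))
        # Same subnet as the mapped interface: the ASA answers ARP for it (proxy ARP), so an
        # upstream device still caching the old firewall's MAC keeps sending there until it ages out.
        case = "proxy-arp" if mapped_ip in ifaces[mapped_if].network else "static-route"
        rows.append((mapped, str(mapped_ip), names.get(real, real), case))
    return rows

if __name__ == "__main__": print(*classify_statics(ASA_CONFIG), sep="\n")
```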
