simple PAT question

If I have a host on an internal network listening on a port such as 25 (SMTP), can I, on the ASA, translate a different port such as 225 to 25 while at the same time allowing port 25 to the host to pass through unchanged, and still have the external hosts connecting on port 25 actually receive their return traffic?

It seems to me like the problem is with the return traffic from the server, which is always translated to 225 when I enter a rule such as the following.

static (inside,outside) tcp 10.0.1.43 225 10.0.1.43 smtp netmask 255.255.255.255

If anyone can advise I'd appreciate it.

thanks

Chris

Comments

  • I am not getting your question. Can you please elaborate?

    static (inside,outside) tcp 10.0.1.43 225 10.0.1.43 smtp netmask 255.255.255.255

    With the above rule, the following happens:

    Any traffic from inside with source IP address 10.0.1.43 and source port 25 will be translated to IP address 10.0.1.43 and source port 225.

    Any traffic from outside destined to IP address 10.0.1.43 and port 225 will be translated to IP address 10.0.1.43 and port 25.

    With this rule, traffic from server 10.0.1.43 port 25 will always be translated to 225 when going outside, irrespective of whether it is initiated or return traffic.

     

    With regards

    Kings

  • Hi Kingsley,

    Yes, that's the problem really: with this rule in place any traffic from the server on source port 25 will be translated to port 225, and the connection initiator is irrelevant. My question is whether there is a different syntax for NAT on the ASA to allow it to track incoming connections on port 225 as they are PAT'd to 25, and then ONLY translate the return server SMTP traffic to 225 for those connections which were originally translated, leaving all other SMTP traffic unchanged?

    Hope this makes sense?

    My guess is that this isn't possible without using a different port on the server?

    Many thanks

    Chris

  • I am not sure Chris.

    Unless there is an option for policy based static redirection rule, I think we can't do it.

    Let's wait for other's input.

     

    With regards

    Kings

  • Chris

    Let me first see if I understand your question here.

    1. You have a mail server inside, and traffic generated on port 25 must not be translated when it is sent outside.

    2. Traffic generated from outside on mapped port 225 should be inspected as SMTP.

    3. It should also be translated to port 25. (So much for a simple PAT question ;) )

    Here is my wild guess:

    A. You can create a NAT exemption rule for condition 1.

       MPF for condition 2 (plus the necessary ACL for permitting traffic on 225 at outside).

       Static for condition 3.

    Since NAT exemption is highest in the order, it should kick in first.

    Kings, excellent description of static translation. I bet many candidates struggle with how static NAT functions. You have been a gem of a poster; best of luck for your exam, mate.

     

    cheers

    Chandan Sharma

    CCIE#19701(R&S,Security)


  • Hi,

    Yes, you're correct. I'll give it a try from what you've said.

     

    thanks

    Chris

  • This will work ONLY if the source traffic looking for the server can be differentiated (in other words: different source IP addresses looking for the server).

    Example:

    If traffic from network A wants to reach the server's public IP address 10.0.1.43 on port 225, you would need an ACL like:

    access-list <name1> permit tcp host 10.0.1.43 eq 25 <Network A> <NetMask A>

    then the policy static:

    static (i,o) tcp 10.0.1.43 225 access-list <name1>

    and the rest of the traffic looking for the server won't be translated. If you have nat-control enabled, you will need another policy static entry:

    access-list <name2> permit tcp host 10.0.1.43 eq 25 any

    static (i,o) tcp 10.0.1.43 25 access-list <name2>

    You will HAVE TO enter the policy statics in that order:

    1) static (i,o) tcp 10.0.1.43 225 access-list <name1>

    2) static (i,o) tcp 10.0.1.43 25 access-list <name2>

    If the source traffic looking for the server cannot be differentiated, then there is no solution, and the reason is: bad design.

     

    Hope this helps.

     

    Adrian
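To make Adrian's policy static concrete, and to cover the MPF inspection Chandan raised in his point 2, here is an added configuration example for a pre-8.3 ASA. It is not from the original thread or from Cisco documentation; it assumes the interfaces are named inside and outside, that the server's real and mapped address are both 10.0.1.43 as in the thread, that "Network A" is the constructed value 203.0.113.0/24, and that the outside interface ACL is named outside_in. All ACL and class names are made up for the example.

```text
! Policy static: only connections from Network A (constructed value 203.0.113.0/24)
! arriving at 10.0.1.43:225 are translated to the server's real port 25.
access-list PAT_SMTP_225 extended permit tcp host 10.0.1.43 eq 25 203.0.113.0 255.255.255.0
static (inside,outside) tcp 10.0.1.43 225 access-list PAT_SMTP_225

! Everyone else reaches port 25 untranslated. This second entry is only required
! when nat-control is enabled; the more specific 225 static must be entered first.
access-list PAT_SMTP_25 extended permit tcp host 10.0.1.43 eq 25 any
static (inside,outside) tcp 10.0.1.43 25 access-list PAT_SMTP_25

! Outside interface ACL (pre-8.3: written against the mapped address and port).
! Permit the redirected port only from Network A, and plain SMTP from anywhere.
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 10.0.1.43 eq 225
access-list outside_in extended permit tcp any host 10.0.1.43 eq smtp
access-group outside_in in interface outside

! MPF: the default inspection class only matches port 25, so add a class for
! the redirected port so those connections are inspected as ESMTP too.
class-map SMTP_225
 match port tcp eq 225
policy-map global_policy
 class SMTP_225
  inspect esmtp
```

To check the result without waiting for a real client, run packet-tracer from the outside interface for both ports, e.g. `packet-tracer input outside tcp 203.0.113.10 40000 10.0.1.43 225` and the same with destination port 25, and confirm the NAT phase shows the translation only for the 225 case; `show xlate` and `show conn` will then show which static each live connection matched. The limitation Adrian states still applies: a source that cannot be distinguished by address falls into the catch-all and is never redirected.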

  • Hi, actually it's not really bad design, as it was never designed to act like this. This is a new requirement which obviously can't be done with the ASA.

    To reiterate: an SMTP mail server must listen and send on port 25. If some SOHO customers cannot send mail to our server on this port because their ISP blocks it, it leaves us in this situation.

    I could perhaps implement this on a per-customer basis with policy statics like you said, if they use static IPs from the ISP; if not, then it seems like it's not possible.

    Thanks for the input

     

    Chris
