NAT Rules ASA 5510 8.3

Hey Guys,

 

I am using the ASA 5510 version 8.3 and I am trying to set up a NAT rule, but I am not an expert with ASA... so I will post my doubt here.

My customer wants to map the external IP address (eg: 99.99.99.99) to an internal mail server IP address (eg: 172.16.1.1).

Just to get email into the mail server from outside.

I have created the object group to match the mail server and created an access-list to allow just the SMTP traffic, but I don't know how to set up the NAT configuration.

Can you help me?

My configuration until now:

object network Mailserver
 host 172.16.1.1

access-list OUTSIDEMAILSERVER-IN extended permit tcp any object Mailserver eq smtp
access-list OUTSIDEMAILSERVER-IN extended permit tcp any eq smtp object Mailserver

Apply the ACL on the outside interface:

access-group OUTSIDEMAILSERVER-IN in interface outside

Now, I guess that I need a NAT configuration, but I don't know how to set it up and the best way to set it up.

Thx.

Comments

  • Hi,

    You have two options here. You can map all the traffic with the following NAT config:

    object network Mailserver
     host 172.16.1.1
     nat (INSIDE,OUTSIDE) static 99.99.99.99

    Or you can NAT just SMTP traffic on port 25:

    object network Mailserver
     host 172.16.1.1
     nat (INSIDE,OUTSIDE) static 99.99.99.99 service tcp 25 25

    HTH

    Good luck!

  • Hi,

    When I did that, no commands appeared for me:

    object network Mailserver
     host 172.16.1.1
     nat (INSIDE,OUTSIDE) source....

  • Hi,

    When I did that, no commands appeared for me:

    object network Mailserver
     host 172.16.1.1
     nat (INSIDE,OUTSIDE) source....

    Sorry, I did not understand. No commands appeared when you used the context-sensitive help (?), or when you did a show run nothing appeared?

    Can you do a ? after nat (INSIDE,OUTSIDE) and post me the output?

    Thank you!

  • Hi,

    Sorry,

    there is an overlap between my interfaces:

    AthloneASA(config-network-object)# nat (inside_new,outside) static 99.99.99.99
    ERROR: Address 99.99.99.99 overlaps with Outside interface address.
    ERROR: NAT Policy is not downloaded

    AthloneASA(config-network-object)#

  • That's because you have 99.99.99.99 configured on your OUTSIDE interface, so it won't work with the IP. You have to use the interface keyword instead, as follows:

    object network Mailserver
     nat (INSIDE,OUTSIDE) static interface

    object network Mailserver
     nat (INSIDE,OUTSIDE) static interface service 25 25

    HTH

    Good luck!

  • Hi,

    The command works fine, thanks a lot.

    But the problem is not fixed, I can reach the mailserver from outside to inside, I don't know why.

    I did a packet tracer and look at that:

    Phase: 1
    Type: CAPTURE
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad2d1ef0, priority=13, domain=capture, deny=false
            hits=3864828, user_data=0xad89f8b0, cs_id=0x0, l3_type=0x0
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0000.0000.0000
            input_ifc=Outside, output_ifc=any

    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xacbfc110, priority=1, domain=permit, deny=false
            hits=175567957, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=Outside, output_ifc=any

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.0   255.255.255.0   Inside_New

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xacc01908, priority=500, domain=permit, deny=true
            hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=99.99.99.99, mask=255.255.255.255, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=Outside, output_ifc=any

    Result:
    input-interface: Outside
    input-status: up
    input-line-status: up
    output-interface: Inside_New
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    When I changed the DNS record to another IP address, not the same as my outside IP address, it worked.

    Anyway...

    thanks, you helped me a lot with the config.
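The trace above is long, and the useful part for troubleshooting is the first phase with Result: DROP together with the fields of the rule it matched. The following parser is an added example, not code from the thread or from Cisco: it takes packet-tracer text (a constructed, trimmed copy of the output posted above is embedded as sample input), splits it into phases, and reports the dropping phase, its matched rule's src/dst, and the final Drop-reason. A helper also checks whether the denying rule is keyed on one of the firewall's own interface addresses, which is what the matched rule in this trace shows (src 99.99.99.99/32, the address the thread says is on the Outside interface); the interface address list passed to it is an assumption taken from the thread, not something the parser discovers.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a trimmed copy of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2d1ef0, priority=13, domain=capture, deny=false
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacbfc110, priority=1, domain=permit, deny=false
        input_ifc=Outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.150.0   255.255.255.0   Inside_New

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacc01908, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=99.99.99.99, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Outside, output_ifc=any

Result:
input-interface: Outside
output-interface: Inside_New
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Config|Action|Drop-reason):\s*(.*)$")
IP_RE = re.compile(r"(src|dst) ip/id=([\d.]+), mask=([\d.]+)")


def parse_trace(text: str) -> Tuple[List[Dict], Dict]:
    """Split packet-tracer output into per-phase dicts plus the final summary dict."""
    phases: List[Dict] = []
    summary: Dict = {}
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "result": "",
                       "config": "", "deny": None, "src": None, "dst": None}
            phases.append(current)
            continue
        if line == "Result:":            # bare "Result:" starts the closing summary block
            current = summary
            continue
        if current is None:              # text before the first phase: ignore
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
            continue
        if current is not summary and line == "Implicit Rule" and not current["config"]:
            current["config"] = "Implicit Rule"   # Config: line was empty; rule is implicit
        elif "deny=" in line:
            current["deny"] = "deny=true" in line  # matched rule's verdict
        for m in IP_RE.finditer(line):             # src/dst of the matched rule, as ip/mask
            current[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    return phases, summary


def find_drop(phases: List[Dict], summary: Dict) -> Optional[Dict]:
    """Return the first phase whose Result is DROP, with the summary's Drop-reason attached."""
    for p in phases:
        if p.get("result") == "DROP":
            return {"phase": p["phase"], "type": p["type"], "config": p["config"],
                    "src": p["src"], "dst": p["dst"], "reason": summary.get("drop-reason")}
    return None


def denied_by_own_interface_address(drop: Dict, interface_ips: List[str]) -> bool:
    """True when the denying rule is keyed on a single host source that is one of the firewall's interface IPs."""
    if not drop or not drop.get("src"):
        return False
    ip, mask = drop["src"].split("/")
    return mask == "255.255.255.255" and ip in interface_ips


if __name__ == "__main__":
    phases, summary = parse_trace(SAMPLE_TRACE)
    drop = find_drop(phases, summary)
    print(drop)
    # Assumed from the thread: 99.99.99.99 is configured on the Outside interface.
    print("source is firewall's own interface IP:",
          denied_by_own_interface_address(drop, ["99.99.99.99"]))
```

Run it against a saved `packet-tracer` output to get the dropping phase at a glance; when the denying rule's source is the firewall's own interface address, the next thing to check is the source address given to the packet-tracer command itself.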

  • Usually you will use a different IP address than your interface's IP address; that's better and recommended.

    As per your capture output, I can see that the connection failed due to your ACL.

    What does your ACL look like?

    Glad to help

    Good luck!

  • Hi,

    that was the implicit rule:

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule

  • Could you post for me the packet tracer command that you are executing?

    Thank you!
