2

Cisco ASA 5510: I currently have a NAT for SMTP on one outside IP to an internal IP. I need to set up 2 external IPs to NAT to the same IP internally. How can I do that? Example:

10.10.10.1 25 --> 192.168.0.200 25
10.10.10.3 25 --> 192.168.0.200 25

Keith
  • 23
  • 1
  • 1
  • 3
  • 1
    What external IP do you want the internal one to respond with through the firewall? Are you needing PAT? Expound on what you are trying to accomplish (multiple ISPs, separating apps, etc.). – TheCleaner Dec 20 '12 at 19:24
  • Could you elaborate on why you want to do this? It would be easier to multi-home your SMTP server and create a 1-to-1 nat for each of its two addresses... – 1.618 Dec 20 '12 at 19:25
  • One outside IP currently points to spam filter and another IP points to Exchange. I want both IPs to point to spam filter. I just changed providers and firewalls. My old firewall allowed this function and wasn't changing the setup really, unless I have to. – Keith Dec 21 '12 at 03:49

4 Answers

5

You won't be able to use static PAT for this as you would break the 1:1 mapping rule. The firewall has to know what mapping to use in both directions, both in->out and out->in. In your case, if 192.168.0.200 originated a connection from port 25, the firewall would not know which global IP to use. In other words, it's not possible this way.

The easiest solution would be to assign an additional IP address on the internal device and keep the NATs clean. Let's say you assign an additional IP of 192.168.0.201. The configuration would be:

static (inside,outside) tcp 10.0.0.1 25 192.168.0.200 25
static (inside,outside) tcp 10.0.0.3 25 192.168.0.201 25
skrobul
  • 361
  • 3
  • 4
  • This worked for me. Straight forward and I should have thought of that too. ;) Thanks for your help. – Keith Dec 21 '12 at 14:36
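The 1:1 rule from the accepted answer, as an added example that is not part of the thread: a small checker (hypothetical helper names) that builds the translation table in both directions, flags the outbound ambiguity for the original two-outside-IPs-to-one-inside-socket plan, and emits the pre-8.3 static lines for a set that passes.

```python
"""Validate ASA-style static PAT mappings for the 1:1 rule and emit config.

Added example, not from the thread. A static translation is consulted in both
directions: inbound packets are matched on the outside (ip, port), outbound
packets on the inside (ip, port). Two outside sockets mapped onto one inside
socket leave the outbound lookup ambiguous, which is why the accepted answer
adds a second inside address (192.168.0.201).
"""
from collections import defaultdict


def check_static_mappings(mappings):
    """mappings: list of (outside_ip, outside_port, inside_ip, inside_port).

    Returns a list of conflict descriptions; an empty list means the set is 1:1.
    """
    by_outside = defaultdict(list)   # inbound lookup key -> inside sockets
    by_inside = defaultdict(list)    # outbound lookup key -> outside sockets
    for out_ip, out_port, in_ip, in_port in mappings:
        by_outside[(out_ip, out_port)].append((in_ip, in_port))
        by_inside[(in_ip, in_port)].append((out_ip, out_port))

    conflicts = []
    for key, targets in by_outside.items():
        if len(targets) > 1:
            conflicts.append("inbound: %s:%d maps to several inside sockets %s"
                             % (key + (targets,)))
    for key, sources in by_inside.items():
        if len(sources) > 1:
            conflicts.append("outbound: %s:%d could translate to any of %s"
                             % (key + (sources,)))
    return conflicts


def render_pre83(mappings, ifaces=("inside", "outside")):
    """One pre-8.3 'static (inside,outside) tcp ...' line per mapping."""
    return ["static (%s,%s) tcp %s %d %s %d" % (ifaces + m) for m in mappings]


if __name__ == "__main__":
    # Constructed input: the plan from the question (both outside IPs -> .200)
    asked = [("10.10.10.1", 25, "192.168.0.200", 25),
             ("10.10.10.3", 25, "192.168.0.200", 25)]
    # Constructed input: the accepted answer's fix (second inside IP .201)
    fixed = [("10.10.10.1", 25, "192.168.0.200", 25),
             ("10.10.10.3", 25, "192.168.0.201", 25)]
    print("\n".join(check_static_mappings(asked)) or "asked: ok")
    print("\n".join(check_static_mappings(fixed)) or "fixed: ok")
    print("\n".join(render_pre83(fixed)))
```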
1

With IOS 8.2 or below:

access-list SMTP-Services extended permit ip host 192.168.0.200 host 10.10.10.1
access-list SMTP-Services2 extended permit ip host 192.168.0.200 host 10.10.10.3

static (InternalInterface,ExternalInterface) 10.10.10.1 access-list SMTP-Services
static (InternalInterface,ExternalInterface) 10.10.10.3 access-list SMTP-Services2

Sorry, I had understood the exact opposite of what you wanted to do.

Don't forget to add an access-list on your External Interface.

access-list _outside-in_ extended permit tcp host 10.10.10.1 host _YourExternalIP_ eq smtp
access-list _outside-in_ extended permit tcp host 10.10.10.3 host _YourExternalIP_ eq smtp
Alex
  • 3,079
  • 20
  • 28
  • There are two things, one I made a slight mistake (see edit) you need two different access-lists. Also, I think you are mixing up the IPs. When you do a static you have to make it as if your local IP wanted to NAT going outside. Since it's a static NAT, when the external IP hits your ASA, it will translate it to the local IP. – Alex Dec 21 '12 at 04:07
  • It would also help to know what version of IOS you are running with a `show version`, because between IOS 8.2 and IOS 8.3, NAT configuration has changed a lot. – Alex Dec 21 '12 at 04:20
1

First you will need to upgrade to ASA post-8.3. Create an object network with the range of IPs for the public side. Then create an object network for the inside/real IP address of the server. Then add a nat statement calling the first object.

!
object network outside_email
 range 10.10.10.1 10.10.10.2

!
!
object network inside_email
 host 192.168.0.200
 nat (inside,outside) static outside_email
Scott Pack
  • 14,717
  • 10
  • 51
  • 83
BillyC5022
  • 11
  • 2
0

There is this same question on another Stack Exchange site here. This works because the protocol, source IP, destination IP and port are all part of the key for this 1:1 mapping. It's also a great technique for network resilience if BGP is out of grasp.

Nate Zaugg
  • 123
  • 5