ASA Policy NAT Question

Discussion in 'Cisco' started by K.J. 44, Sep 14, 2006.

  1. K.J. 44

    K.J. 44 Guest

    Hi,

    I would like to first say thanks to all who have helped me with my ASA.
    It has been my first time working with one and it has been interesting
    learning it. For those of you helping me before, I have no idea why it
    wouldn't let anything through. I simply removed everything, and put it
    all back in one at a time, testing each time. Now it is working.
    There must be something I am missing but when I look at my old configs
    and my new configs, they look almost identical. It doesn't matter
    because it is working....

    Now my current issue is this. I am trying to configure static policy
    NAT to check an ACL to see if the information is coming from or
    destined to my server on port 25, so that mail traffic has a different
    public IP than everything else. My current PAT for everything else is
    working fine. Here is my ACL and NAT statement:

    access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25
    access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any

    static (inside,outside) PUBLIC.IP.2 access-list policy_PAT_SMTP

    Here is my normal PAT which works fine: (from sh nat command)

    match ip inside 192.168.0.0 255.255.0.0 outside any dynamic translation
    to pool 2 (PUBLIC.IP.1)

    There are no hits on the policy NAT. Does anybody see anything
    glaringly wrong? I have been trying to telnet in on port 25 to test my
    mail server's connectivity.

    Thanks.
    K.J. 44, Sep 14, 2006
    #1
  2. K.J. 44

    K.J. 44 Guest

    When my server sends mail, it is getting translated with the PAT
    instead of the policy NAT. This is not good. Mail is going out,
    but mail will not be able to come in like this.

    There has to be something wrong with the ACL.

    access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25
    -- A match if the source address is the server and destination address
    is anything using port 25

    access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any
    -- A match if the source is the server on port 25 to anywhere

    Now, with the policy NAT, the reverse is true right? So the second
    rule can be read also as "A match if the source is anywhere and the
    destination is the server on port 25. "

    Would I need to create a second Policy NAT that had something like:

    access-list policy_outside_SMTP permit tcp any host PUBLIC.IP eq 25
    static (outside,inside) PRIVATE.IP access-list policy_outside_SMTP

    thanks.
    K.J. 44, Sep 14, 2006
    #2
  3. K.J. 44

    K.J. 44 Guest

    Okay, well I can't even do the last command, so someone please shed some
    light for me.

    Thanks.

    K.J. 44, Sep 14, 2006
    #3
  4. K.J. 44

    K.J. 44 Guest

    Okay, my last post before I wait for a response (I feel like I am
    talking to myself :) )

    What I want is to have JUST SMTP traffic from the server translated to
    the PUBLIC IP #2. All other traffic from everyone translated to PUBLIC
    IP #1. I thought I could do that with policy NAT.

    Thanks in advance.
    K.J. 44, Sep 14, 2006
    #4
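    A small Python model of how a pre-8.3 ASA would pick a translation for the configuration in the first post, added here as an example and not taken from the thread. It parses the two ACEs (showing that an `eq` placed right after the source address matches the source port, not the destination), then applies the documented pre-8.3 order of NAT operations, in which static NAT (regular and policy) is consulted before regular dynamic NAT. The 203.0.113.x destinations and the ephemeral source ports are constructed test values.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list NAME permit PROTO SRC [eq P] DST [eq P]'. An 'eq' right after
    the source address is a SOURCE port (thread's second ACE); 'any eq 25' is a DESTINATION port."""
    tok = line.split()
    name, proto, rest = tok[1], tok[3], tok[4:]
    def addr(r):
        if r[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), r[1:]
        if r[0] == "host":
            return ipaddress.ip_network(r[1]), r[2:]
        return ipaddress.ip_network(f"{r[0]}/{r[1]}"), r[2:]  # "addr mask" form
    def port(r):
        return (int(r[1]), r[2:]) if r[:1] == ["eq"] else (None, r)
    src, rest = addr(rest); sp, rest = port(rest)
    dst, rest = addr(rest); dp, rest = port(rest)
    return name, (proto, src, sp, dst, dp)

def ace_matches(ace, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port) as seen on the inside."""
    proto, src, sp, dst, dp = ace
    fproto, fsrc, fsp, fdst, fdp = flow
    return (proto in ("ip", fproto)
            and ipaddress.ip_address(fsrc) in src and sp in (None, fsp)
            and ipaddress.ip_address(fdst) in dst and dp in (None, fdp))

# The thread's ACL, parsed into a name -> [ACE] table (first-match order).
ACL = {}
for ln in ("access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25",
           "access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any"):
    name, ace = parse_ace(ln)
    ACL.setdefault(name, []).append(ace)

# Pre-8.3 NAT order of operations: nat 0 exemption, static (regular and policy),
# policy dynamic, regular dynamic. So the static policy rule is consulted before the PAT.
NAT_RULES = [
    ("static-policy", "policy_PAT_SMTP", "PUBLIC.IP.2"),  # static (inside,outside) PUBLIC.IP.2 access-list ...
    ("dynamic", ipaddress.ip_network("192.168.0.0/255.255.0.0"), "PUBLIC.IP.1"),  # pool 2
]

def select_translation(flow):
    """Mapped address an inside->outside flow receives, or None if no rule applies."""
    for kind, match, mapped in NAT_RULES:
        if kind == "static-policy" and any(ace_matches(a, flow) for a in ACL[match]):
            return mapped
        if kind == "dynamic" and ipaddress.ip_address(flow[1]) in match:
            return mapped
    return None
```

    Calling `select_translation(("tcp", "192.168.1.4", 49152, "203.0.113.25", 25))` returns PUBLIC.IP.2, while web traffic from the same server or SMTP from any other inside host falls through to PUBLIC.IP.1, which is the split asked for in this post.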
  5. englishoaks

    englishoaks Guest

    I've done something like this with PIX 6.3, might help you...?
    I needed to policy NAT traffic to a certain destination (down a VPN as
    it happens).... so I did it like this...
    translating to 192.168.228.0, and then setting my VPN trigger ACL to
    pick up the 228.0 traffic, as opposed to the 1.0 traffic which was
    NATed like normal

    access-list policynat permit ip 192.168.1.0 255.255.255.0 host x.x.x.x
    static (inside,outside) 192.168.228.0 access-list policynat 0 0

    let me know how you go?

    Matt

    englishoaks, Sep 15, 2006
    #5
  6. K.J. 44

    K.J. 44 Guest

    I was hoping to just translate with this policy the info on port 25 but
    I could not get it to work so I just put in a static translation for
    anything from that server and only allowed certain traffic through to
    the public IP. It is working fine.

    Thanks for your input.
    K.J. 44, Sep 15, 2006
    #6