1. Home
  2. Cisco Systems
  3. ASA Policy NAT Question

ASA Policy NAT Question

Hi,

I would like to first say thanks to all who have helped me with my ASA. It has been my first time working with one and it has been interesting learning it. For those of you helping me before, I have no idea why it wouldn't let anything through. I simply removed everything, and put it all back in one at a time, testing each time. Now it is working. There must be something I am missing but when I look at my old configs and my new configs, they look almost identical. It doesn't matter because it is working....

Now my current issue is this. I am trying to configure static policy nat to check an ACL to see if the information is coming from or destined to my server on port 25 so that mail traffic has a different public ip then everything else. My current PAT for everything else is working fine. Here is my acl and nat statement:

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25 access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any

static (inside,outside) PUBLIC.IP.2 access-list policy_PAT_SMTP

Here is my normal PAT which works fine: (from sh nat command)

match ip inside 192.168.0.0 255.255.0.0 outside any dynamic translation to pool 2 (PUBLIC.IP.1)

There are no hits on the policy NAT. Does anybody see anything glaringly wrong? I have been trying to telnet in on port 25 to test my mail servers connectivity.

Thanks.

Reply to
K.J. 44
Loading thread data ...

When my server sends mail, it is getting translated with the PAT instead of the policy NAT. THis is not good. Mail is going through but mail will not be able to come in like this.

There has to be something wrong with the ACL.

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25

-- A match if the source address is the server and destination address is anything using port 25

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any

-- A match if the source is the server on port 25 to anywhere

Now, with the policy NAT, the reverse is true right? So the second rule can be read also as "A match if the source is anywhere and the destination is the server on port 25. "

Would I need to create a second Policy NAT that had something like:

access-list policy_outside_SMTP permit tcp any host PUBLIC.IP eq 25 static (outside,> Hi,

Reply to
K.J. 44

okay well i cant even do the last command so someone please shed some light for me.

Thanks.

K.J. 44 wrote:

Reply to
K.J. 44

Okay, my last post before I wait for a response (I feel like I am talking to myself :) )

What i want is to have JUST SMTP traffic from the server translated to the PUBLIC IP #2. All other traffic from every> okay well i cant even do the last command so someone please shed some > light for me.

Reply to
K.J. 44

I've done something like this with Pix6.3, might help you...? I needed to policy nat traffic to a certain destination (down a vpn as it happens).... so I did it like this... translating to 192.168.228.0, and then setting my vpn trigger acl to pickup the 228.0 traffic, as opposed to the 1.0 traffic which was nat'ed like normal

access-list policynat permit ip 192.168.1.0 255.255.255.0 host x.x.x.x static (inside,outside) 192.168.228.0 access-list policynat 0 0

let me know how you go?

Matt

K.J. 44 wrote:

Reply to
englishoaks

I was hoping to just translate with this policy the info on port 25 but I could not get it to work so I just put in a static translation for anything from that server and only allowed certain traffic through to the public IP. It is working fine.

THanks for your > I've done something like this with Pix6.3, might help you...?

Reply to
K.J. 44

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.