
ASA Policy NAT Question


K.J. 44
Sep 14, 2006, 9:12:51 AM
Hi,

I would like to first say thanks to all who have helped me with my ASA.
It has been my first time working with one and it has been interesting
learning it. For those of you who helped me before, I have no idea why it
wouldn't let anything through. I simply removed everything, and put it
all back in one at a time, testing each time. Now it is working.
There must be something I am missing, but when I look at my old configs
and my new configs, they look almost identical. It doesn't matter
because it is working...

Now my current issue is this. I am trying to configure static policy
NAT to check an ACL to see if the information is coming from or
destined to my server on port 25, so that mail traffic has a different
public IP than everything else. My current PAT for everything else is
working fine. Here is my ACL and NAT statement:

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25
access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any

static (inside,outside) PUBLIC.IP.2 access-list policy_PAT_SMTP

Here is my normal PAT, which works fine (from the sh nat command):

match ip inside 192.168.0.0 255.255.0.0 outside any dynamic translation
to pool 2 (PUBLIC.IP.1)

There are no hits on the policy NAT. Does anybody see anything
glaringly wrong? I have been trying to telnet in on port 25 to test my
mail server's connectivity.

Thanks.

K.J. 44
Sep 14, 2006, 10:49:22 AM
When my server sends mail, it is getting translated with the PAT
instead of the policy NAT. This is not good. Mail is going through,
but mail will not be able to come in like this.

There has to be something wrong with the ACL.

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 any eq 25

-- A match if the source address is the server and destination address
is anything using port 25

access-list policy_PAT_SMTP permit tcp host 192.168.1.4 eq 25 any

-- A match if the source is the server on port 25 to anywhere

Now, with the policy NAT, the reverse is true, right? So the second
rule can also be read as "A match if the source is anywhere and the
destination is the server on port 25."

Would I need to create a second Policy NAT that had something like:

access-list policy_outside_SMTP permit tcp any host PUBLIC.IP eq 25
static (outside,inside) PRIVATE.IP access-list policy_outside_SMTP

Thanks.

K.J. 44
Sep 14, 2006, 10:55:07 AM
Okay, well, I can't even do the last command, so someone please shed some
light for me.

Thanks.

K.J. 44
Sep 14, 2006, 11:30:05 AM
Okay, my last post before I wait for a response (I feel like I am
talking to myself :) )

What I want is to have JUST SMTP traffic from the server translated to
PUBLIC IP #2, and all other traffic from everyone translated to PUBLIC
IP #1. I thought I could do that with policy NAT.

Thanks in advance.
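Added example, not from any poster in this thread: a small Python model of how the ASA consults the policy_PAT_SMTP ACL posted above, forward for inside-to-outside traffic (with static policy NAT evaluated before the dynamic PAT) and mirrored for inbound connections, as the second post reasons. The outside addresses and ports in the flows are constructed; PUBLIC.IP.1/2 are kept as the poster's opaque placeholders.

```python
# Constructed model of ASA/PIX static policy NAT matching, using the ACL
# and inside addresses from this thread. Protocol is assumed TCP throughout.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
SERVER = ip_network("192.168.1.4/32")
INSIDE = ip_network("192.168.0.0/16")    # the dynamic PAT's source range

# (src net, src port or None=any, dst net, dst port or None=any), in ACL order:
#   permit tcp host 192.168.1.4 any eq 25
#   permit tcp host 192.168.1.4 eq 25 any
POLICY_PAT_SMTP = [
    (SERVER, None, ANY, 25),
    (SERVER, 25, ANY, None),
]

def ace_matches(ace, src, sport, dst, dport):
    """Test one ACE against a flow; None in a port field means 'any'."""
    src_net, src_port, dst_net, dst_port = ace
    return (ip_address(src) in src_net and ip_address(dst) in dst_net
            and src_port in (None, sport) and dst_port in (None, dport))

def outbound_mapped_ip(src, sport, dst, dport):
    """Inside->outside: the static policy NAT is consulted before dynamic PAT."""
    if any(ace_matches(a, src, sport, dst, dport) for a in POLICY_PAT_SMTP):
        return "PUBLIC.IP.2"   # static (inside,outside) PUBLIC.IP.2 access-list ...
    if ip_address(src) in INSIDE:
        return "PUBLIC.IP.1"   # match ip inside 192.168.0.0/16 -> pool 2
    return None

def inbound_real_ip(src, sport, mapped_dst, dport):
    """Outside->inside: a static is bidirectional, so the same ACL is checked
    with the real server address substituted and source/destination mirrored.
    An inbound SMTP connection therefore lands on the second ACE."""
    if mapped_dst != "PUBLIC.IP.2":
        return None
    real = "192.168.1.4"
    if any(ace_matches(a, real, dport, src, sport) for a in POLICY_PAT_SMTP):
        return real
    return None
```

Running outbound_mapped_ip on a port-25 flow from the server versus a port-80 flow from the same host shows the split the poster wants: only SMTP leaves as PUBLIC.IP.2, everything else falls through to the PUBLIC.IP.1 PAT.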

englishoaks
Sep 15, 2006, 4:32:58 AM
I've done something like this with PIX 6.3; it might help you...?
I needed to policy NAT traffic to a certain destination (down a VPN, as
it happens)... so I did it like this:
translating to 192.168.228.0, and then setting my VPN trigger ACL to
pick up the 228.0 traffic, as opposed to the 1.0 traffic, which was
NATed like normal.

access-list policynat permit ip 192.168.1.0 255.255.255.0 host x.x.x.x
static (inside,outside) 192.168.228.0 access-list policynat 0 0

Let me know how you go?

Matt

K.J. 44
Sep 15, 2006, 11:08:23 AM
I was hoping to just translate the info on port 25 with this policy, but
I could not get it to work, so I just put in a static translation for
anything from that server and only allowed certain traffic through to
the public IP. It is working fine.

Thanks for your input.
