Zeke2016 asked:

ASA NAT (exchange server)

Hello Experts,

I will be going to our remote office this weekend to complete several projects and I need help with one of them.

I will be physically moving an exchange server from our current remote office location to the new remote location a few miles from there.

Once I have it racked and connected to the network, I will need to do some firewall configuration. I do not have much experience with ASA firewalls and need help. Please include as many details as possible.

Internal IP: 192.168.1.100 (new internal exchange IP)
External IP: 64.x.x.x (new external exchange IP)

ASA Version: 9.0

What changes do I need to make on the ASA firewall to properly translate it (NAT) and allow email flow (port, ACL)? Currently, there is no DMZ. That will be coming a few months from now. Currently, there are only internal and external interfaces on the firewall.

Question #2 - Is it possible to use the same external IP address for two services if they are using different ports? If I assigned the same external IP address to our Exchange server that our web server uses (port 80), would that be OK? Or does each service require a unique external IP address?

Thank you very much,

Zeke
Topics: Cisco, Networking, Exchange


8/22/2022 - Mon
Nico Eisma

I will be physically moving an exchange server from our current remote office location to the new remote location a few miles from there
Are there separate ASAs at each of the sites? But more importantly, does each of the sites (old-remote and new-remote) have its own Internet connection, or will both remote sites be using the same Internet connection as your main office, for example?
If the old-remote and new-remote sites each have their own ISP, you most likely have different public IPs assigned for each site, hence you'll probably replace the public IP of your server once you make the move.
On the new-remote site, will this be a new setup? Meaning, will you be building the ASA from scratch given your IP address assignment, or is it already existing?
Is it possible to use the same external IP address for two services if they are using different ports?
Yes, this is called port forwarding; all of the setups below can be accomplished using the same public IP.
Internet --> 64.x.x.x:80 --> 10.x.x.1:80
Internet --> 64.x.x.x:21 --> 10.x.x.2:21
Internet --> 64.x.x.x:4567890 --> 10.x.x.3:123
Pete Long

Please be aware that, to run Exchange through your ASA, you need to check that you are NOT doing ESMTP inspection!

show run | incl esmtp

The above command will tell you: if it returns nothing you are OK; if it says "inspect esmtp" then you need to disable it!
Cisco ASA Disable ESMTP Inspection

Also if you are receiving mail on the Exchange server make sure your public MX records are shifted over (or there's a new one with a lower preference for the new IP)
Setting up the Correct DNS Records for your Web or Mail Server

Pete
Zeke2016

ASKER
Please see my answers below...


Yes, there are separate ASA on each site.  Each location has its own internet connection.


Correct. I will use a different IP, but just wanted to make sure that the new IP can be used with the email server since it's already used for the web server. Thanks for clarifying that it is possible.


The ASA is already there and functioning properly. All I have to do is make sure proper translation is performed on the ASA firewall for the Exchange server.

Currently there is no DMZ.  

Setup: Exchange Server > Switch >  internal interface -ASA - external interface

If you need any additional information, please let me know.

Please provide the configuration with Port Forwarding option if possible that you mentioned above.

Thank you Ffleisma and thank you Pete.

Zeke
Nico Eisma

Here is a configuration example of port forwarding:
outside (any source) --> 64.1.1.1:80 (firewall outside interface port 80) --> Un-NAT 192.168.1.200:19 (chargen - tcp/19)
outside (any source) --> 64.1.1.1:3389 (firewall outside interface port 3389) --> Un-NAT 192.168.1.100:19 (chargen - tcp/19)
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 64.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!
object network obj_192.168.1.100
 host 192.168.1.100
 !
object network obj_192.168.1.200
 host 192.168.1.200
!
!
object service obj_tcpsmallserver
 service tcp destination eq chargen
!
object service portforward_to_192.168.1.100
 service tcp destination eq 3389
!
object service portforward_to_192.168.1.200
 service tcp destination eq www
!
object network obj_64.1.1.1
 host 64.1.1.1
!
object network obj_192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
!
!  
nat (outside,inside) 1 source static any any destination static interface obj_192.168.1.200 service portforward_to_192.168.1.200 obj_tcpsmallserver unidirectional
nat (outside,inside) 2 source static any any destination static interface obj_192.168.1.100 service portforward_to_192.168.1.100 obj_tcpsmallserver unidirectional
nat (inside,outside) 3 source dynamic obj_192.168.1.0-24 interface
!
!
access-list outside_access_in extended permit icmp any object obj_192.168.1.0-24 echo-reply
access-list outside_access_in extended permit tcp any object obj_192.168.1.200 eq chargen
access-list outside_access_in extended permit tcp any object obj_192.168.1.100 eq chargen
!
access-list inside_access_in extended permit icmp object obj_192.168.1.0-24 any echo
access-list inside_access_in extended permit ip object obj_192.168.1.0-24 any
!
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!


The two interface blocks (GigabitEthernet0/outside and GigabitEthernet1/inside) are the interface configuration.
The object network and object service blocks are the object configuration, which is referenced in the NAT and ACL configuration. You may choose your own naming convention. NAT configuration will only take objects/object-groups when defining source/destination.
nat (outside,inside) 1 is the port forwarding configuration for 64.1.1.1:80 --> 192.168.1.200:19
nat (outside,inside) 2 is the port forwarding configuration for 64.1.1.1:3389 --> 192.168.1.100:19
nat (inside,outside) 3 is the PAT configuration: internal hosts (192.168.1.0/24) accessing the outside (Internet) are NAT/PAT'd to the outside interface (64.1.1.1). You might have other devices (hosts/servers) inside that require access to the Internet, so this NAT configuration may already exist in your configuration.
Take note of the order of the NAT rules from 1-3: the port forwarding NAT configuration comes in front of the PAT configuration. If you have an existing PAT configuration, make sure that the port forwarding configuration you place goes in front of it.
The first outside_access_in entry is just an ACL permitting icmp echo-reply, used to allow replies to ping.
The second outside_access_in entry is the ACL that permits outside traffic (any) to 192.168.1.200 via tcp/19. NAT is done first in the order of operations on ASA 8.3 and above, which translates 64.1.1.1:80 --> 192.168.1.200:19; the ACL is next in the order of operations, hence the ACL refers to the internal IP+port and not the external IP+port.
The third outside_access_in entry is the ACL that permits outside traffic (any) to 192.168.1.100 via tcp/19. NAT is done first in the order of operations on ASA 8.3 and above, which translates 64.1.1.1:3389 --> 192.168.1.100:19; the ACL is next in the order of operations, hence the ACL refers to the internal IP+port and not the external IP+port.

You can do the following as well to port forward to same port
!
object service portforward_to_192.168.1.100
 service tcp destination eq xxx
!
object service portforward_to_192.168.1.200
 service tcp destination eq yyy
!
nat (outside,inside) 1 source static any any destination static interface obj_192.168.1.200 service portforward_to_192.168.1.200 portforward_to_192.168.1.200 unidirectional
nat (outside,inside) 2 source static any any destination static interface obj_192.168.1.100 service portforward_to_192.168.1.100 portforward_to_192.168.1.100 unidirectional
!
access-list outside_access_in extended permit tcp any object obj_192.168.1.200 eq xxx
access-list outside_access_in extended permit tcp any object obj_192.168.1.100 eq yyy



Hope this helps, let me know if you have further questions and I'll be glad to help you out.
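Pete's ESMTP warning earlier in the thread and Nico's explanation above (NAT rule order, and the ACL matching the real inside address and port on 8.3 and later) are all things you can check in a saved running-config before the cutover. The Python script below is an added example, not code from the original thread or from Cisco: it parses a copy of "show running-config" and reports those three problems. The sample config embedded in it is constructed (the object names, INSIDE_NET, 64.1.1.1 and the interface names are placeholders) and is deliberately wrong in all three ways so the findings are visible; pass a real config file as the first argument to audit your own ASA.

```python
"""Audit a saved Cisco ASA running-config for the pitfalls raised in this thread:
inspect esmtp left on, a port-forward NAT rule listed after the general dynamic
PAT, and an outside ACL entry naming the mapped (public) address rather than the
real inside host and port that the ACL must match on 8.3 and later.
Added example, not from the original thread; SAMPLE_CONFIG is constructed."""
import re
import sys

SAMPLE_CONFIG = """\
object service PF_192.168.1.100_tcp25
 service tcp destination eq 25
object service PF_192.168.1.100_tcp443
 service tcp destination eq https
object network OBJECT_192.168.1.100
 host 192.168.1.100
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source dynamic INSIDE_NET interface
nat (outside,inside) source static any any destination static interface OBJECT_192.168.1.100 service PF_192.168.1.100_tcp25 PF_192.168.1.100_tcp25 unidirectional
nat (outside,inside) source static any any destination static interface OBJECT_192.168.1.100 service PF_192.168.1.100_tcp443 PF_192.168.1.100_tcp443 unidirectional
access-list outside_access_in extended permit tcp any object OBJECT_192.168.1.100 eq smtp
access-list outside_access_in extended permit tcp any host 64.1.1.1 eq https
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect esmtp
"""

# show run prints well-known ports by name; resolve the ones that matter here.
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "telnet": 23, "chargen": 19}
OBJ_RE = re.compile(r"^object (network|service) (\S+)$")
HOST_RE = re.compile(r"^ host (\S+)$")
SVC_RE = re.compile(r"^ service tcp destination eq (\S+)$")
# nat (real_ifc,mapped_ifc) [n] source static|dynamic REAL MAPPED
#     [destination static MAPPED REAL] [service MAPPED REAL] ...
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) (?:\d+ )?source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?(?: service (\S+) (\S+))?")
ACL_RE = re.compile(r"^access-list (\S+) (?:line \d+ )?extended permit tcp any (?:object|host) (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
INSPECT_RE = re.compile(r"^\s+inspect esmtp\b")  # the 'inspect' under a class, not the policy-map itself


def port_num(token):
    return PORT_NAMES.get(token) or (int(token) if token.isdigit() else None)


def parse_config(text):
    """Collect objects, NAT rules (in order), ACL entries, ACL bindings and the esmtp flag."""
    cfg = {"hosts": {}, "svc_ports": {}, "nats": [], "acls": [], "acl_for": {}, "esmtp": False}
    current = None  # object block we are inside, if any
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None
            if m := OBJ_RE.match(line):
                current = m.group(2)
                continue
        if current and (m := HOST_RE.match(line)):
            cfg["hosts"][current] = m.group(1)
        elif current and (m := SVC_RE.match(line)):
            cfg["svc_ports"][current] = port_num(m.group(1))
        elif m := NAT_RE.match(line):
            cfg["nats"].append(m.groups())
        elif m := ACL_RE.match(line):
            cfg["acls"].append(m.groups())
        elif m := GROUP_RE.match(line):
            cfg["acl_for"][m.group(2)] = m.group(1)
        elif INSPECT_RE.match(line):
            cfg["esmtp"] = True
    return cfg


def audit(text):
    """Return the list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    findings = []
    if cfg["esmtp"]:
        findings.append("inspect esmtp is enabled; disable it before passing SMTP to Exchange")
    first_pat = next((i for i, n in enumerate(cfg["nats"]) if n[2] == "dynamic"), None)
    for i, (real_ifc, _, kind, _, _, _, dst_real, _, svc_real) in enumerate(cfg["nats"]):
        if kind != "static" or dst_real is None:
            continue  # only twice-NAT port-forward rules are audited
        real_ip = cfg["hosts"].get(dst_real, dst_real)
        real_port = cfg["svc_ports"].get(svc_real)
        target = f"{real_ip} tcp/{real_port}"
        if first_pat is not None and i > first_pat:
            findings.append(f"port-forward to {target} sits after the dynamic PAT; re-add it with a lower line number")
        acl_name = cfg["acl_for"].get(real_ifc)
        permitted = any(name == acl_name and dst in (dst_real, real_ip) and port_num(port) == real_port
                        for name, dst, port in cfg["acls"])
        if not permitted:
            findings.append(f"no permit in {acl_name} for the real address {target}; "
                            "on 8.3+ the ACL must name the inside host and port, not the mapped ones")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

The ACL check resolves the real port from the service object named last on the nat line, so a forward such as 64.1.1.1:80 --> 192.168.1.200:19 is only considered permitted by an ACL entry for tcp/19 on the inside host, which is exactly the post-8.3 rule Nico describes. The script only understands the twice-NAT, object and extended-ACL forms used in this thread; object-groups and other NAT styles are not parsed.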
Zeke2016

ASKER
Thanks, Ffleisma.

What would be the exact commands I would have to use to get this done on the ASA? I will be there on my own this weekend and would not want to make a mistake and have the users unable to use their email. I am sorry for so many questions.

Exchange Server Internal IP: 192.168.1.100
To be translated to the outside IP 64.x.x.5 Port 25 (port forwarding)

What would the ACL look like? Do I need to create a group? I always get confused with that... and then applying it. I don't want to override existing ACLs or groups.

If you could give me the exact commands based on above information, that would help me so much.

Thank you,

Zeke
Nico Eisma

object service PORTFORWARD_TO_192.168.1.100
 service tcp destination eq 25
!
object network OBJECT_192.168.1.100
 host 192.168.1.100 
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100 PORTFORWARD_TO_192.168.1.100 unidirectional
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25


A few assumptions:
nat (outside,inside) 1: I've used "1" to ensure it is on top of the existing NAT configuration.
access-list outside_access_in line 1: I've used "line 1" to ensure that the ACL entry precedes any existing entry that might deny packets.
Also take note of "outside_access_in"; the ACL on your Internet-facing interface might be named differently. Ensure that the ACL name matches your existing one.
Zeke2016

ASKER
Thank you so much, Ffleisma. This helps a lot. One more quick question... If I needed an additional port to make email work, such as port 443 and others, would I do the following:


object service PORTFORWARD_TO_192.168.1.100
 service tcp destination eq 25
 service tcp destination eq 443
!
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100 PORTFORWARD_TO_192.168.1.100 unidirectional
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 443
Nico Eisma

Just a small correction: the service object is defined for a single specific port or range of ports, so for this case we'll have to create two service objects.
object service PORTFORWARD_TO_192.168.1.100_tcp25
 service tcp destination eq 25
!
object service PORTFORWARD_TO_192.168.1.100_tcp443
 service tcp destination eq 443

!
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp25 PORTFORWARD_TO_192.168.1.100_tcp25 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp443 PORTFORWARD_TO_192.168.1.100_tcp443 unidirectional
!
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25 
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq 443 
!
access-group outside_access_in in interface outside


We then create two NAT statements as shown above.
I've done a similar working simulation on GNS3, but with ports tcp/19 and tcp/23 (chargen/telnet), as a proof of concept.
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
object network OBJECT_192.168.1.200
 host 192.168.1.200
!
object service PORTFORWARD_TO_192.168.1.100_tcp23
 service tcp destination eq telnet
!
object service PORTFORWARD_TO_192.168.1.100_tcp19
 service tcp destination eq chargen
!
object service PORTFORWARD_TO_192.168.1.200_tcp80
 service tcp destination eq http
!
object service PORTFORWARD_TO_192.168.1.200_tcp19
 service tcp destination eq chargen
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp23 PORTFORWARD_TO_192.168.1.100_tcp23 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp19 PORTFORWARD_TO_192.168.1.100_tcp19 unidirectional
!
nat (outside,inside) 3 source static any any destination static interface OBJECT_192.168.1.200 service PORTFORWARD_TO_192.168.1.200_tcp80 PORTFORWARD_TO_192.168.1.200_tcp19 unidirectional

! 
!
access-list inside_access_in extended permit ip any any
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq chargen
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq telnet

access-list outside_access_in line 3 extended permit tcp any object OBJECT_192.168.1.200 eq chargen
!
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


any (outside) --> 64.1.1.1:19 --> 192.168.1.100:19
any (outside) --> 64.1.1.1:23 --> 192.168.1.100:23
any (outside) --> 64.1.1.1:80 --> 192.168.1.200:19
Hope this helps and your migration goes smoothly. Let me know if you have further questions and I'll be glad to help out!
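Once the NAT and ACL above are in place (and the MX record points at the new address), the check a practitioner wants is to connect to the mapped address from outside and confirm that it answers as Exchange on tcp/25 and tcp/443. The Python probe below is an added example, not code from the original thread or from Microsoft or Cisco: it reads the SMTP banner, sends EHLO and reports the two classic symptoms of ASA ESMTP inspection still being applied, a banner rewritten to asterisks and STARTTLS missing from the EHLO capabilities. The transcripts embedded in it are constructed, and the host and HELO names are placeholders.

```python
"""Probe an Exchange server through the new port forward, from the outside.
Reads the SMTP banner, sends EHLO and flags the two classic symptoms of ASA
ESMTP inspection getting in the way: a banner masked to asterisks and STARTTLS
missing from the EHLO reply. Added example, not from the original thread;
HEALTHY and INSPECTED are constructed transcripts, and the names are placeholders."""
import io
import socket
import ssl


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line) and return (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":  # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


def probe_smtp(rfile, wfile, helo_name="probe.example.invalid"):
    """Run banner -> EHLO -> QUIT over the given file objects and summarise what was seen."""
    code, banner = read_reply(rfile)
    result = {"banner_code": code, "banner": banner[0],
              # ESMTP inspection with banner masking replaces the banner text with '*'
              "banner_masked": "*****" in banner[0], "starttls": False, "ehlo_code": None}
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    wfile.flush()
    result["ehlo_code"], ehlo = read_reply(rfile)
    result["starttls"] = any(cap.upper() == "STARTTLS" for cap in ehlo[1:])
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    return result


def problems(result):
    """Turn a probe result into a list of things to fix (empty = mail flow looks healthy)."""
    out = []
    if result["banner_code"] != 220:
        out.append(f"unexpected banner code {result['banner_code']}")
    if result["banner_masked"]:
        out.append("banner is masked: ESMTP inspection is probably still on (show run | incl esmtp)")
    if result["ehlo_code"] != 250:
        out.append(f"EHLO rejected with {result['ehlo_code']}")
    elif not result["starttls"]:
        out.append("STARTTLS not offered: inspection is stripping it, or Exchange TLS is not configured")
    return out


def probe_transcript(server_bytes):
    """Offline helper: feed a canned server transcript through probe_smtp."""
    return probe_smtp(io.BytesIO(server_bytes), io.BytesIO())


def probe_host(host, port=25, timeout=10):
    """Live probe of host:port; run from outside the ASA against the mapped address."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rf, sock.makefile("wb") as wf:
            return probe_smtp(rf, wf)


def tls_probe(host, port=443, timeout=10):
    """Check the tcp/443 forward (OWA/ActiveSync): complete a TLS handshake, return the cert subject."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


# Constructed transcripts: a healthy server, and the same server as seen from
# outside while the ASA still applies inspect esmtp to the connection.
HEALTHY = (b"220 mail.example.invalid Microsoft ESMTP MAIL Service ready\r\n"
           b"250-mail.example.invalid Hello [203.0.113.10]\r\n"
           b"250-SIZE 37748736\r\n"
           b"250-STARTTLS\r\n"
           b"250 OK\r\n")
INSPECTED = (b"220 ****************************************************\r\n"
             b"250-mail.example.invalid Hello [203.0.113.10]\r\n"
             b"250-SIZE 37748736\r\n"
             b"250 OK\r\n")

if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("inspected", INSPECTED)):
        print(name, problems(probe_transcript(data)) or ["ok"])
```

For a live check, call probe_host("64.x.x.5") from a host on the Internet, not from the inside network, since the twice-NAT rules above are unidirectional and only apply to traffic arriving on the outside interface. tls_probe verifies the certificate against the system trust store, so a self-signed or mismatched Exchange certificate will raise rather than return a subject, which is itself worth knowing before clients are pointed at the new address.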
Zeke2016

ASKER
Thank you, Ffelisma.

So, by applying the above access-lists, the ASA knows to use that external IP for translation? I don't need any additional configuration to indicate that I am translating the internal IP to the external IP, correct?

And, also I see in your other example that you mentioned "access-group inside_access_in in interface inside". Do I need the following in my deployment:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside


Thanks again. Other than this above, I should be good to go. You helped me so much.

Zeke
ASKER CERTIFIED SOLUTION
Nico Eisma

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Zeke2016

ASKER
Thank you so much. It went well. More projects on my plate coming until we hire someone for this position.
Zeke2016

ASKER
Great explanations.