ASA NAT (exchange server)

Hello Experts,

I will be going to our remote office this weekend to complete several projects and I need help with one of them.

I will be physically moving an exchange server from our current remote office location to the new remote location a few miles from there.

Once I have it racked and connected to the network, I will need to do some firewall configuration. I do not have much experience with the ASA firewalls and need help. Please include as much detail as possible.

Internal IP: 192.168.1.100 (new internal exchange IP)
External IP: 64.x.x.x (new external exchange IP)

ASA Version: 9.0

What changes do I need to make on the ASA firewall to properly translate it (NAT) and allow email flow (port, ACL)? Currently there is no DMZ; that will be coming in a few months from now. Currently there are only internal and external interfaces on the firewall.

Question #2 - Is it possible to use the same external IP address for two services if they are using different ports? If I assigned the same external IP address to our exchange server that our web server uses (port 80), would that be OK? Or does each service require a unique external IP address?

Thank you very much,

Zeke
Zeke2016 asked:
ffleisma (Senior Network Engineer) commented:
I will be physically moving an exchange server from our current remote office location to the new remote location a few miles from there
Are there separate ASAs at each site? But more importantly, does each site (old remote and new remote) have its own Internet connection, or will both remote sites be using the same Internet connection as your main office, for example?
If the old remote and new remote sites each have their own ISP, most likely you have a different public IP assigned for each site, hence you'll probably replace the public IP of your server once you make the move.
On the new remote site, will this be a new setup? Meaning, will you be building the ASA from scratch given your IP address assignment, or is it already existing?
Is it possible to use the same external IP address for two services if they are using different ports?
Yes, this is called port forwarding; all of the setups below can be accomplished using the same public IP.
Internet --> 64.x.x.x:80 --> 10.x.x.1:80
Internet --> 64.x.x.x:21 --> 10.x.x.2:21
Internet --> 64.x.x.x:4567890 --> 10.x.x.3:123
Pete Long (Technical Consultant) commented:
Please be aware: to run Exchange through your ASA, check that you are NOT doing ESMTP inspection!

show run | incl esmtp

The above command will tell you. If it returns nothing you are OK; if it says "inspect esmtp" then you need to disable it!
Cisco ASA Disable ESMTP Inspection

Also if you are receiving mail on the Exchange server make sure your public MX records are shifted over (or there's a new one with a lower preference for the new IP)
Setting up the Correct DNS Records for your Web or Mail Server

Pete
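As an added illustration (not part of Pete's post or of any Cisco document), here is what that check is looking for and what the fix looks like on an ASA: the default global service policy with ESMTP inspection enabled, beside the same policy with it removed, plus a variant that keeps the inspection but lets STARTTLS through. The policy-map name global_policy and the class inspection_default are the ASA defaults; a unit with a non-default policy may use other names, which is why the "show run" check should be run before editing. The name esmtp_allow_tls is an assumption for this example.

```cisco
! BEFORE (ASA default): ESMTP inspection is part of the default inspection
! class. It filters ESMTP commands, masks the server banner by default and,
! unless "allow-tls" is configured, strips STARTTLS from the EHLO reply, so
! opportunistic TLS between mail servers silently falls back to clear text.
policy-map global_policy
 class inspection_default
  inspect esmtp
!
! Check whether your unit has it enabled (an empty result means it is off):
show run | include inspect esmtp
!
! AFTER (what Pete recommends): remove the inspection from the same class.
policy-map global_policy
 class inspection_default
  no inspect esmtp
!
! ALTERNATIVE: keep the inspection but permit STARTTLS, using an ESMTP
! inspection policy (the name esmtp_allow_tls is assumed for this example).
policy-map type inspect esmtp esmtp_allow_tls
 parameters
  allow-tls
policy-map global_policy
 class inspection_default
  inspect esmtp esmtp_allow_tls
!
! Confirm the result and save it so it survives a reboot:
show service-policy inspect esmtp
write memory
```

Use either the "AFTER" stanza or the "ALTERNATIVE" stanza, not both; the last "inspect esmtp ..." line entered under the class wins. Whichever you pick, re-run the "show run | include inspect esmtp" check afterwards and test an inbound SMTP session with STARTTLS from outside before the users depend on it.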
Zeke2016 (Author) commented:
Please see my answers below...


Yes, there are separate ASA on each site.  Each location has its own internet connection.


Correct. I will use a different IP, but I just wanted to make sure that the new IP can be used with the email server since it's already used for the web server. Thanks for clarifying that it is possible.


The ASA is already there and functioning properly. All I have to do is make sure proper translation is performed on the ASA firewall for the exchange server.

Currently there is no DMZ.  

Setup: Exchange Server > Switch >  internal interface -ASA - external interface

If you need any additional information, please let me know.

Please provide the configuration with Port Forwarding option if possible that you mentioned above.

Thank you Ffleisma and thank you Pete.

Zeke

ffleisma (Senior Network Engineer) commented:
Here is a configuration example of port forwarding:
outside (any source) --> 64.1.1.1:80 (firewall outside interface port 80) --> Un-NAT 192.168.1.200:19 (chargen - tcp/19)
outside (any source) --> 64.1.1.1:3389 (firewall outside interface port 3389) --> Un-NAT 192.168.1.100:19 (chargen - tcp/19)
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 64.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!
object network obj_192.168.1.100
 host 192.168.1.100
 !
object network obj_192.168.1.200
 host 192.168.1.200
!
!
object service obj_tcpsmallserver
 service tcp destination eq chargen
!
object service portforward_to_192.168.1.100
 service tcp destination eq 3389
!
object service portforward_to_192.168.1.200
 service tcp destination eq www
!
object network obj_64.1.1.1
 host 64.1.1.1
!
object network obj_192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
!
!  
nat (outside,inside) 1 source static any any destination static interface obj_192.168.1.200 service portforward_to_192.168.1.200 obj_tcpsmallserver unidirectional
nat (outside,inside) 2 source static any any destination static interface obj_192.168.1.100 service portforward_to_192.168.1.100 obj_tcpsmallserver unidirectional
nat (inside,outside) 3 source dynamic obj_192.168.1.0-24 interface
!
!
access-list outside_access_in extended permit icmp any object obj_192.168.1.0-24 echo-reply
access-list outside_access_in extended permit tcp any object obj_192.168.1.200 eq chargen
access-list outside_access_in extended permit tcp any object obj_192.168.1.100 eq chargen
!
access-list inside_access_in extended permit icmp object obj_192.168.1.0-24 any echo
access-list inside_access_in extended permit ip object obj_192.168.1.0-24 any
!
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!


The interface stanzas at the top are the interface configuration.
The object stanzas that follow are the object configuration, which is referenced in the NAT and ACL configuration. You may choose your own naming convention. NAT configuration will only take objects/object-groups when defining source/destination.
The "nat (outside,inside) 1" line is the port forwarding configuration for 64.1.1.1:80-->192.168.1.200:19.
The "nat (outside,inside) 2" line is the port forwarding configuration for 64.1.1.1:3389-->192.168.1.100:19.
The "nat (inside,outside) 3" line is the PAT configuration for internal hosts (192.168.1.0/24) accessing the outside (Internet); they are NAT/PAT'd to the outside interface (64.1.1.1). You might have some other devices (hosts/servers) inside that require access to the Internet, so this NAT configuration may already exist in your configuration.
Take note of the order of the NAT rules from 1-3: the port forwarding NAT configuration comes in front of the PAT configuration. If you have an existing PAT configuration, make sure that the port forwarding configuration you add is placed in front of it.
The first access-list line is just an ACL permitting icmp/echo-reply, used to allow replies to ping.
The second access-list line is the ACL that permits outside traffic (any) to 192.168.1.200 via tcp/19. NAT is done first in the order of operations on ASA 8.3 and above, which translates 64.1.1.1:80-->192.168.1.200:19; the ACL is the next step in the order of operations, hence the ACL refers to the internal IP+port and not the external IP+port.
The third access-list line is the ACL that permits outside traffic (any) to 192.168.1.100 via tcp/19. NAT is done first in the order of operations on ASA 8.3 and above, which translates 64.1.1.1:3389-->192.168.1.100:19; the ACL is the next step in the order of operations, hence the ACL refers to the internal IP+port and not the external IP+port.

You can do the following as well to port forward to the same port:
!
object service portforward_to_192.168.1.100
 service tcp destination eq xxx
!
object service portforward_to_192.168.1.200
 service tcp destination eq yyy
!
nat (outside,inside) 1 source static any any destination static interface obj_192.168.1.200 service portforward_to_192.168.1.200 portforward_to_192.168.1.200 unidirectional
nat (outside,inside) 2 source static any any destination static interface obj_192.168.1.100 service portforward_to_192.168.1.100 portforward_to_192.168.1.100 unidirectional
!
access-list outside_access_in extended permit tcp any object obj_192.168.1.200 eq yyy
access-list outside_access_in extended permit tcp any object obj_192.168.1.100 eq xxx



Hope this helps, let me know if you have further questions and I'll be glad to help you out.
Zeke2016 (Author) commented:
Thanks, Ffleisma.

What would be the exact commands I would have to use to get this done on the ASA? I will be there on my own this weekend and would not want to make a mistake and have the users not able to use their email. I am sorry for so many questions.

Exchange Server Internal IP: 192.168.1.100
To be translated to the outside IP 64.x.x.5 Port 25 (port forwarding)

What would the ACL look like? Do I need to create a group? I always get confused with that, and then applying it. I don't want to override existing ACLs or groups.

If you could give me the exact commands based on above information, that would help me so much.

Thank you,

Zeke
ffleisma (Senior Network Engineer) commented:
object service PORTFORWARD_TO_192.168.1.100
 service tcp destination eq 25
!
object network OBJECT_192.168.1.100
 host 192.168.1.100 
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100 PORTFORWARD_TO_192.168.1.100 unidirectional
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25


A few assumptions:
"nat (outside,inside) 1": I've used "1" to ensure it is on top of the existing NAT configuration.
"access-list outside_access_in line 1": I've used "line 1" to ensure that the ACL precedes any existing ACL entry that might deny the packets.
Also take note of "outside_access_in": your Internet-facing interface's ACL might be named differently. Ensure that the ACL name matches your existing one.
Zeke2016 (Author) commented:
Thank you so much Ffleisma. This helps a lot. One more quick question: if I needed an additional port to make email work, such as port 443 and others, would I do the following:


object service PORTFORWARD_TO_192.168.1.100
 service tcp destination eq 25
 service tcp destination eq 443
!
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100 PORTFORWARD_TO_192.168.1.100 unidirectional
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 443
ffleisma (Senior Network Engineer) commented:
Just a small correction: the service object is defined for a single specific port or range of ports, so for this case we'll have to create two service objects.
object service PORTFORWARD_TO_192.168.1.100_tcp25
 service tcp destination eq 25
!
object service PORTFORWARD_TO_192.168.1.100_tcp443
 service tcp destination eq 443

!
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp25 PORTFORWARD_TO_192.168.1.100_tcp25 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp443 PORTFORWARD_TO_192.168.1.100_tcp443 unidirectional
!
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25 
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq 443 
!
access-group outside_access_in in interface outside


We then create two NAT statements as shown above.
I've done a similar working simulation on GNS3, but with ports tcp/19 and tcp/23 (chargen/telnet), as a proof of concept.
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
object network OBJECT_192.168.1.200
 host 192.168.1.200
!
object service PORTFORWARD_TO_192.168.1.100_tcp23
 service tcp destination eq telnet
!
object service PORTFORWARD_TO_192.168.1.100_tcp19
 service tcp destination eq chargen
!
object service PORTFORWARD_TO_192.168.1.200_tcp80
 service tcp destination eq http
!
object service PORTFORWARD_TO_192.168.1.200_tcp19
 service tcp destination eq chargen
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp23 PORTFORWARD_TO_192.168.1.100_tcp23 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp19 PORTFORWARD_TO_192.168.1.100_tcp19 unidirectional
!
nat (outside,inside) 3 source static any any destination static interface OBJECT_192.168.1.200 service PORTFORWARD_TO_192.168.1.200_tcp80 PORTFORWARD_TO_192.168.1.200_tcp19 unidirectional

! 
!
access-list inside_access_in extended permit ip any any
!
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq chargen
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq telnet

access-list outside_access_in line 3 extended permit tcp any object OBJECT_192.168.1.200 eq chargen
!
!
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside


any (outside) --> 64.1.1.1:19 --> 192.168.1.100:19
any (outside) --> 64.1.1.1:23 --> 192.168.1.100:23
any (outside) --> 64.1.1.1:80 --> 192.168.1.200:19
Hope this helps and your migration goes smoothly. Let me know if you have further questions and I'll be glad to help out!
Zeke2016 (Author) commented:
Thank you, Ffleisma.

So, by applying the above access-lists, the ASA knows to use that external IP for translation? I don't need any additional configuration to indicate that I am translating the internal IP to the external IP, correct?

And, also I see in your other example that you mentioned "access-group inside_access_in in interface inside". Do I need the following in my deployment:

access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside


Thanks again. Other than this above, I should be good to go. You helped me so much.

Zeke
ffleisma (Senior Network Engineer) commented:
You can think of it as two parts:
1. NAT configuration
2. Permissive ACL (access-lists)

The NAT configuration is the one that pertains to the IP bindings
64.1.1.1:25 --> 192.168.1.100:25
64.1.1.1:443 --> 192.168.1.100:443
object service PORTFORWARD_TO_192.168.1.100_tcp25
 service tcp destination eq 25
!
object service PORTFORWARD_TO_192.168.1.100_tcp443
 service tcp destination eq 443

!
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp25 PORTFORWARD_TO_192.168.1.100_tcp25 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp443 PORTFORWARD_TO_192.168.1.100_tcp443 unidirectional
!



The ACL configuration pertains to which traffic is allowed AFTER the NAT is done by the ASA
allow source:any destination:192.168.1.100 tcp 25
allow source:any destination:192.168.1.100 tcp 443
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25 
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq 443 
!
access-group outside_access_in in interface outside


And, also I see in your other example that you mentioned "access-group inside_access_in in interface inside". Do I need the following in my deployment:
You probably already have something similar, or something more source/destination (IP/port) specific, in your setup, as you mentioned an existing web server previously.

Now, I'm not familiar with your current configuration, but if you could provide a sanitized copy (hash out public IPs and usernames/passwords), I might be able to comment on exactly what needs to be added.
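Pulling the thread together, as an added example that is not ffleisma's own posted configuration: the complete set of commands for the case in the question (Exchange at 192.168.1.100, reachable on 64.x.x.5 tcp/25 and tcp/443), followed by the commands to verify the translation before declaring the move done. It assumes 64.x.x.5 is the ASA's outside interface address (which is what the "interface" keyword binds to) and that the outside ACL is named outside_access_in. The object name OBJECT_PUBLIC_EXCHANGE for the case where the public IP is not the interface address, and the packet-tracer source 203.0.113.10, are assumptions made for illustration; 64.x.x.5 is the placeholder from the question and must be replaced with the real address.

```cisco
! --- Objects -------------------------------------------------------------
object network OBJECT_192.168.1.100
 host 192.168.1.100
!
object service PORTFORWARD_TO_192.168.1.100_tcp25
 service tcp destination eq 25
object service PORTFORWARD_TO_192.168.1.100_tcp443
 service tcp destination eq 443
!
! --- NAT: un-NAT outside-interface:25 and :443 to the Exchange server -------
! "unidirectional" limits these rules to inbound connections. Outbound
! connections from the server still match the existing dynamic PAT rule,
! so the mail it sends leaves from the outside interface address; that is the
! address your SPF record and reverse DNS need to describe.
nat (outside,inside) 1 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp25 PORTFORWARD_TO_192.168.1.100_tcp25 unidirectional
nat (outside,inside) 2 source static any any destination static interface OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp443 PORTFORWARD_TO_192.168.1.100_tcp443 unidirectional
!
! If 64.x.x.5 is NOT the outside interface address, "interface" cannot be
! used; put the public IP in a network object (name assumed) and reference
! it in the mapped-destination position instead:
!   object network OBJECT_PUBLIC_EXCHANGE
!    host 64.x.x.5
!   nat (outside,inside) 1 source static any any destination static OBJECT_PUBLIC_EXCHANGE OBJECT_192.168.1.100 service PORTFORWARD_TO_192.168.1.100_tcp25 PORTFORWARD_TO_192.168.1.100_tcp25 unidirectional
!
! --- ACL: written against the REAL (inside) address, because on 8.3+ the
! ACL is evaluated after un-NAT. Permit only the two ports, nothing wider.
access-list outside_access_in line 1 extended permit tcp any object OBJECT_192.168.1.100 eq 25
access-list outside_access_in line 2 extended permit tcp any object OBJECT_192.168.1.100 eq 443
access-group outside_access_in in interface outside
!
! --- Verification (enable mode) --------------------------------------------
! The two new rules must appear in "Manual NAT Policies (Section 1)" ahead of
! the existing dynamic PAT rule:
show nat
! Simulate an Internet host (203.0.113.10, assumed) connecting to port 25:
! the trace should show the NAT phase untranslating to 192.168.1.100/25 and
! end with "Action: allow". A port that is not forwarded (3389 here) should
! end with "Action: drop".
packet-tracer input outside tcp 203.0.113.10 40000 64.x.x.5 25
packet-tracer input outside tcp 203.0.113.10 40000 64.x.x.5 3389
! After a real test connection from outside, the hit counts on the two
! entries should increase, and the translation should be visible:
show access-list outside_access_in
show xlate
write memory
```

Run the "show nat" and packet-tracer checks before you leave the site: they exercise the rule order, the un-NAT and the ACL in one pass, which is exactly the sequence the question was asking about, and a drop in the trace will name the phase (NAT-RPF, ACL, and so on) that rejected the packet.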

Zeke2016 (Author) commented:
Thank you so much. It went well. More projects on my plate coming until we hire someone for this position.
Zeke2016 (Author) commented:
Great explanations.
Cisco
