
Is this possible... SMTP/HTTP on ASA Firewall

cpals (Diamond Member, Mar 5, 2001)
Trying to wrap my head around this as I can't figure out how to do this correctly.

We currently have an ISA server NATed to the outside that also accepts our port 80 and 25 traffic. It then forwards the 80 traffic to our internal mail server for OWA and 25 traffic to our spam appliance. We're trying to eliminate the ISA from this flow and connect the mail and spam appliance directly to a DMZ IP. Only thing is that my boss wants us to keep the same IP for both ports.

I'm used to doing a 1 to 1 NAT and allowing/blocking incoming ports, but now I'm trying to figure out how to do a PAT I guess is what it would be?

Desired setup:
Outside --> 1.1.1.1 DMZ IP (port 80) --> 192.168.1.2 MAIL IP (port 80)
Outside --> 1.1.1.1 DMZ IP (port 25) --> 192.168.1.5 SPAM IP (port 25)

So outside IP would be the same, but depending on the port it will route differently. I don't believe this will work because the two servers going out need to show up to the internet as the same IP, but I can't verify if I'm thinking this through correctly.

Thanks!

cpals (Diamond Member, Mar 5, 2001)
And outgoing will work in reverse? IE:

192.168.1.2 MAIL IP (port 80) --> 1.1.1.1 DMZ IP (port 80) --> Outside
192.168.1.5 SPAM IP (port 25) --> 1.1.1.1 DMZ IP (port 25) --> Outside

So internal are different, but show up outside the same. The IP would be some ip in a /27 on the DMZ interface.
 

Nothinman (Elite Member, Sep 14, 2001)
Outbound will work fine and be handled just like any other outbound connection unless you specify otherwise.
 

cpals (Diamond Member, Mar 5, 2001)
> Outbound will work fine and be handled just like any other outbound connection unless you specify otherwise.

Exactly - our outbound IP (IP on the outside interface) is where all regular outbound traffic would show up as. But I need my mail server to show up as the DMZ IP I specified (for reverse DNS lookups, etc). Would that work?
 

spidey07 (No Lifer, Aug 4, 2000)
> Exactly - our outbound IP (IP on the outside interface) is where all regular outbound traffic would show up as. But I need my mail server to show up as the DMZ IP I specified (for reverse DNS lookups, etc). Would that work?

Yes. Otherwise NAT or PAT wouldn't work. What you're describing is what PAT does. It maps layer 3 addresses as well as layer 4 addresses (port numbers).

cpals (Diamond Member, Mar 5, 2001)
Sorry for prolonging this further, but it doesn't seem to be working. Here is the code that I have used:

static (Inside,Outside) tcp 67.x.x.17 smtp 192.168.1.83 smtp netmask 255.255.255.255
static (Inside,Outside) tcp 67.x.x.17 www 192.168.1.22 www netmask 255.255.255.255

So Out->In works properly. I get my SMTP prompt for my spam appliance and I get the website for our exchange OWA.

However, for testing purposes, I tried to access 'whatismyip.com' from my exchange server (which has port 80 translated to it) and it gives the IP of our ASA interface and not the 67.x.x.17 IP. Shouldn't it give the IP that I assigned to it since it's going to a port 80 address on the 'whatismyip.com' website?

The end goal is for the SMTP to work like my HTTP example, but I couldn't think of an easy way to test like the 'whatismyip.com' website.
 

spidey07 (No Lifer, Aug 4, 2000)
It's working as designed. You did the PAT for inbound connections and that is working, the return traffic is getting PAT'ed as well otherwise TCP would fail.

If you want outbound connections initiated by inside hosts you'll have to setup the NAT/PAT for that as well.

Direction and who starts the conversation matter, it's a NAT/PAT/state table thing.
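To make the "direction and who starts the conversation" point concrete, here is an added example (not from the thread or from Cisco) that models a pre-8.3 ASA's translation lookup as a small Python class: static port entries, nat/global groups and an xlate table. It loads the two static lines from the post, then shows why a reply to an inbound SMTP connection leaves as 67.x.x.17 while a new connection started by the mail server falls through to the interface PAT, and what changes once a nat/global pair for the two hosts is added. The lookup order is simplified (the real ASA also checks NAT exemption and policy NAT, and 8.3+ uses a different NAT syntax), the outside interface address 67.x.x.1 and the remote addresses are constructed placeholders, and the nat/global lines are an assumed way to achieve the outbound mapping, not something the thread confirmed.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Asa:
    """Toy model of pre-8.3 ASA translation: static port entries, nat/global, xlate table."""
    interface_ip: str
    # static (Inside,Outside) tcp GLOBAL gport LOCAL lport  ->  {(GLOBAL, gport): (LOCAL, lport)}
    static_port: dict = field(default_factory=dict)
    # nat (Inside) ID LOCAL entries, evaluated in order; LOCAL of "any" matches every inside host
    nat_rules: list = field(default_factory=list)
    # global (Outside) ID ADDRESS; "interface" stands for the outside interface address
    global_pool: dict = field(default_factory=dict)
    # xlate table: (local_ip, local_port) -> (global_ip, global_port)
    xlate: dict = field(default_factory=dict)
    _pat_ports: count = field(default_factory=lambda: count(1024))

    def outbound(self, f: Flow) -> Flow:
        """Translate the source of a packet leaving Inside for Outside."""
        key = (f.src_ip, f.src_port)
        if key in self.xlate:
            # 1. an existing translation (for example the reply leg of an inbound connection)
            g_ip, g_port = self.xlate[key]
        else:
            reverse = {local: glob for glob, local in self.static_port.items()}
            if key in reverse:
                # 2. a static port entry only matches when the source port itself is the mapped port
                g_ip, g_port = reverse[key]
            else:
                # 3. otherwise the first matching nat rule picks the global pool: dynamic PAT
                nat_id = next(i for i, local in self.nat_rules if local in ("any", f.src_ip))
                g_ip = self.global_pool[nat_id]
                if g_ip == "interface":
                    g_ip = self.interface_ip
                g_port = next(self._pat_ports)
            self.xlate[key] = (g_ip, g_port)
        return Flow(g_ip, g_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow):
        """Translate the destination of a packet arriving on Outside; None means dropped."""
        key = (f.dst_ip, f.dst_port)
        if key in self.static_port:
            # static port forward: record the xlate so the return traffic uses the same global ip/port
            l_ip, l_port = self.static_port[key]
            self.xlate[(l_ip, l_port)] = key
            return Flow(f.src_ip, f.src_port, l_ip, l_port)
        for local, glob in self.xlate.items():
            if glob == key:  # return traffic for a connection an inside host started
                return Flow(f.src_ip, f.src_port, *local)
        return None


def build(outbound_nat_for_mail: bool) -> Asa:
    """Load the two static lines from the post; optionally add nat/global for the two hosts."""
    asa = Asa(interface_ip="67.x.x.1")  # constructed placeholder for the outside interface address
    # static (Inside,Outside) tcp 67.x.x.17 smtp 192.168.1.83 smtp netmask 255.255.255.255
    asa.static_port[("67.x.x.17", 25)] = ("192.168.1.83", 25)
    # static (Inside,Outside) tcp 67.x.x.17 www 192.168.1.22 www netmask 255.255.255.255
    asa.static_port[("67.x.x.17", 80)] = ("192.168.1.22", 80)
    if outbound_nat_for_mail:
        # assumed addition: nat (Inside) 2 192.168.1.22 255.255.255.255
        #                   nat (Inside) 2 192.168.1.83 255.255.255.255
        #                   global (Outside) 2 67.x.x.17
        asa.nat_rules += [(2, "192.168.1.22"), (2, "192.168.1.83")]
        asa.global_pool[2] = "67.x.x.17"
    # the usual catch-all: nat (Inside) 1 0 0 / global (Outside) 1 interface
    asa.nat_rules.append((1, "any"))
    asa.global_pool[1] = "interface"
    return asa


def source_seen_by_internet(asa: Asa, local_ip: str, dst="203.0.113.10", dport=80) -> str:
    """Source address a remote web server sees when LOCAL_IP opens a new connection to it."""
    return asa.outbound(Flow(local_ip, 49152, dst, dport)).src_ip


if __name__ == "__main__":
    asa = build(outbound_nat_for_mail=False)
    print(asa.inbound(Flow("198.51.100.7", 40000, "67.x.x.17", 25)))          # reaches 192.168.1.83:25
    print(asa.outbound(Flow("192.168.1.83", 25, "198.51.100.7", 40000)))     # reply leaves as 67.x.x.17:25
    print(source_seen_by_internet(asa, "192.168.1.22"))                      # interface IP: the thread's symptom
    print(source_seen_by_internet(build(True), "192.168.1.22"))              # 67.x.x.17 once nat/global exists
```

The third print reproduces what cpals saw on whatismyip.com: the static entry keyed on port 80 never matches a connection whose source port is ephemeral, so the packet takes the catch-all interface PAT. Only the dedicated nat/global pair (or an equivalent one-to-one static for the host) changes the source the internet sees, which is what matters for reverse DNS checks on outbound mail.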