From: Sergey Golovanov (sergey.golovanov@iementor.com)
Date: Wed Mar 07 2007 - 20:22:32 ART
I thought through this thoroughly, and I don't believe this would be possible to achieve.
Something like this is not allowed:
access-list SMTP permit tcp any eq smtp host YOUR_SMTP_SERVER_PUBLIC_IP
access-list SMTP permit tcp any host YOUR_SMTP_SERVER_PUBLIC_IP eq smtp
static (outside,dmz) tcp zzz.zzz.zzz.zzz smtp access-list SMTP
and even something simple like this is not allowed either:
access-list SMTP permit ip any host YOUR_SMTP_SERVER_PUBLIC_IP
static (outside,dmz) zzz.zzz.zzz.zzz access-list SMTP
The ACL for "policy PAT" needs the real IP as a source (which is your outside SMTP servers, which you don't want to specify and just want to say ANY for), and the foreign IP as a destination (which is your server's public IP in this case). The static command won't allow you to use it in this case; it will complain that REAL_IP (any) MASK (0.0.0.0) doesn't match the MAPPED_IP (zzz.zzz.zzz.zzz) MASK (255.255.255.255). So this kind of policy PAT would only work from a higher security interface to a lower security interface, such as (dmz,outside)... but that's not what you want here.
The "outside" NAT (aka destination NAT, or bidirectional NAT) you are referring to is done with the "outside" keyword on the nat command. There's no such keyword on the static command. You achieve destination NAT on a static command by switching the interfaces in the (outside,dmz).
There are actually a couple of bugs with Cisco's policy NAT implementation, even in the recent ASA interim releases. Access-lists with TCP/UDP ports specified don't seem to have any effect on policy PAT :(
--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't release it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com
> -------Original Message-------
> From: h-tomikawa <tomimma@gmail.com>
> Subject: PIX & ASA: Destination NAT (Possible?)
> Sent: Mar 07 '07 17:27
>
> Hello all,
>
> Can PIX or ASA (7.2) do destination NAT? What I want to try is this.
>
> The mail server located in the DMZ tries to send SMTP mail to internet SMTP
> servers.
> At this moment, this mail server sends mail according to each mail's
> destination server (internet).
>
> Instead of this, I would like to forward all SMTP traffic to one IP address.
> I know destination NAT like:
>
> static (outside,dmz) xxx.xxx.xxx.xxx zzz.zzz.zzz.zzz does destination NAT,
> but you need to know the
> particular destination IP address to change its destination.
>
> Is there any way to do this: any traffic with SMTP will change destination to
> zzzz.zzzz.zzzz.zzzz.
>
> Thank you
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
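Added illustration (not from either poster): the one form of destination NAT the reply says does work on PIX/ASA 7.2, a plain static with the interfaces switched to (outside,dmz) for a single known outside host. All addresses are placeholders: 198.51.100.10 is the outside SMTP relay, 10.10.10.10 is the address the DMZ mail server is told to deliver to, 172.16.1.25 is the DMZ mail server, 192.0.2.25 is the firewall's outside PAT address.

```cisco
! static (real_ifc,mapped_ifc) mapped_ip real_ip
! The relay really lives on "outside"; it is presented to "dmz" as 10.10.10.10.
! This is accepted because both sides are single hosts, so the masks match
! (unlike the "any" source in a policy static, which the ASA rejects).
static (outside,dmz) 10.10.10.10 198.51.100.10 netmask 255.255.255.255
!
! Usual outbound translation for the DMZ server (needed if nat-control is on).
nat (dmz) 1 172.16.1.25 255.255.255.255
global (outside) 1 192.0.2.25
!
! Pre-8.3 interface ACLs see the destination as it appears on the ingress
! interface, i.e. the mapped 10.10.10.10, not the real relay address.
access-list DMZ_OUT extended permit tcp host 172.16.1.25 host 10.10.10.10 eq smtp
access-group DMZ_OUT in interface dmz
!
! Result: the DMZ server connects to 10.10.10.10:25, the ASA rewrites the
! destination to 198.51.100.10 and forwards it out the outside interface.
! Verify with: show xlate | include 10.10.10.10
```

Note that this still requires the mail server to be pointed at the single mapped address (for example as its smart host); it does not rewrite arbitrary SMTP destinations, which is exactly the limitation the reply describes.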
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:50 ART