First of all- ouch, Joe! With friends like you, who needs enemies? ;)

You are also assuming this is first class ISP/DNS in the US. Half of these guys are in countries that are lucky to have running water, so it's hard to assume.

Regards,
Jay McMickle- CCNP, CCSP, CCDP, MCSE
http://mycciepursuit.wordpress.com/
From: Joseph L. Brunner <joe_at_affirmedsystems.com>
To: Jay McMickle <jay.mcmickle_at_yahoo.com>; Mahmoud Nossair <mahmoud.nossair_at_gmail.com>; "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Cc: "pbhatkoti_at_gmail.com" <pbhatkoti_at_gmail.com>; 'Ryan West' <rwest_at_zyedge.com>
Sent: Monday, September 5, 2011 5:56 PM
Subject: RE: ASA 5520 port redirection help.
> need both up while your DNS is propagating. If that's the case, stand up another firewall and NAT each of the Private to publics on each one for those 72 hours.

DNS took 72 hours to "propagate" in 1995. Most global dns servers now only accept max 4 hours (while 80% or more use 1 hour) REGARDLESS of the TTL in your zones, FYI.

I have never done a cutover that took more than 30 minutes to pick up the changes though in the last 4 years...

-Joe
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
Sent: Monday, September 05, 2011 8:28 AM
To: Mahmoud Nossair; ccielab_at_groupstudy.com
Cc: pbhatkoti_at_gmail.com; 'Ryan West'
Subject: Re: ASA 5520 port redirection help.
Your summary is correct.

Policy nat is outbound only.
Static NAT is both.
You can't statically nat two publics, on the same port, to a single internal host.

It might help the group if we had more business justification for what you are trying to accomplish, and why. It might also help if you emailed the CCIE Security Group instead of R&S? ;)

I am hoping you natting two publics to a single internal IP is because you are migrating SMTP hosts and you need both up while your DNS is propagating. If that's the case, stand up another firewall and NAT each of the Private to publics on each one for those 72 hours.

There was a good recommendation to change your DNS timeouts to 1 hour. This should be propagated after a few days, and then you can update your DNS to point to your MX records and migrate with only an hour of an outage. Furthermore, the emails won't bounce, but rather, hold in the sending SMTP queue until the record is updated. This should minimize or eliminate any perceived outage.

If you need further help, please explain your goals in detail so that we aren't providing useless steps or information.

Have a good day.

Regards,
Jay McMickle- CCNP, CCSP, CCDP, MCSE
http://mycciepursuit.wordpress.com/
From: Mahmoud Nossair <mahmoud.nossair_at_gmail.com>
To: ccielab_at_groupstudy.com
Cc: pbhatkoti_at_gmail.com; 'Jay McMickle' <jay.mcmickle_at_yahoo.com>; 'Ryan West' <rwest_at_zyedge.com>
Sent: Monday, September 5, 2011 4:35 AM
Subject: RE: ASA 5520 port redirection help.
Dear Experts

Thanks for your kind responses,

I am not a Firewall Expert, so please excuse me. As I understood I will do Policy NAT in Outbound direction and Static PAT in Inbound direction, right???? But how could I do Inbound static PAT while I am getting the mentioned error "ERROR: duplicate of existing static TCP dmz:192.168.1.11/25 to outside:x.x.6.5/25 netmask 255.255.255.255"

BR
Mahmoud Nossair
-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Sunday, September 04, 2011 7:10 PM
To: Jay McMickle
Cc: Mahmoud Nossair; <ccielab_at_groupstudy.com>
Subject: RE: ASA 5520 port redirection help.
Answer is still valid for the first question. Seems that a smarthost would handle the second.
-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Sunday, September 04, 2011 12:04 PM
To: Ryan West
Cc: Mahmoud Nossair; <ccielab_at_groupstudy.com>
Subject: Re: ASA 5520 port redirection help.
Right, but policy-nat, as you pointed out, is only outbound.

Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from my iPhone
http://mycciepursuit.wordpress.com

On Sep 4, 2011, at 10:56 AM, Ryan West <rwest_at_zyedge.com> wrote:
> Yes, but as frog pointed out, you can static PAT and policy NAT to two different external addresses. Traffic state will keep the external to internal path when replying outbound. Outbound traffic from the server in a PAT / policy NAT configuration would use dynamic PAT.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Jay McMickle
> Sent: Sunday, September 04, 2011 11:48 AM
> To: Mahmoud Nossair
> Cc: <ccielab_at_groupstudy.com>
> Subject: Re: ASA 5520 port redirection help.
>
> You can't PAT the same port to two destinations, sorry.
>
> You could put the Exchange server in parallel for a few days (outside the firewall, not recommended) while your DNS migrates, or use a separate firewall in the meantime. If your ASA is a pair, you could break the failover so that 6.5 was on one firewall, and 6.8 would be on the other. This would only be temporary while your DNS is updating and propagating.
>
> Hope this helps.
>
> Regards,
> Jay McMickle- CCNP,CCSP,CCDP
> Sent from my iPhone
> http://mycciepursuit.wordpress.com
>
>
> On Sep 4, 2011, at 4:28 AM, "Mahmoud Nossair" <mahmoud.nossair_at_gmail.com> wrote:
>
>> Dear Experts
>>
>> How could I map two outside addresses (Global IPs) to the same inside
>> Server in ASA 5520 firewall?
>> Actually we have an SMTP server gateway, and two Exchange servers
>> connecting to it, so how can I redirect all external SMTP traffic for
>> the Exchange servers and send it to the SMTP gateway.
>>
>> When I do this on the firewall, I got an error
>>
>> static (dmz,outside) tcp x.x.6.5 smtp 192.168.1.11 smtp netmask 255.255.255.255
>> static (dmz,outside) tcp x.x.6.8 smtp 192.168.1.11 smtp netmask 255.255.255.255
>> ERROR: duplicate of existing static TCP dmz:192.168.1.11/25 to outside:x.x.6.5/25 netmask 255.255.255.255
>>
>> Please advise
>>
>> Thanks in advance
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
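As an added example (not code from the thread, from any poster, or from Cisco), here is a pre-flight check in Python over candidate pre-8.3 ASA `static` lines that applies the rule Jay states above (one real host and port can be owned by only one static) and reports the conflict in the same wording the ASA printed in the original question. The sample lines are constructed from that question, with the publics kept as the x.x.6.5 / x.x.6.8 placeholders; the service-name table is an assumed small subset.

```python
import re

# Pre-8.3 ASA static PAT syntax as used in the thread (assumed field order):
#   static (real_if,mapped_if) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)\s+netmask\s+(?P<mask>\S+)\s*$"
)

# Service names accepted in place of port numbers (assumed subset, not Cisco's full table).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


def port_number(token):
    """Resolve 'smtp' or '25' to the integer port the ASA prints in its error."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_static(line):
    """Return the fields of one static PAT line, or None if the line is not one."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    s["mapped_port"] = port_number(s["mapped_port"])
    s["real_port"] = port_number(s["real_port"])
    return s


def find_duplicate_statics(config_lines):
    """Flag every static whose real side (interface, host, proto, port) is already
    owned by an earlier static, worded like the ASA error in the original question."""
    seen, errors = {}, []
    for line in config_lines:
        s = parse_static(line)
        if s is None:
            continue
        key = (s["real_if"], s["real_ip"], s["proto"], s["real_port"])
        if key in seen:
            f = seen[key]
            errors.append(
                "ERROR: duplicate of existing static "
                f"{f['proto'].upper()} {f['real_if']}:{f['real_ip']}/{f['real_port']} "
                f"to {f['mapped_if']}:{f['mapped_ip']}/{f['mapped_port']} netmask {f['mask']}"
            )
        else:
            seen[key] = s
    return errors


# Constructed sample: the two statics from the original question plus a third one
# on a different real port, which does not conflict.
SAMPLE = [
    "static (dmz,outside) tcp x.x.6.5 smtp 192.168.1.11 smtp netmask 255.255.255.255",
    "static (dmz,outside) tcp x.x.6.8 smtp 192.168.1.11 smtp netmask 255.255.255.255",
    "static (dmz,outside) tcp x.x.6.8 https 192.168.1.11 https netmask 255.255.255.255",
]

if __name__ == "__main__":
    for err in find_duplicate_statics(SAMPLE):
        print(err)
```

Running the check before pushing a change set shows the second smtp static colliding with the first, exactly as the ASA rejected it, while the https static on the same public passes.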
Received on Mon Sep 05 2011 - 18:00:59 ART
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:25 ART