Policy NAT 8.6(1)2 Windows Server Cluster

We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Thanks,
Andrew

Hi,
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly is it Auto NAT or Manual NAT.
Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
host 10.0.0.1
nat (inside,outside) static 10.10.10.140
The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
network-object host 10.0.0.1
network-object host 10.0.0.2
network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
host 10.10.10.140
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP address. One thing to notice also is that its a Section 3 NAT rule (the lowest priority) so that it wont override any other NAT rules like the above Static NAT.
I you had your existing Dynamic PAT for all users already with a similiar configuration than last configuration example then you would have to add a line number to the NAT configuration like this
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just an Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command it will be at a lower priority and wont apply for the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni

Similar Messages

  • FMS 3.5 on Windows Server cluster?

    Is FMS 3.5 supported on a Windows 2003 (or better yet Windows 2008) server fail-over cluster?
    Thinking it would be nice to have an origin server clustered so no single point of failure can occur. Any thoughts?

    yes =) windows and linux
    http://www.adobe.com/devnet/flashmediaserver/articles/scaling_securing_fms3.html
    http://help.adobe.com/en_US/FlashMediaServer/3.5_AdminGuide/WS5b3ccc516d4fbf351e63e3d119f2 925d1a-7ffc.html
    regards
    Leonardo França
    Adobe Certified Expert Flex 3 with AIR
    Adobe Certified Expert Rich Internet Application Specialist v1.0
    Adobe Certified Expert Flash CS3 Professional
    Certified Professional Adobe Flex 2 Developer
    Adobe Certified Professional Flash MX 2004 Developer
    http://www.leonardofranca.com
    http://twitter/leofederal
    Manager AUGDF - Adobe User Group do Distrito Federal
    http://www.augdf.com.br
    http://twitter/augdf
    jwa10 escreveu:
    Is FMS 3.5 supported on a Windows 2003 (or better yet Windows 2008) server fail-over cluster?
    Thinking it would be nice to have an origin server clustered so no single point of failure can occur. Any thoughts?
    >

  • Windows Server 2008 R2 RRAS NAT Security Concerns

    Recently we are deploying Windows Server 2008 R2 as the NAT gateway of our private network. During the testing, we found that the RRAS was doing its job as the NAT gateway,
    however it seemed that hosts in the private network were allowed to access any listening port opened on the server side (2008 R2). In the normal scenario, the server side will have the process "wininit.exe" running and listening on the TCP port 49152.
    We confirmed that all hosts in the private network were be able to connect to TCP port 49152 opened on the server (connecting by using the NAT's public IP), which introduced lots of security concerns and made us nervous. Since the server is acting as a NAT,
    IP packets sent by hosts in the private network will be translated and forwarded as if it is generated by the NAT server itself. Thus, the windows firewall will not block the connection at all while dealing with "local" traffic, which actually is
    the traffic from the host in the private network.
    What we need is a mechanism that can block the hosts in the private network to access the TCP/UDP ports opened on the NAT server side. Since the NAT server has it IP on
    the public network assigned dynamically (DHCP), static IP filtering on the private NIC does not fit our needs (Or probably we may use some hidden but advanced filter settings?). Which policy or setting should be used in our case?

    Hi Daniel,
    I am aware of what you are suggesting. Actually I have active the windows firewall to protect the server.
    Suppose I have a network configuration as follows:
    Private Network: 192.168.149.0 / 255.255.255.0 (Private NIC on server side IP:192.168.149.1)
    --------------Windows 2008 R2 RRAS NAT--------------------
    Public Network: 10.1.0.0 / 255.255.255.0 (Public NIC on server side IP:10.1.0.100 )
    The problem is that while the windows firewall is effectively protecting my server by filtering inbound traffic from the public network, the windows firewall will not filter the traffic from
    192.168.149.0 /255.255.255.0  to  10.1.0.100 (NAT's public IP)
    The reason is that the TCP/UDP connection from the private network (192.168.149.0 / 255.255.255.0) to any other networks will be NATed. Suppose TCP connection from
    192.168.149.23:50000 -> 10.1.0.100:1023
    It will be translated by NAT and becomes
    192.168.149.23:50000 <-NAT-> 10.1.0.100:60100 -> 10.1.0.100:1023
    From the windows firewall's point of view, the connection is essentially a 'local' TCP connection and should be allowed regardless of any inbound filtering rules. So vulnerability is introduced. After some research, we are almost sure that the windows firewall
    does not filter local traffic. Also, we are not able to guarantee any firewalls on the client side to be installed, since the nature of a NAT server is to provide such network access ability to clients and should not require the client side to change its configuration.
    I do think it is a common security concern in lots of enterprise networks where Windows Servers are deployed as NAT servers. Would you mind help us address this issue and give us some advice about best-practices related?
    Thank you

  • Configuring group policy for user profiles in Windows Server 2012 R2 Domain

    Requesting some experts advise on configuring group policy for user profiles.
    We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
    The settings which I am concerned:
    1. Folder Redirection: Desktop, Documents, Favorites.
    2. Quota for Folder Redirection - 1 GB per user.
    3. Map a networked drive - 1 GB per user.
    4. Roaming profile - (Will ignore if it does not suit our requirement). 
    The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
    Thanks a lot for your valuable time and efforts.

    Hi,
    >>The question is how outlook profile will be retained / automatically moved if the users move from once computer to other?
    This depends on where our outlook data files are stored. If these data files are stored under
    drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
    However, regarding your question, we can refer to the following thread to find the solution.
    Roam outlook profiles without roaming profiles
    http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
    In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
    Configuring Folder Redirection
    http://technet.microsoft.com/library/cc786749.aspx
    Hope it helps.
    Best regards,
    Frank Shen

  • How to restrict users working on Windows 7 clients from accessing Windows Explorer and other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2

    Dear All,
    We are having an infrastructure setup of around 500 client computers managed through group policy.
    Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
    Since this account requires extremely strict environment, we need to figure the solution for restricting the users from access anything locally.
    It would be great if you can assist me with the following query.
    How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
    Can we disable Network Tab on the left hand pane ?
    explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.

    >   * explorer.exe is blocked already, but users are able to enter the
    >     Windows Explorer by clicking on the name which is visible on the
    >     Start Menu.
    You cannot block explorer.exe when you do not replace the shell - the
    desktop you see effectively IS explorer.exe...
    Your requirement sounds like you need a custom shell:
    http://gpsearch.azurewebsites.net/#2812
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to install unlimited strength policy files with 2003 windows server

    Hi all,
    I am working on encryption AES 256 bit key encryption.
    128 is default encryption key.But for use 256 bit encryption key need to add unlimited strength policy file with jdk.
    That is working fine on windows xp.
    Now problem
    But when i run on client machine with operating system windows 2003 server standard.
    I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.
    Restarted the computer after update files but on windows server 2003 256 bit key encryption not working.
    Giving following exception
    java.security.InvalidKeyException: Illegal key size or default parameters
         javax.crypto.Cipher.a(DashoA13*..)
         javax.crypto.Cipher.a(DashoA13*..)
         javax.crypto.Cipher.a(DashoA13*..)
         javax.crypto.Cipher.init(DashoA13*..)
         javax.crypto.Cipher.init(DashoA13*..)
    Please suggest me how to run encryption on windows server 2003..
    Thanks
    Anu

    anu1106 wrote:
    I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.Why? Why not just install the unlimited strength files in the normal way according to the installation instructions given in the distribution file?

  • How to configure ipsec policy on windows server 2008 r2 to permit local machine only access to gateway,one other server and it's local ip?

    I have applied IPsec policy on local machine(ip address:10.82.138.76) with windows server 2008 ent r2 installed,only permit local machine to comunicate with itself,one other server(ip address:10.82.138.77) and the gateway device(ip address:10.82.138.1).After
    i asigned this policy,i can ping the gateway (ip address:10.82.138.1),and the other server(ip address:10.82.138.77),but i can't ping local machine itself(ip address:10.82.138.76),could anybody tell me why and how to solve this problem?When i applied the same
    policy to windows server 2003 ent,i can ping the local machine ip address.

    Hi,
    Thanks for your post.
    First, try to ping the loopback address 127.0.0.1. If the loopback test succeeds but you cannot ping the local IP address, please post the unedited
    ipconfig /all and route print of the problematic computer.
    For test purpose, you may refer to the following lab step by step guide to deployment Tunnel Mode IPsec. Hope it helps.
    Windows Firewall and IPsec Policy Deployment Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc732400(v=ws.10)
    Connection Security and IPsec
    http://technet.microsoft.com/en-us/library/cc771593(v=ws.10).aspx
    Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway
    http://technet.microsoft.com/en-us/library/dd759083
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003

    Hi
    We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
    But Win8 systems are running IE10. We have an internal proxy server.
    Is there any way to force the proxy settings to the Win8/IE10 or 11 systems .
    i have tried with The IE 10 .adm template and applied gpo,but does not have any proxy settings for ie10 and no changes were applies
    please can anyone help me regarding this
    i want to apply GPO from windows server 2003  to windows 8 ie10/11
    Thanks
    KNC

    Hi,   
    I agree with Zanderol24, we can install RSAT on a windows8 client, and then we can use Group Policy Management to manage group policy from the client.
    For more information about RSAT, we can refer to the following link:
    Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
    http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
    For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
    How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
    http://support.microsoft.com/kb/2898604
    When we use GPPs you need to be aware of the F5-F8 keys:
    Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
    http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
    Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
    For IEAK, the following article can be referred to for more information.
    Internet Explorer Administration Kit (IEAK) Information and Downloads
    http://technet.microsoft.com/en-in/ie/bb219517.aspx
    Best Regards,
    Erin

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB - Storage Devices @ user level on the client machines. It works properly for my Windows 7 client machines but it's not working on one of the machine having Windows Server 2008 R2 installed
    on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in-case I have missed anything obvious to be shared.
    Thanks!
    -Vinay Pugalia
    If a post answers your question, please click "Mark As Answer" on that post or
    "Vote as Helpful".
    Web : Inkey Solutions
    Blog : My Blog
    Email : Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet
    Subscriber Support
    If you are TechNet
    Subscription user and have any feedback on our support quality, please send your feedbackhere.
    Andy Qi
    TechNet Community Support

  • Windows Server 2008 - Group policy for domain client to start/stop services installed on it

    Hello Experts
    I am a newbie to windows server administration , though did a Google  , but ended up with these question with my requirements
    I have created a new domain and 2 client/computer (A & B namely) to domain . Now A & B has tomcat server running with port 8080 , 9090 which i have installed
    domain ADMIN account .
    && now i am want to start/stop/restart services enabled for domain users  !! How do i achieve this !!
    basic question : How can i access A & B tomcat services on DOMAIN CONTROLLER server to create a GPO and that are on (A & B)
    what is the easiest way to achieve the same , (if not using GPO)???
    similarly I am looking for many features : where I want to control the permission to user on (A & B ) like : If the binaries of tomcat is available on machine say : A , if the user can install (now
    it ask for ADMIN credentials) 
    Thanks
    Mike~Ed

    Controlling services with Group Policy is done under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
    The limitation is that system services can only see the services the computer running the Group Policy management console. To access other services, you will either need to create the services on your computer (install the software the adds the service)
    or install the remote server administration toolkit (RSAT) on the computer with the service already on it.
    If my answer helped you, check out my blog:
    Deploy Happiness

  • Group Policy Administrative Templates not applying on Windows XP SP3 - Windows Server 2008 R2

    I have a Windows 2008 R2 domain with windows 7, and Windows XP SP3 client workstations.
    I have a group policy to deny all access to removable storage in policies/administrative templates/system in user configuration (actually its in the computer configuration as well)
    The problem is the policy is having no effect on the Windows XP machines. It works perfectly on Windows 7 machines.
    Group policy in general is working on the Windows XP machines, as I can successfully map drives, push out scheduled tasks, and push out printers. (All preferences I know and I have GP Preferences client side extensions installed).
    Its almost like the windows XP machines can't "understand" the admin templates from Windows Server 2008 R2.
    Do I need to install something on the windows XP machines? What could be the problem?

    > Its almost like the windows XP machines can't "understand" the admin
    > templates from Windows Server 2008 R2.
    Simply read the "supported on" of these settings... Vista and above
    required.
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Pin Programs on the Windows 7 Taskbar & Start Menu with Group Policy (Windows Server 2008 R2)

    Dear ALL,
    I want to Pin Programs on the Windows 7 Taskbar & Start Menu with Group Policy (Windows Server 2008 R2) as per below description. Can someone please help me how to proceed and achieve this. 
    Pin the following applications to the Taskbar:
    Outlook
    Pin the following applications to the Start Menu:
    Outlook
    Excel
    Word
    Internet Explorer
    Software Center
    Regards,
    Amit Kumar Rao

    https://www.google.de/search?q=windows+7+pin+to+taskbar+vbs
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • How to join to window server with NIP policy

    how to join to window server with NIP policy?

    Since you refer to MySQL as the default database, I presume that you're talking about using PHP.
    Yes, you can link to MS SQL Server - as long as you're willing to code everything by hand. If you're looking for automated code generation, though, the answer is no.
    Even the default PHP/MySQL server behaviors are not really worth considering for professional web development. They're fine for quick prototyping, but they use deprecated functions that are not suitable for a production environment.

  • Reg retention policy in Windows server Backup

     
    Please let me know how long time the backups will be maintained in Windows server Backup.
    Is there any place where I can go and modify the retention policy?

    The statements
    "If the backup storage location is full, Windows Server Backup automatically deletes the oldest backup"
    and
    "If you do not delete the corresponding shadow copy, the backup sets will be always reserved."
    are contradictory.  As explained in the "Overview" section of the source you linked, the first statement is correct.  It is not necessary that the server admin take any action to delete shadow copies in order to implement a retention
    policy.  When the backup destination drive gets full, WSB "automatically deletes the oldest backup version" (http://blogs.technet.com/b/filecab/archive/2009/06/22/backup-version-and-space-management-in-windows-server-backup.aspx)
    This all said, this behavior and the source cited are for Windows Server 2008. 
    The automatic disk space management behavior seems to have changed in Server 2012 (for example see this link: http://technet.microsoft.com/en-us/library/jj614621.aspx).  Unfortunately I've not been able to determine
    specifically how it is different.

  • Unable to login Windows Server 2012 after making local policy changes

    Experts, we have modified the local policy setting on the windows server 2012 and badly it was domain controller now none of the users are able to login to the server. After entering the user name and password it will launch till welcome screen then it errors
    out saying user name or password incorrect. below are the steps which we followed
    1. Policy setting is located in Computer Configuration\Security Settings\Local Policies\Security Options \Network security: Configure encryption types allowed for Kerberos values change from Not Configured to DES_CBC_MD5
    2. changed user attribute msDS-SupprtdEncryptionTypes to 2 , this account we were used for kerberos authentication. 
    3. Logged off from the server and then server doesn't allow any user to login.
    regards,
    Jakk 

    Have you tried connecting to the server from a 2nd DC? Have you tried installing the RSAT tools on a domain member server and modify the offending policy ?
    last choice would be restart the DC into safe mode. 

Maybe you are looking for