ASA5510 Static NAT Email DNS Problem


  • ASA5510 Static NAT Email DNS Problem

    Hi, I was wondering if anyone can help with the config for an ASA5510.

    I have an inside and outside network with one external IP address provided by the ISP. The email server (192.168.1.100) sits on the inside network and I can successfully configure the ASA to allow email to be sent and received using the config below:

    static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
    access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp

    Great!!!

    But when I then try to configure another static NAT to a web server (192.168.1.200) on the inside network using the same outside interface, I am unable to add it as it conflicts with the existing static NAT.

    Instead, I configured the first static NAT to use PAT for SMTP and then configured another static NAT using PAT for the web server. Config below:

    static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

    access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
    access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http

    Now external connections can reach the web server and email server.


    BUT

    The email server is unable to send email, it is unable to resolve the domain names to IP addresses. I can't even do an nslookup on google.com and all web browsing from the server stops (the default gateway of the Email server is the ASA's LAN IP obviously).

    Looking at the logs I see DNS packets (UDP 53) accessing the ISP's DNS servers on the internet but it never seems to resolve them. The source is always the email server port 53 but the reply from the internet DNS server seems to be on different ports which don't have static NATs.

    I have tried creating static NATs and ACLs for TCP/UDP port 53 but it makes no difference.

    I hope this makes sense to you guys so far, I am pretty new to this and keen to learn so any help or pointers would be appreciated.

    Thanks in advance

  • #2
    Re: ASA5510 Static NAT Email DNS Problem

    Try running the packet tracer which you can find in the ASDM.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: ASA5510 Static NAT Email DNS Problem

      Hi, thanks for your reply. I did as you suggested and set up a packet trace from the inside interface, source port domain to the ISP DNS IP address, and it worked OK - the implicit rule that lets all traffic move to a less secure network appears to let it go through OK.

      The log shows

      Nov 02 18:34:21 : Built outbound UDP connection 4778 for outside:194.72.6.57/53 (194.72.6.57/53) to inside:192.168.1.100/3187 (192.168.1.100/3187)
      Nov 02 18:36:22 : Teardown UDP connection 4778 for outside:194.72.6.57/53 to inside:192.168.1.100/3187 duration 0:02:01 bytes 49

      Which to me looks like it's working, but all of these types of connections seem to be 0:02:01 long, as if they have reached some sort of timeout.

      It can't be a config issue with the server as it works OK with the other static in place - I am totally stumped.



      • #4
        Re: ASA5510 Static NAT Email DNS Problem

        Try again using an internal server IP as the source IP, not the inside interface IP, with Packet Tracer.



        • #5
          Re: ASA5510 Static NAT Email DNS Problem

          Hey, thanks for the help. I did try the packet trace as you suggested and it failed with DNS Inspect Fail, but I think this was a red herring as the packet trace did this when DNS was working.

          I managed to figure out a working solution anyway.

          I created two dynamic NATs for both the web and SMTP server that used the outside interface address. I then created static NATs using PAT as I have done previously and hey presto, all is working as I want.

          Thanks for your time and assistance

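An added example, not the poster's configuration, reconstructing in pre-8.3 ASA syntax (the `static (inside,outside)` form used throughout this thread) what post #5 describes: a dynamic PAT entry for each inside host so their own outbound connections (DNS lookups, outgoing mail delivery, web browsing) are translated to the outside interface address, alongside the static PAT entries for inbound SMTP and HTTP. The addresses and ACL name come from the thread; the NAT ID `1` is assumed, and `123.123.123.123` is the placeholder the original post used for the outside address. Why the dynamic entries matter is visible in the log in post #3: in a `Built outbound UDP connection` message the address in parentheses is the translated one, so `192.168.1.100/3187 (192.168.1.100/3187)` shows the DNS query leaving with its private source address untranslated, which a public resolver cannot reply to, so the connection simply idles out at the default two-minute UDP timeout.

```cisco
! --- dynamic PAT (added example; pre-8.3 nat/global syntax) ---
! Outbound connections from the two servers are translated to the
! outside interface address. Without this, any traffic not covered by
! the port-specific static entries below (DNS, outgoing SMTP, browsing)
! leaves with its RFC 1918 source address and never gets a reply.
nat (inside) 1 192.168.1.100 255.255.255.255
nat (inside) 1 192.168.1.200 255.255.255.255
global (outside) 1 interface

! --- static PAT (port forwarding) for the inbound services, as in post #1 ---
! Static translations take precedence over the dynamic ones above.
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

! --- inbound ACL: only the two published ports, bound to the outside interface ---
! 123.123.123.123 is the placeholder outside address from the original post.
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http
access-group outside_access_in in interface outside

! --- verification (resolver 194.72.6.57 taken from the log in post #3) ---
! Trace with the server's real IP as source, as post #4 suggests:
! packet-tracer input inside udp 192.168.1.100 1025 194.72.6.57 53
! show xlate
! show run policy-map
```

The `global` command must carry the same NAT ID as the `nat` commands it serves. After this is in place, `packet-tracer` run from the server's real address should show the NAT phase rewriting the source to the interface address, and `show xlate` should list a PAT entry for the query rather than nothing. On the question in post #6: on ASA 8.x the default `global_policy` already contains `inspect dns preset_dns_map`, so `show run policy-map` will confirm whether it is still present.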


          • #6
            Re: ASA5510 Static NAT Email DNS Problem

            Have you enabled inspect DNS?
