Skip to main content

ASA5510 Static NAT email dns problem

More
15 years 3 weeks ago #32562 by c8lzero
Hi, I was wondering if anyone can help with the config for an ASA5510.

I have an inside and outside network with one external IP address provided by the ISP. The email server (192.168.1.100) sits on the inside network and I can successfully configure the ASA to allow email to be sent and received using the config below:

static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp

Great!!! But when I then try to configure another static NAT to a web server (192.168.1.200) on the inside network using the same outside interface. I am unable to add it as it conflicts with the existing static NAT.

Instead, I configured the first static NAT to use PAT for SMTP and then configured another static NAT using PAT for the web server. Config below:

static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http

Now external connections can reach the Web Server and Email Server


BUT

The email server is unable to send email, it is unable to resolve the domain names to IP addresses. I can't even do an nslookup on google.com and all web browsing from the server stops (the default gateway of the Email server is the ASA's LAN IP obviously).

Looking at the logs I see DNS packets (UDP 53) accessing the ISP's DNS servers on the internet but it never seems to resolve them. The source is always the email server port 53 but the reply from the internet DNS server seems to be on different ports which don't have static NAT's

I hope this makes sense to you guys so far any any help or pointers would be appreciated.

I have tried creating Static NAT's and ACL's for TCP/UDP Port 53 but it makes no difference.
More
15 years 2 weeks ago #32575 by S0lo
Static nat/pat super seeds both policy nat and regular nat commands. Although I don't think this is the problem, but how are the nat commands configured?

It would help if you post the full config of the ASA. You can mask out any private data.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.116 seconds