ASA5510 Static NAT email dns problem

14 years 10 months ago #32562 by c8lzero
Hi, I was wondering if anyone can help with the config for an ASA5510.

I have an inside and outside network with one external IP address provided by the ISP. The email server (192.168.1.100) sits on the inside network and I can successfully configure the ASA to allow email to be sent and received using the config below:

static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp

Great!!! But when I then try to configure another static NAT to a web server (192.168.1.200) on the inside network using the same outside interface, I am unable to add it, as it conflicts with the existing static NAT.

Instead, I configured the first static NAT to use PAT for SMTP and then configured another static NAT using PAT for the web server. Config below:

static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http

Now external connections can reach the web server and email server.


BUT

The email server is unable to send email; it is unable to resolve domain names to IP addresses. I can't even do an nslookup on google.com, and all web browsing from the server stops (the default gateway of the email server is the ASA's LAN IP, obviously).

Looking at the logs I see DNS packets (UDP 53) going to the ISP's DNS servers on the internet, but the names never seem to resolve. The source is always the email server on port 53, but the reply from the internet DNS server seems to come back on different ports, which don't have static NATs.

I hope this makes sense to you guys so far; any help or pointers would be appreciated.

I have tried creating static NATs and ACLs for TCP/UDP port 53, but it makes no difference.
14 years 10 months ago #32575 by S0lo
Static NAT/PAT supersedes both policy NAT and regular NAT commands. Although I don't think this is the problem, how are the nat commands configured?

It would help if you post the full config of the ASA. You can mask out any private data.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
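To make c8lzero's symptom and S0lo's question about the nat commands concrete, here is an added Python model (an editor's illustration, not code from the thread or from Cisco) of which outbound flows each pre-8.3 rule type covers: a full static covers every port of the host, a static PAT covers only its one service port, and anything else needs a dynamic nat/global pair. The third rule set, which adds a dynamic PAT for the LAN, is the editor's assumption about what the full config would need and is not stated anywhere in the thread; the DNS and web flows are constructed from the description in the first post.

```python
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE_IP = "123.123.123.123"   # the single ISP address quoted in the thread
MAIL_SERVER = "192.168.1.100"

@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int

@dataclass(frozen=True)
class Rule:
    kind: str                        # "static" | "static_pat" | "dynamic_pat"
    real: str                        # inside host, or "192.168.1." prefix for dynamic_pat
    proto: Optional[str] = None      # static_pat only
    real_port: Optional[int] = None  # static_pat only

def translate(flow: Flow, rules: List[Rule]) -> Optional[str]:
    """Translated source address, or None when no rule covers the flow (no way back for replies)."""
    for r in rules:  # static entries are matched before dynamic ones
        if r.kind == "static" and flow.src_ip == r.real:
            return OUTSIDE_IP   # every protocol and port of that host
        if (r.kind == "static_pat" and flow.src_ip == r.real
                and flow.proto == r.proto and flow.src_port == r.real_port):
            return OUTSIDE_IP   # only the one service port
    for r in rules:
        if r.kind == "dynamic_pat" and flow.src_ip.startswith(r.real):
            return OUTSIDE_IP   # nat (inside) 1 <net> / global (outside) 1 interface
    return None

# Config 1 from the thread: static (inside,outside) interface 192.168.1.100 ...
ONLY_STATIC = [Rule("static", MAIL_SERVER)]
# Config 2 from the thread: the two static PAT lines for smtp and http
STATIC_PAT = [Rule("static_pat", MAIL_SERVER, "tcp", 25),
              Rule("static_pat", "192.168.1.200", "tcp", 80)]
# Config 3 (editor's assumption, not in the thread): config 2 plus dynamic PAT for the LAN
WITH_DYNAMIC = STATIC_PAT + [Rule("dynamic_pat", "192.168.1.")]

# Constructed flows: the mail server's outbound DNS query (source port 53, as the
# logs describe) and an ordinary outbound web request from the same host.
DNS_QUERY = Flow("udp", MAIL_SERVER, 53)
WEB_BROWSE = Flow("tcp", MAIL_SERVER, 49152)

def covered(rules: List[Rule]) -> dict:
    """Whether each constructed flow receives a translation under a rule set."""
    return {"dns": translate(DNS_QUERY, rules) is not None,
            "web": translate(WEB_BROWSE, rules) is not None}
```

Under the two static PAT lines alone, inbound smtp and http are still translated, but the mail server's own DNS query and web requests get no translation, which matches the symptom described; the dynamic rule restores them.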