TOPIC: ASA5510 Static NAT email dns problem

ASA5510 Static NAT email dns problem 6 years 10 months ago #32562

  • c8lzero
  • New Member
  • Posts: 1
  • Karma: 0
Hi, I was wondering if anyone can help with the config for an ASA5510.

I have an inside and outside network with one external IP address provided by the ISP. The email server (192.168.1.100) sits on the inside network and I can successfully configure the ASA to allow email to be sent and received using the config below:

static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp

Great!!! But when I then try to configure another static NAT to a web server (192.168.1.200) on the inside network using the same outside interface, I am unable to add it as it conflicts with the existing static NAT.

Instead, I configured the first static NAT to use PAT for SMTP and then configured another static NAT using PAT for the web server. Config below:

static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http

Now external connections can reach the Web Server and Email Server.


BUT

The email server is unable to send email; it is unable to resolve domain names to IP addresses. I can't even do an nslookup on google.com, and all web browsing from the server stops (the default gateway of the Email server is the ASA's LAN IP, obviously).

Looking at the logs I see DNS packets (UDP 53) going to the ISP's DNS servers on the internet, but it never seems to resolve them. The source is always the email server port 53, but the reply from the internet DNS server seems to be on different ports which don't have static NATs.

I hope this makes sense to you guys so far; any help or pointers would be appreciated.

I have tried creating static NATs and ACLs for TCP/UDP port 53 but it makes no difference.
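The behaviour described in the post follows from how translation works on pre-8.3 ASA code: a one-to-one static translates every packet to or from the host, while a port-based static PAT translates only the listed port, so the mail server's other outbound traffic (DNS on UDP/53, web browsing) is left with no translation. The fragment below is an added example, not configuration from the thread; it keeps the poster's addresses and assumes ASA 8.2-style nat/global syntax, with dynamic PAT to the outside interface for everything the static PAT entries do not cover.

```cisco
! Before: one-to-one static NAT. Every packet from 192.168.1.100, on any
! protocol or port, is translated to the outside interface address, so the
! server's own DNS queries (UDP/53) and web browsing leave translated.
! It also claims the whole public address, which is why a second static
! for 192.168.1.200 on the same interface conflicts.
static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255

! After: port-based static PAT. Only TCP/25 to the mail server and TCP/80 to
! the web server (and their return traffic) are translated. Nothing else from
! either host is, so the mail server's outbound DNS has no translation and
! never receives a usable reply.
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp interface http 192.168.1.200 http netmask 255.255.255.255

! What the PAT-only configuration is missing: a dynamic translation for all
! other outbound traffic. Inside hosts share the outside interface address and
! the ASA chooses the source port, so DNS replies return to that port and match
! the dynamic xlate rather than a static entry. (Assumed addition; the thread
! does not show the rest of the running config.)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound ACL as posted: only the published ports are reachable from outside,
! which is the security benefit of moving from 1:1 static NAT to static PAT.
! The access-group binding is assumed; the thread does not show it.
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq smtp
access-list outside_access_in extended permit tcp any host 123.123.123.123 eq http
access-group outside_access_in in interface outside
```

After applying the dynamic PAT, `show xlate` on the ASA should list a translation for 192.168.1.100 on UDP/53 when the server resolves a name; with only the two static PAT entries in place it will not.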

Re: ASA5510 Static NAT email dns problem 6 years 10 months ago #32575

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Static NAT/PAT supersedes both policy NAT and regular NAT commands. Although I don't think this is the problem, how are the nat commands configured?

It would help if you post the full config of the ASA. You can mask out any private data.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx