Static Policy NAT problems

m.surtees
Level 1

Hi all,

I've got a problem - a LONG one... Policy (Static) NAT. PIX 515E running 7.2(1)24. Can't really get my head round the ASDM GUI; I use it but find it unilluminating, so I'll describe this situation using CLI output.

I've got a Svr (unfortunately MS, as I know this problem could be easily fixed on a Linux box) that sits in a DMZ; its intended functions are Mail Relay and DNS (SOA). Originally I tried a real (for mail) and a sub-interface (for DNS); we could use a secondary NIC, but I don't see that fixing this problem.

Real: 10.0.0.25 to xlate to 20.2.2.25 (mx1.xxx.com)

Sub: 10.0.0.53 to xlate to 20.2.2.53 (ns1.xxx.com)

Obviously it needs to be accessible from outside, so Statics are the way to go. Easily done you say, one-to-one, no probs. But remember I'm dealing with a Windoze Svr, and even though you can set up DNS to use a particular address (10.0.0.53), when lookups come in they are replied to using the primary address.

So someone outside does an nslookup to ns1.xxx.com (20.2.2.53), it gets xlated to 10.0.0.53, so far so good. But the reply from the server has src 10.0.0.25, which gets xlated to 20.2.2.25 on the way back (sets up its own connection slot), and the original host doing the lookup says "no thank-you" to the reply.

As I have said this is a Windoze fault but I have to make it work on the FW.

So I use Static Policy NAT because it is said that the same internal host can be xlated to different external addresses based on ACL policy, my thought process being that I just accept that the Windoze box is going to reply from the same real address anyway.

Attached are some relevant snips from my config (IPs changed to protect the innocent), the "sh xlate" output, and the syslog messages for good measure.

Thanks for your time, and any help much appreciated.

Mike

3 Replies

acomiskey
Level 10

Sounds like you're making it more difficult than it needs to be. Why not just do...

static (DMZ,outside) tcp 20.2.2.25 smtp 10.0.0.25 smtp netmask 255.255.255.255

static (DMZ,outside) udp 20.2.2.53 domain 10.0.0.25 domain netmask 255.255.255.255

access-list OUTSIDE extended permit udp any host 20.2.2.53 eq domain

access-list OUTSIDE extended permit tcp any host 20.2.2.25 eq smtp

Hmm ... Looks like I might have been making it more difficult than it needs to be. Was hoping it would be something like that rather than insufficient complexity - makes documentation easier :)

The reason I got that far was because I'm pretty sure I tried that earlier but still could not do nslookups to ns1.xxx.com. Unfortunately I still can't, but the captures I've been doing look like it is working.

Telnetting to ports 25 and 53 from outside works fine, so that is a good sign. UDP-53 for nslookups, as I say, looks good on the capture and on the access-lists.

On the syslog when trying an nslookup with ns1.xxx.com as server I do get build and teardown of udp-53 but I also get:

002pix %PIX-6-106100: access-list OUTSIDE denied icmp outside/205.205.205.205(3) -> DMZ/ns1.xxx.com(3) hit-cnt 1 first hit [0xb74026ad, 0x0]

I then enabled ICMP to ns1.xxx.com and my new syslog msg is:

002pix %PIX-4-313005: No matching connection for ICMP error message: icmp src outside:205.205.205.205 dst DMZ:ns1.xxx.com (type 3, code 3) on outside interface. Original IP payload: udp src ns1.asggroup.com.au/53 dst 205.205.205.205/6060.

Nevertheless this is definitely progress, and I thank you for that. It's possible there could be residual issues on the Windows DNS side, which I'll get those admins to look into tomorrow.

Thanks again,

Mike

Back to the same problem: Just to restate

Hi

On a PIX-515e running Ver 7.2(1)24

I have one DMZ host - 10.0.0.10 - running mail-relay and DNS (SOA)

I want to NAT smtp traffic to (resolved) mx1.blah and I want to NAT dns (both tcp-53 and udp-53, as zone transfers are involved) to ns1.blah

Closest I can get is:

static (DMZ,outside) tcp mx1.blah smtp 10.0.0.10 smtp netmask 255.255.255.255

static (DMZ,outside) ns1.blah 10.0.0.10 netmask 255.255.255.255

... but this does not work completely. Although from the outside I can connect to mx1.blah on tcp-25 and to ns1.blah on tcp-53, and I can do nslookups using ns1.blah as server, all outbound smtp traffic gets NATed to ns1.blah and not mx1.blah.

I've tried many other options. I won't put them all down here but will let you know if I've tried any suggestions you can offer.

Is it possible? Any help much appreciated

Regards,

Mike
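As an added example (this is not configuration posted by anyone in the thread, and it is not a fix confirmed on this page), here is how the two requirements stated in the post above can be expressed on PIX 7.x: service-specific inbound statics for one DMZ host, using the port-static form acomiskey suggested, plus a static policy NAT of the kind the original post mentions so that outbound SMTP from the same host is sourced from the MX address rather than the catch-all ns1 static. The interface names (DMZ, outside), the real address 10.0.0.10, the mapped names mx1.blah and ns1.blah and the OUTSIDE access-list name come from the thread; the SMTP_OUT access-list name and the outbound policy static are assumptions for illustration.

```cisco
! Added example, not from the thread. One DMZ host (10.0.0.10) published as
! two mapped addresses by service. Names mx1.blah / ns1.blah are assumed to
! resolve to the mapped outside addresses; SMTP_OUT is an assumed ACL name.
!
! Inbound: port statics, one per published service. Only these ports are
! reachable from outside, and the same real address can sit behind two
! mapped addresses because each static is keyed on the real port as well.
static (DMZ,outside) tcp mx1.blah smtp 10.0.0.10 smtp netmask 255.255.255.255
static (DMZ,outside) tcp ns1.blah domain 10.0.0.10 domain netmask 255.255.255.255
static (DMZ,outside) udp ns1.blah domain 10.0.0.10 domain netmask 255.255.255.255
!
! Outbound: a port static matches only when the REAL source port is 25, and
! an outbound SMTP client uses an ephemeral source port with destination 25,
! so none of the statics above apply to relayed mail. A non-port static for
! ns1.blah (as in the post above) would catch that traffic instead. A static
! policy NAT keyed on the destination port maps those flows to mx1.blah.
access-list SMTP_OUT extended permit tcp host 10.0.0.10 any eq smtp
static (DMZ,outside) mx1.blah access-list SMTP_OUT
!
! Interface ACL: permit only the published services toward the mapped addresses.
access-list OUTSIDE extended permit tcp any host mx1.blah eq smtp
access-list OUTSIDE extended permit tcp any host ns1.blah eq domain
access-list OUTSIDE extended permit udp any host ns1.blah eq domain
access-group OUTSIDE in interface outside
!
! Verification from the PIX CLI: expect one xlate per mapped port for the
! inbound statics, and an outbound connection to a remote MTA on port 25
! should appear with mx1.blah as its mapped source, not ns1.blah.
show xlate
show conn | include 10.0.0.10
```

Two caveats for anyone trying this. Overlapping static statements for the same real address are evaluated in configuration order, so keep the more specific port statics ahead of the policy static and confirm the result with show xlate rather than assuming it. Without a non-port static or a nat/global pair for 10.0.0.10, any other outbound traffic from the host (for example outbound DNS queries, which the post does not discuss) will have no translation and will be dropped, so check the syslog for denied or untranslated flows after the change.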
