ASA 5510 DNS translation fails over TCP, UDP OK

tecxperts
Level 1

We recently installed an ASA 5510 with an inside and DMZ network. There is a Windows SMTP server on the inside, and multiple Windows 2000 Servers on the DMZ side.

DNS Doctoring is set up and working on both sides; the DNS servers are on the Internet.

The DMZ servers can no longer send email destined for the SMTP server on the inside network. The problem is that the DNS MX reply returns the public IP, not the proper private IP. However, the DNS MX record resolves fine for that server on the inside network with an nslookup, and all other traffic works.

After a lot of head banging, I found that DNS translation works over UDP, but if I force nslookup to use DNS over TCP, the translation doesn't happen. The SMTP DNS request is being sent over TCP for some reason, which I haven't been able to affect. I have turned off the maximum 512-byte DNS limitation, but that still didn't allow the UDP version to go through.

Does anyone know how to force the DNS translation to happen when the computer resorts to DNS over TCP?

I can post the relevant config if it will help.

I'll appreciate any help or suggestions anyone can provide. - Thanks!

3 Replies

Marwan ALshawi
VIP Alumni

I think it would be better if you post it.

Attached is the config if it helps, Thanks.

Resolved!

In case anyone else runs into this, here was what caused the issue:

When configuring the NAT to allow the Inside network to talk to the DMZ, I NATed an inside IP to a DMZ IP (i.e. both private IPs for their networks):

static (Inside,dmz) 10.1.9.60 10.1.10.60 netmask 255.255.255.255

should have been:

static (Inside,dmz) 61.x.x.60 10.1.10.60 netmask 255.255.255.255

I had to modify the security rules to get it working, but that was simple after the rest.
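The two mechanisms the thread turns on, DNS doctoring of a reply and the destination translation done by a `static (Inside,dmz) <mapped> <real>` entry, are modelled below in an added Python example. It is not code from the thread or from Cisco, and it is a simplified model, not the ASA's actual inspection or NAT-matching logic: the rewrite table is handed to `doctor_reply()` directly, and `inspected=False` simply reproduces the outcome the poster observed for the TCP-carried lookup (the reply comes back untouched). The DNS reply, the NAT tables and all addresses are constructed; `61.0.0.60` stands in for the thread's `61.x.x.60`. Two points it makes concrete: an MX answer carries a name, so the address the mail server connects to is the glue A record in the additional section, and that is the record doctoring rewrites; and with the corrected static, a DMZ host that connects to the undoctored public address is still translated to the inside server, whereas the original static only matched `10.1.9.60`.

```python
"""ASA-style DNS doctoring and static NAT, modelled in Python.

Added example; not code from the original thread or from Cisco, and a
simplified model rather than the ASA's own matching logic. All addresses
are constructed; 61.0.0.60 stands in for the thread's 61.x.x.60.
"""
import ipaddress
import struct

TYPE_A, TYPE_MX = 1, 15
PUBLIC_IP, INSIDE_IP, DMZ_SIDE_IP = "61.0.0.60", "10.1.10.60", "10.1.9.60"

# 'static (Inside,dmz) <mapped> <real>' as {("Inside", "dmz"): {mapped: real}}
ORIGINAL_NAT = {("Inside", "dmz"): {DMZ_SIDE_IP: INSIDE_IP}}   # the broken line
CORRECTED_NAT = {("Inside", "dmz"): {PUBLIC_IP: INSIDE_IP}}    # the fix


def encode_name(name):
    """Encode 'mail.example.com' as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_mx_reply(qname, mx_target, target_ip, txid=0x1234):
    """Constructed DNS reply: one MX answer plus the glue A record for its target."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)  # QR,RD,RA; 1 Q, 1 AN, 1 AR
    question = encode_name(qname) + struct.pack("!HH", TYPE_MX, 1)
    mx_rdata = struct.pack("!H", 10) + encode_name(mx_target)   # preference 10 + name
    answer = encode_name(qname) + struct.pack("!HHIH", TYPE_MX, 1, 300, len(mx_rdata)) + mx_rdata
    glue = encode_name(mx_target) + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    return header + question + answer + glue + ipaddress.IPv4Address(target_ip).packed


def skip_name(buf, off):
    """Offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def iter_rrs(buf):
    """Yield (rtype, rdata_offset, rdlen) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen


def a_records(msg):
    """All A-record addresses in a reply, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for t, o, n in iter_rrs(msg) if t == TYPE_A and n == 4]


def doctor_reply(msg, rewrite, inspected=True):
    """Rewrite A records whose address is in `rewrite` (mapped -> real).

    inspected=False models a reply the inspection engine never saw; the poster
    observed exactly that for the TCP-carried lookup. Returns (msg, rewrites)."""
    if not inspected:
        return msg, []
    buf, done = bytearray(msg), []
    for rtype, off, rdlen in iter_rrs(buf):
        if rtype != TYPE_A or rdlen != 4:
            continue                            # MX RDATA holds a name, not an address
        addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if addr in rewrite:
            buf[off:off + 4] = ipaddress.IPv4Address(rewrite[addr]).packed
            done.append((addr, rewrite[addr]))
    return bytes(buf), done


def translate_dst(nat, ingress_if, dst):
    """Destination NAT for a packet entering on ingress_if.

    Returns (egress_if, real_dst) from the first 'static (real_if,ingress_if)'
    whose mapped address equals dst, or None when no static applies."""
    for (real_if, mapped_if), entries in nat.items():
        if mapped_if == ingress_if and dst in entries:
            return real_if, entries[dst]
    return None


if __name__ == "__main__":
    reply = build_mx_reply("example.com", "mail.example.com", PUBLIC_IP)
    print("A records in raw reply:       ", a_records(reply))
    print("after doctoring (UDP case):   ", a_records(doctor_reply(reply, {PUBLIC_IP: INSIDE_IP})[0]))
    print("not inspected (TCP case):     ", a_records(doctor_reply(reply, {PUBLIC_IP: INSIDE_IP}, False)[0]))
    print("dmz -> public IP, original:   ", translate_dst(ORIGINAL_NAT, "dmz", PUBLIC_IP))
    print("dmz -> public IP, corrected:  ", translate_dst(CORRECTED_NAT, "dmz", PUBLIC_IP))
```

Run it as a script to see the four outcomes side by side. The check a practitioner wants from this model is the last pair of lines: an undoctored reply is only a problem if nothing on the DMZ interface translates the public address, which is exactly what the original static failed to do.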
