
DNS Issues with Exchange 2000 behind ASA

Unanswered Question
Jul 7th, 2006

We've got an ASA5510 that is blocking outbound mail for certain domains (for other domains there's no problem, and there are no issues with inbound mail either). The mail server keeps logging "The DNS server encountered an invalid domain name in a packet from x.x.96.17. The packet is rejected." and the mail for those domains is held in the mail server's queues but isn't sent.

We changed the DNSs in the mail server but the problem continues, and we know for sure that the problem is the ASA because we installed the old firewall back and all the mail kept in the queues was immediately sent.


The address x.x.110.210 is the source IP of the outbound traffic from SRV_MAIL_ARRIOLA (which is the main mail server). I wonder if the command "global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240" is OK, or whether the netmask should be 255.255.255.255?


The SMTP inbound traffic for x.x.110.210 goes to SRV_SCM, which is the antispam server, but again, there's no problem with inbound mail.


****************
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.110.213 255.255.255.240

name 192.0.1.199 SRV_SCM
name 192.0.1.200 SRV_MAIL_ARRIOLA
name x.x.110.210 NAT_SRV_MAIL_ARRIOLA

global (OUTSIDE) 1 interface
global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 SRV_MAIL_PARINACO 255.255.255.255
nat (INSIDE) 2 SRV_SCM 255.255.255.255
nat (INSIDE) 2 SRV_MAIL_ARRIOLA 255.255.255.255
nat (INSIDE) 1 192.0.0.0 255.255.255.0
nat (INSIDE) 1 192.0.1.0 255.255.255.0
nat (INSIDE) 1 192.0.2.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA www SRV_MAIL_ARRIOLA www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA https SRV_MAIL_ARRIOLA https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA pop3 SRV_MAIL_ARRIOLA pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA 3389 SRV_MAIL_ARRIOLA 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA smtp SRV_SCM smtp netmask 255.255.255.255

object-group network SRVS_CON_SALIDA
 network-object host SRV_MAIL_PARINACO
 network-object host SRV_SCM
 network-object host SRV_MAIL_ARRIOLA
access-list INSIDE_access_in extended permit tcp object-group SRVS_CON_SALIDA any object-group HTTP-HTTPS-DNS-FTP-SMTP-POP3 log debugging
access-list INSIDE_access_in extended permit udp object-group SRVS_CON_SALIDA any eq domain log debugging

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns dns_map_test
 parameters
  no dns-guard
  no protocol-enforcement
  no nat-rewrite
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
  inspect esmtp
  inspect dns preset_dns_map
service-policy global_policy global
****************



What we suspect is that some default behavior of the service-policy is blocking some DNS queries, or maybe the "inspect esmtp" command is somehow blocking them.


The only remarkable logs that I captured are these, but they are from a couple of days ago, and I haven't seen them again.


3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)

3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)

I attached the config. Hope you can help us. Thanks in advance.
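The two log entries quoted above are in the pipe-delimited export format (severity|date|time|message id|source|destination|text). As an added example that is not part of the original post and not Cisco code, the Python below parses that format, pulls out the interface:host pairs and the ICMP type/code from the message text, and keeps only the translation-failure entries (message id 305006, the id shown in the post). ICMP type 3, code 3 is destination unreachable / port unreachable (RFC 792). The sample input is constructed from the two lines in the post plus one unrelated line (a made-up connection-built message) to show that other messages are left alone.

```python
import re
from collections import Counter

# Constructed sample input: the two pipe-delimited lines quoted in the post,
# plus one constructed unrelated line (message 302013, connection built) that
# the filter below should ignore.
SAMPLE_LOG = """\
3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)
3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)
6|Jul 04 2006|17:17:14|302013|SRV_MAIL_ARRIOLA|DNS1|Built outbound TCP connection 12345 for OUTSIDE:DNS1/53 to INSIDE:SRV_MAIL_ARRIOLA/1025
"""

# Field order of the export format, as seen in the post.
PIPE_FIELDS = ("severity", "date", "time", "msgid", "source", "destination", "text")
TRANSLATION_FAILED = "305006"

ICMP_RE = re.compile(r"\(type (\d+), code (\d+)\)")
SRC_DST_RE = re.compile(r"src (\S+?):(\S+) dst (\S+?):(\S+)")


def parse_line(line):
    """Split one pipe-delimited line into a dict; return None if it does not fit."""
    parts = line.rstrip("\n").split("|", len(PIPE_FIELDS) - 1)
    if len(parts) != len(PIPE_FIELDS):
        return None
    rec = dict(zip(PIPE_FIELDS, parts))
    rec["severity"] = int(rec["severity"])
    # "src INSIDE:HOST dst OUTSIDE:HOST" gives interface and host for each side.
    m = SRC_DST_RE.search(rec["text"])
    if m:
        rec["src_if"], rec["src"], rec["dst_if"], rec["dst"] = m.groups()
    # ICMP messages carry "(type N, code M)" at the end of the text.
    m = ICMP_RE.search(rec["text"])
    if m:
        rec["icmp_type"], rec["icmp_code"] = int(m.group(1)), int(m.group(2))
    return rec


def translation_failures(log):
    """Return the 305006 records, marking ICMP port-unreachable (type 3, code 3)."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msgid"] != TRANSLATION_FAILED:
            continue
        rec["port_unreachable"] = (
            rec.get("icmp_type") == 3 and rec.get("icmp_code") == 3
        )
        out.append(rec)
    return out


def count_by_flow(log):
    """Count translation failures per (source host, destination host) pair."""
    return Counter((r["src"], r["dst"]) for r in translation_failures(log))


if __name__ == "__main__":
    for (src, dst), n in count_by_flow(SAMPLE_LOG).items():
        print(f"{n} x translation creation failed: {src} -> {dst}")
    for r in translation_failures(SAMPLE_LOG):
        if r["port_unreachable"]:
            print(f"{r['date']} {r['time']}: ICMP port unreachable from "
                  f"{r['src_if']}:{r['src']} toward {r['dst_if']}:{r['dst']}")
```

Grouping by (source, destination) is what makes a short export useful: a handful of 305006 entries all pointing from the mail server at the same DNS server stand out immediately, whereas the same lines scattered among connection-built messages do not.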



Fernando_Meza Sat, 07/08/2006 - 02:29

Hi .. you need to specify a mask of 255.255.255.255 for your global NAT ... instead of .240


I hope it helps ... please rate if it does !!!!
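The question above asks whether the "global (OUTSIDE) 2" line should carry a /32 mask, and this reply says it should. As an added example that is not from the thread and not Cisco code, the Python below reads the relevant lines of the poster's configuration (the redacted public address x.x.110.210 is replaced by the documentation address 203.0.113.210 so the sample runs offline), resolves the "name" aliases, flags any global pool that names a single address but uses a netmask other than 255.255.255.255, emits the corrected line, and separately checks that every nat id has a global line with the same id (the nat/global pairing model this config uses). The field names and the finding dictionary layout are this example's own choices.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the poster's ASA config, with the
# redacted public address x.x.110.210 replaced by the documentation address
# 203.0.113.210 so the example runs offline.
SAMPLE_CONFIG = """\
name 192.0.1.199 SRV_SCM
name 192.0.1.200 SRV_MAIL_ARRIOLA
name 203.0.113.210 NAT_SRV_MAIL_ARRIOLA
global (OUTSIDE) 1 interface
global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 SRV_MAIL_PARINACO 255.255.255.255
nat (INSIDE) 2 SRV_SCM 255.255.255.255
nat (INSIDE) 2 SRV_MAIL_ARRIOLA 255.255.255.255
nat (INSIDE) 1 192.0.1.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA smtp SRV_SCM smtp netmask 255.255.255.255
"""

HOST_MASK = ipaddress.IPv4Address("255.255.255.255")
NAME_RE = re.compile(r"^name (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")


def parse_names(config):
    """Map 'name <ip> <alias>' entries to {alias: ip}."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def resolve(token, names):
    """Turn an alias or literal into a dotted-quad string; unknown aliases pass through."""
    literal = names.get(token, token)
    try:
        return str(ipaddress.IPv4Address(literal))
    except ValueError:
        return literal


def check_globals(config):
    """Report global pools that name one address but use a non-host netmask.

    Each finding carries the line number, the resolved address, the mask as
    written, and the corrected line (netmask 255.255.255.255).
    """
    names = parse_names(config)
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        m = GLOBAL_RE.match(raw.strip())
        if not m:
            continue
        iface, pool_id, addr, mask = m.groups()
        if addr == "interface" or "-" in addr:
            continue  # PAT on the interface address, or an explicit address range
        if mask is None or ipaddress.IPv4Address(mask) == HOST_MASK:
            continue  # no mask written, or already a host mask
        findings.append({
            "line": lineno,
            "pool_id": int(pool_id),
            "address": resolve(addr, names),
            "mask": mask,
            "fixed": f"global ({iface}) {pool_id} {addr} netmask 255.255.255.255",
        })
    return findings


def unpaired_nat_ids(config):
    """nat ids (other than 0, the exemption id) with no global line of the same id."""
    global_ids, nat_ids = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        g = GLOBAL_RE.match(line)
        if g:
            global_ids.add(int(g.group(2)))
        n = NAT_RE.match(line)
        if n and int(n.group(2)) != 0:
            nat_ids.add(int(n.group(2)))
    return sorted(nat_ids - global_ids)


if __name__ == "__main__":
    for f in check_globals(SAMPLE_CONFIG):
        print(f"line {f['line']}: pool {f['pool_id']} is the single address "
              f"{f['address']} but is written with netmask {f['mask']}")
        print(f"  suggested: {f['fixed']}")
    print("nat ids without a matching global:", unpaired_nat_ids(SAMPLE_CONFIG))
```

On the sample the checker reports line 5 and proposes "global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.255", which is the change this reply recommends; the nat/global pairing check comes back empty because ids 1 and 2 both have a global line.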


