Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static Policy NAT problems

Hi all,

I've got a problem - a LONG one... Policy (Static) NAT. Pix 515e running 7.2(1)24. Can't really get my head round the ASDM GUI, I use it but find it un-illuminating so I'll decribe this situation using CLI output.

I've got a Svr (unfortunately MS, as I know this problem could be easily fixed on a Linux box) that sits in a DMZ and intended functions are Mail Relay and DNS (SOA). Originally tried a real (for mail) and a sub-interface (for DNS), we could use a secondary NIC but I don't see that fixing this problem.

Real: 10.0.0.25 to xlate to 20.2.2.25 (mx1.xxx.com)

Sub: 10.0.0.53 to xlate to 20.2.2.53 (ns1.xxx.com)

Obviously need to be accessable from outside so Statics are the way to go. Easily done you say, one-to-one, no probs. But remember I'm dealing with a Windoze Svr and even though you can set up DNS to use a particular address (10.0.0.53) when lookups come in they are replied using the primary address.

So someone outside does an nslookup to ns1.xxx.com (20.2.2.53), it gets xlated to 10.0.0.53, so far so good. But the reply from the server has src 10.0.0.25, which gets xlated to 20.2.2.25 on the way back (sets up it's own connection slot) and the original host doing the lookup says "no thank-you" to the reply.

As I have said this is a Windoze fault but I have to make it work on the FW.

So I use Static Policy NAT because it is said that the same internal host can be xlated to different external addresses based on ACL policy. My thought process being that I just accept that the Windoze box is going to reply from the same real address anyway.

Attached are some relevant snips from my config (IP's changed to protect the innocent), the "sh xlate" output, and the sylog messages for good measure

Thanks for you time and any help much appreciated

Mike

3 REPLIES
Green

Re: Static Policy NAT problems

Sounds like you're making it more difficult than it needs to be. Why not just do...

static (DMZ,outside) tcp 20.2.2.25 smtp 10.0.0.25 smtp netmask 255.255.255.255

static (DMZ,outside) udp 20.2.2.53 domain 10.0.0.25 domain netmask 255.255.255.255

access-list OUTSIDE extended permit udp any host 20.2.2.53 eq domain

access-list OUTSIDE extended permit tcp any host 20.2.2.25 eq smtp

New Member

Re: Static Policy NAT problems

Hmm ... Looks like I might have been making it more difficult than it needs to be. Was hoping it would be something like that rather than insufficient complexity - makes documentation easier :)

Reason I got that far was because I'm pretty sure I tried that earlier, but still could not do nslookups to ns1.xxx.com. Unfortunately I still can't. But the captures I've been doing look like it is working.

Telneting to ports 25 and 53 from outside work fine, so that is good sign. UDP-53 for nslookups, as I say, looks good on the capture and on the access-lists.

On the syslog when trying an nslookup with ns1.xxx.com as server I do get build and teardown of udp-53 but I also get:

002pix %PIX-6-106100: access-list OUTSIDE denied icmp outside/205.205.205.205(3) -> DMZ/ns1.xxx.com(3) hit-cnt 1 first hit [0xb74026ad, 0x0]

I then enabled ICMP to ns1.xxx.com and my new syslog msg is:

002pix %PIX-4-313005: No matching connection for ICMP error message: icmp src outside:205.205.205.205 dst DMZ:ns1.xxx.com (type 3, code 3) on outside interface. Original IP payload: udp src ns1.asggroup.com.au/53 dst 205.205.205.205/6060.

Nevertheless this is definitely progress and I thank you for that. It's possible there could be residue issues on the Windows DNS side which I'll get those admins to look into tomorrow.

Thanks again,

Mike

New Member

Re: Static Policy NAT problems

Back to the same problem: Just to restate

Hi

On a PIX-515e running Ver 7.2(1)24

I have one DMZ host - 10.0.0.10 - running mail-relay and DNS (SOA)

I want to NAT smtp traffic to (resolved) mx1.blah and I want to NAT dns (both tcp-53 and udp-53 as zone transfers are invloved) to ns1.blah

Closest I can get is:

static (DMZ,outside) tcp mx1.blah smtp 10.0.0.10 smtp netmask 255.255.255.255

static (DMZ,outside) ns1.blah 10.0.0.10 netmask 255.255.255.255

... but this does not work completely. Although from the outside I can connect to mx1.blah on tcp-25 and to nx1.blah on tcp-53, and I can do nslookups using ns1.blah as server, all outbound smtp traffic gets NATed to ns1.blah and not mx1.blah.

I've tried many other options. I won't put them all down here but will let you know if I've tried any suggestions you can offer.

Is it possible? Any help much appreciated

Regards,

Mike

215
Views
0
Helpful
3
Replies
CreatePlease login to create content