I've got a problem - a LONG one... Policy (Static) NAT. Pix 515e running 7.2(1)24. Can't really get my head round the ASDM GUI, I use it but find it un-illuminating so I'll describe this situation using CLI output.
I've got a Svr (unfortunately MS, as I know this problem could be easily fixed on a Linux box) that sits in a DMZ and intended functions are Mail Relay and DNS (SOA). Originally tried a real (for mail) and a sub-interface (for DNS), we could use a secondary NIC but I don't see that fixing this problem.
Real: 10.0.0.25 to xlate to 220.127.116.11 (mx1.xxx.com)
Sub: 10.0.0.53 to xlate to 18.104.22.168 (ns1.xxx.com)
Obviously need to be accessible from outside so Statics are the way to go. Easily done you say, one-to-one, no probs. But remember I'm dealing with a Windoze Svr and even though you can set up DNS to use a particular address (10.0.0.53) when lookups come in they are replied using the primary address.
So someone outside does an nslookup to ns1.xxx.com (22.214.171.124), it gets xlated to 10.0.0.53, so far so good. But the reply from the server has src 10.0.0.25, which gets xlated to 126.96.36.199 on the way back (sets up its own connection slot) and the original host doing the lookup says "no thank-you" to the reply.
As I have said this is a Windoze fault but I have to make it work on the FW.
So I use Static Policy NAT because it is said that the same internal host can be xlated to different external addresses based on ACL policy. My thought process being that I just accept that the Windoze box is going to reply from the same real address anyway.
Attached are some relevant snips from my config (IPs changed to protect the innocent), the "sh xlate" output, and the syslog messages for good measure.
Hmm ... Looks like I might have been making it more difficult than it needs to be. Was hoping it would be something like that rather than insufficient complexity - makes documentation easier :)
Reason I got that far was because I'm pretty sure I tried that earlier, but still could not do nslookups to ns1.xxx.com. Unfortunately I still can't. But the captures I've been doing look like it is working.
Telnetting to ports 25 and 53 from outside works fine, so that is a good sign. UDP-53 for nslookups, as I say, looks good on the capture and on the access-lists.
On the syslog when trying an nslookup with ns1.xxx.com as server I do get build and teardown of udp-53 but I also get:
002pix %PIX-6-106100: access-list OUTSIDE denied icmp outside/188.8.131.52(3) -> DMZ/ns1.xxx.com(3) hit-cnt 1 first hit [0xb74026ad, 0x0]
I then enabled ICMP to ns1.xxx.com and my new syslog msg is:
002pix %PIX-4-313005: No matching connection for ICMP error message: icmp src outside:184.108.40.206 dst DMZ:ns1.xxx.com (type 3, code 3) on outside interface. Original IP payload: udp src ns1.asggroup.com.au/53 dst 220.127.116.11/6060.
Nevertheless this is definitely progress and I thank you for that. It's possible there could be residue issues on the Windows DNS side which I'll get those admins to look into tomorrow.
... but this does not work completely. Although from the outside I can connect to mx1.blah on tcp-25 and to ns1.blah on tcp-53, and I can do nslookups using ns1.blah as server, all outbound SMTP traffic gets NATed to ns1.blah and not mx1.blah.
I've tried many other options. I won't put them all down here but will let you know if I've tried any suggestions you can offer.
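An added example of the policy-static layout the thread is circling around, written from the description above rather than taken from the poster's attachments. It assumes the interface names (DMZ, outside), the real host 10.0.0.25 and the two public addresses from the first post; the ACL name DNS_TO_NS1 and the object names are my own. The idea is to key the ns1 translation on the server's source port rather than on a second real address, so the Windows DNS reply that leaves from the primary address is still mapped to ns1, while everything else from the same host (outbound SMTP included) falls through to the mx1 static.

```cisco
! Added example, not the poster's running config.
! Real host 10.0.0.25 is presented as two public addresses:
!   ns1 = 18.104.22.168  (DNS)   mx1 = 220.127.116.11  (mail)
name 18.104.22.168 ns1-public
name 220.127.116.11 mx1-public

! Policy ACL is written from the DMZ (real) side. Anything the server
! sources from TCP/UDP port 53 is DNS traffic it is answering, and must
! leave as ns1. The PIX applies the reverse of this ACL to inbound
! packets, so a query from outside to ns1-public:53 is untranslated
! to 10.0.0.25:53 by the same statement.
access-list DNS_TO_NS1 extended permit udp host 10.0.0.25 eq domain any
access-list DNS_TO_NS1 extended permit tcp host 10.0.0.25 eq domain any

! Statics are matched in configuration order, first match wins, so the
! narrow policy static goes BEFORE the catch-all one-to-one static.
! If these two lines are swapped, every packet from 10.0.0.25 (including
! DNS answers) would match the mx1 static and the ns1 mapping would
! never be used.
static (DMZ,outside) ns1-public access-list DNS_TO_NS1
static (DMZ,outside) mx1-public 10.0.0.25 netmask 255.255.255.255

! On 7.x the interface ACL is written against the mapped (public)
! addresses. Only the two services are exposed; no other inbound traffic
! to either public address is allowed.
access-list OUTSIDE extended permit tcp any host mx1-public eq smtp
access-list OUTSIDE extended permit udp any host ns1-public eq domain
access-list OUTSIDE extended permit tcp any host ns1-public eq domain
access-group OUTSIDE in interface outside

! Note: queries the server itself originates (recursion, forwarders)
! use an ephemeral source port, so they go out as mx1-public, not ns1.
! That is harmless for recursion but worth knowing when reading captures.
```

After applying, `show xlate` should show a single real address with two mapped addresses, and an outbound SMTP test from the server should appear in the syslog with mx1-public as the translated source.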