Webmail not opening from inside IPs

Dear All,

We are unable to access webmail from inside IPs using https://mail.companyname, but we can access the same thing from the outside internet.

We use an IP from our public IP pool for PAT as well as for this webmail NATting.

Is there any way we can access webmail from inside IPs?

We have ASA 8.2(1).

Thanks


11 Replies

Kureli Sankar (Cisco Employee)

Shibu,

When you ping mail.company name from the inside hosts, what do you get? The inside IP of webmail or the outside IP of webmail?

Where is your DNS server?

Is this an internal DNS server?

Why doesn't it resolve to the inside IP of webmail?

In the browser, enter http://inside_ip_address/exchange and see if it loads (I am assuming it is Exchange).

If it does, then please change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company.


-KS

Dear Kusankar,

Thanks for the reply.

Please find my answers.

When you ping mail.company name from the inside hosts, what do you get? The inside IP of webmail or the outside IP of webmail?

I get the outside IP of webmail when I ping mail.company.net.

Where is your DNS server?

On the PCs we have a local server as the DNS server. In the DNS server we have given our ISP's DNS servers' IPs in the forwarder list.

Is this an internal DNS server?

On the PCs we have a local server as the DNS server. In the DNS server we have given our ISP's DNS servers' IPs in the forwarder list.

Why doesn't it resolve to the inside IP of webmail?

In the browser, enter http://inside_ip_address/exchange and see if it loads (I am assuming it is Exchange).

If it does, then please change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company.

How do I do this DNS handout?

Please find below a partial configuration of my ASA.

dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.186 255.255.255.252
!
interface Ethernet0/1
 nameif BACKUP
 security-level 0
 ip address *.202 255.255.255.248
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.10.10.10 255.255.255.0

access-list outside_access_in extended permit tcp any host 94.200.* eq https

global (outside) 1 interface
global (outside) 3 94.*
global (BROADCAST) 2 10.20.2.11-10.20.2.15 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 access-list INSIDE_BROADCAST
nat (INSIDE) 3 access-list ROUTE_ADSL
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,outside) 94.* CASServer2 netmask 255.255.255.255
access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 94.* 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 94.* 254
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
  inspect esmtp
 class class-default
  flow-export event-type all destination 10.10.2.16 10.10.2.26
policy-map my-ips-policy
 class my-ips-class
  ips inline fail-open

Thanks

Who manages your inside DNS server? Is this a Microsoft DNS server? It needs to be done there.

Create a zone file for your domain and add "A" records for all the sites that you host, like:

ftp.mycompany.com

mail.mycompany.com

www.mycompany.com

Make sure mail.mycompany.com points to 10.10.10.x.

-KS

Hello Shibu,

I hope you are doing great. This is a very common issue. You can use one of the following options:

1 - Create a U-turn config. Say the static for your server is

    static (inside,outside) netmask 255.255.255.255

You can add another one like this:

    static (inside,inside) netmask 255.255.255.255
    global (inside) 1 interface
    same-security-traffic permit intra-interface

2 - Change the IP address on the DNS server: for the domain name of your webmail, instead of resolving to the public address, resolve to the private one. That traffic will then remain local.

Any of those options can work for you. If you have any questions regarding any of these options, let us know; we will be more than glad to help you.

Mike

Dear both,

Thanks again for your kind help.

I tried the suggested first option, but still I am unable to access webmail from inside:

static (INSIDE,outside) 94.*.*. CASServer2 netmask 255.255.255.255
static (INSIDE,INSIDE) 94.*.*. CASServer2 netmask 255.255.255.255
global (inside) 1 interface
same-security-traffic permit intra-interface

Please help further to sort out this issue.

Thanks in advance

Hello Shibu,

Would you please paste the output of the following command?

packet-tracer input inside tcp 10.10.10.12 1025 443

Thanks!

Mike

Dear,

Please find below the trace:

ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.X 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.*.* CASServer2 netmask 255.255.255.255
  match ip INSIDE host CASServer2 INSIDE any
    static translation to 94.*.*
    translate_hits = 0, untranslate_hits = 365
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 161, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510-1#

Latest trace

========

ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.* 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.* CASServer2 netmask 255.255.255.255
  match ip INSIDE host CASServer2 INSIDE any
    static translation to 94.*
    translate_hits = 0, untranslate_hits = 420
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 194, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510-1#
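A small parser for `packet-tracer` output of the kind pasted above, added here as an example (not code from the thread or from Cisco): it pulls out the phase that returned DROP, the config line behind it and the Drop-reason, and when that phase is a `nat` rule reporting "No matching global" it names the `global` line to look for on the egress interface. The embedded trace is a constructed, trimmed copy of the one above with the redacted public address written as 94.x.x.x.

```python
"""Parse Cisco ASA packet-tracer output and explain a DROP (added example,
not from the thread). SAMPLE_TRACE is a constructed, trimmed copy of the
trace posted above; the redacted public address is left as 94.x.x.x."""
import re

SAMPLE_TRACE = """\
Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)
Additional Information:

Result:
output-interface: INSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(body):
    """One dict per 'Phase:' block: Phase, Type, Result and the Config text."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", body.strip()):
        fields = dict(re.findall(r"^(Phase|Type|Result): ?(.*)$", block, re.M))
        cfg = re.search(r"^Config:\n(.*?)^Additional Information:", block, re.S | re.M)
        fields["Config"] = cfg.group(1).strip() if cfg else ""
        if fields.get("Phase"):  # skip any prompt/header text before the first phase
            phases.append(fields)
    return phases


def explain_drop(trace):
    """Return (phase type, offending config line, drop reason, hint), or None if allowed."""
    body, _, footer = trace.partition("\nResult:\n")  # footer = final summary block
    drop = next((p for p in parse_phases(body) if p.get("Result") == "DROP"), None)
    if drop is None:
        return None
    reason = re.search(r"^Drop-reason: (.*)$", footer, re.M)
    egress = re.search(r"^output-interface: (.*)$", footer, re.M)
    # A nat rule whose pool id has no matching 'global' on the egress interface
    # is the symptom in this thread; point at the global line to check.
    pool = re.search(r"pool (\d+) \(No matching global\)", drop["Config"])
    hint = ""
    if pool and egress:
        hint = f"check for 'global ({egress.group(1)}) {pool.group(1)} ...' on the egress interface"
    return drop["Type"], drop["Config"].splitlines()[0], reason.group(1) if reason else "", hint
```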

Seems you are doing it well, but somehow the firewall is not seeing the global (INSIDE) 1 interface:

nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)

Would you please do a clear xlate and make sure that the global (INSIDE) 1 interface is in the configuration?

Mike

Shibu,

These U-turn xlates may cause issues later on and may become very hard to manage, troubleshoot and maintain. These are hacks that are used to get things working that are not configured as they should be.

My suggestion would be to configure your inside DNS server properly so that it returns the private IP address for the name mail.company.com.

-KS

Dear both,

Thanks for your suggestions.

I tried both options and both are working fine for me, but as a security measure I have adopted the internal DNS method.

Thanks
