ASA 5510 Route Question

goransh_pc
Level 1

Hello all,

Before anything, thank you for reading my question.

ASA Scenario:

Outside interface: 1.1.1.1

Inside interface: 192.168.1.1

I have an email server with internal address: 192.168.1.5

internal domain: domain.internal

Internal DNS record A: email.domain.internal -> 192.168.1.5

External DNS is hosted outside the company.

External DNS record: email.domain.com -> 1.1.1.5

ASA Static (inside,outside)  1.1.1.5 -> 192.168.1.5

Question:

I have some users who use their laptops outside the company, and these users have their email client settings pointing to the external address.

External Email Client:

Email Server Settings: email.domain.com (1.1.1.5)

When they are inside the company, their email client does not work, because all the users inside the company use the settings:

Internal Email Client:

Email Server Settings: email.domain.internal (192.168.1.5)

So I think that when the external users are inside the company, their laptops get an internal IP address (192.168.1.X) and their email client tries to connect to email.domain.com (1.1.1.5). The switch receives the packets and sends them to the gateway (192.168.1.1), it sends them to the external address (1.1.1.1), and it sends them back to the internal address (1.1.1.5 -> 192.168.1.5), and the outside interface cannot access the inside interface.

Is that right?

What can I do to fix this problem?

If I try to access the email web client inside the company through the external address, https://email.domain.com/, I cannot connect, but I can access it with the internal address (email.domain.internal).

I want the external users, when they come into the company (LAN 192.168.1.X), not to have to change their email client configuration to the internal address, and to be able to access the email server through the external address (1.1.1.5) from the inside network. Is it possible to do that?

Thank you so much for all your help.

Accepted Solutions

cadet alain
VIP Alumni

Hi,

just add the dns keyword at the end of your static NAT entry.

Regards.

Alain

Don't forget to rate helpful posts.

Hello Cadet Alain, I did that (added the dns keyword at the end of my static rule):

static (Inside, outside) 1.1.1.5  192.168.1.5 netmask 255.255.255.255 dns

But it is still not working. I try to access the external address from the inside network (https://email.domain.com) and I get the same issue.

Do you have any idea?

Thank you so much

Hi,

use only the external DNS entry and it should work.

Regards.

Alain

Don't forget to rate helpful posts.

Sorry for my reply, I apologize: IT WORKS. Thank you again, Cadet Alain.

I don't know why it didn't work the first time I tried. Then I did some research on Google about the dns keyword and found a tutorial from cisco.com that talks about it, the same thing that you told me.

But there is another way too, with the same-security-traffic permit intra-interface command. I tried this and it works; then I disabled this command and tried again with the dns keyword, and this time it works with the dns keyword.

So I don't know why, but thank you so much for all your help.

I want to post the link for anyone who has the same issue in the future and wants to know more about this. Cisco calls this concept DNS doctoring.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Thank you again cadet alain for your help.
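
What the dns keyword on the static rule does to a DNS reply passing through the ASA, sketched in Python as an added example (not code from the thread or from Cisco; the function names are hypothetical and the reply is a constructed sample). The A record carrying the mapped address 1.1.1.5 is rewritten to the real address 192.168.1.5, so an inside client connects to the server directly:

```python
import ipaddress
import struct

# Static NAT from the thread: mapped (outside) address -> real (inside) address.
STATIC_NAT = {"1.1.1.5": "192.168.1.5"}

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, addr):
    """Constructed sample: a one-question, one-answer DNS reply carrying an A record."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!2H", 1, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rr = struct.pack("!3HIH", 0xC00C, 1, 1, 300, 4)
    return header + question + rr + ipaddress.IPv4Address(addr).packed

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def a_record_offsets(msg):
    """Yield the RDATA offset of every IN A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!2H", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            yield off
        off += rdlen

def addresses(msg):
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))) for o in a_record_offsets(msg)]

def doctor(msg, nat=STATIC_NAT):
    """Rewrite A records that carry a mapped address so they carry the real one."""
    out = bytearray(msg)
    for o in a_record_offsets(msg):
        real = nat.get(str(ipaddress.IPv4Address(bytes(msg[o:o + 4]))))
        if real:
            out[o:o + 4] = ipaddress.IPv4Address(real).packed
    return bytes(out)
```

The rewrite only applies to replies that cross the firewall, so the inside client has to resolve email.domain.com through the external DNS server for it to take effect.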
