11-15-2011 10:12 AM - edited 03-07-2019 03:24 AM
Hello all,
Before anything, thank you for reading my question.
ASA Scenario:
Outside interface: 1.1.1.1
Inside interface: 192.168.1.1
I have an email server with internal address: 192.168.1.5
internal domain: domain.internal
Internal DNS record A: email.domain.internal -> 192.168.1.5
External DNS is hosted outside the company.
External DNS record: email.domain.com -> 1.1.1.5
ASA Static (inside,outside) 1.1.1.5 -> 192.168.1.5
Question:
I have some users that use their laptops outside the company, and these users have their email client with the settings pointing to the external address.
External Email Client:
Email Server Settings: email.domain.com (1.1.1.5)
When they are inside the company their email client does not work, because all the users inside the company use the settings:
Internal Email Client:
Email Server Settings: email.domain.internal (192.168.1.5)
So I think that when the external users are inside the company, their laptops get an internal IP address (192.168.1.X) and their email client tries to connect to email.domain.com (1.1.1.5). The switch receives the packets and sends them to the gateway (192.168.1.1), it sends them to the external address (1.1.1.1) and it sends them back to the internal address (1.1.1.5 -> 192.168.1.5), and the outside interface cannot access the inside interface.
Is that right?
What can I do to fix this problem?
If I try to access the email web client inside the company through the external address, https://email.domain.com/, I cannot connect, but I can access it with the internal address (email.domain.internal).
I want that when the external users come into the company (LAN 192.168.1.X) they do not have to change their email client configuration to the internal address and can get access to the email server through the external address (1.1.1.5) from the inside network. Is it possible to do that?
Thank you so much for all your help.
11-15-2011 10:18 AM
Hi,
just add the dns keyword at the end of your static NAT entry.
Regards.
Alain
11-15-2011 11:18 AM
Hello Cadet Alain, I did that (added the dns keyword at the end of my static rule):
static (Inside, outside) 1.1.1.5 192.168.1.5 netmask 255.255.255.255 dns
But it is still not working. I try to access the external address from the inside network (https://email.domain.com) and I get the same issue.
Do you have any idea?
Thank you so much
11-15-2011 01:45 PM
Hi,
use only the external DNS entry and it should work.
Regards.
Alain
11-15-2011 01:52 PM
Sorry for my reply, I apologize: IT WORKS, thank you again Cadet Alain.
I don't know why it didn't work the first time I tried; then I did some research on Google about the dns keyword and I found a tutorial from cisco.com that talks about it, the same thing that you told me.
But there is another way too, with the same-security-traffic permit intra-interface command. I tried this and it works; then I disabled this command and tried again with the dns keyword, and this time it works with the dns keyword.
So I don't know why, but thank you so much for all your help.
I want to post the link for anyone who has the same issue in the future and wants to know more about this. Cisco calls this concept DNS doctoring.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Thank you again cadet alain for your help.
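The DNS doctoring behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco's implementation: a simplified Python model of how the `dns` keyword on the static rule changes the A record an inside client receives. The `StaticNat` class, function names and the client address 192.168.1.50 are assumptions made for illustration; the other addresses are the ones from the question.

```python
# Simplified model of ASA DNS doctoring (the dns keyword on a static NAT rule).
# Added illustration; names here are hypothetical, not ASA internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class StaticNat:
    real_if: str       # interface where the server really lives
    mapped_if: str     # interface where the mapped address is presented
    mapped_ip: str
    real_ip: str
    dns: bool = False  # True when the static rule ends with "dns"

def doctor_a_record(rules, ingress_if, egress_if, a_record_ip):
    """Return the A-record address the client sees after the DNS reply
    crosses the firewall from ingress_if to egress_if."""
    for r in rules:
        # Only rules carrying the dns keyword rewrite DNS payloads.
        if not r.dns:
            continue
        # Reply travels from the mapped side to the real side:
        # the mapped (public) address is replaced by the real one.
        same_path = (ingress_if.lower(), egress_if.lower()) == (
            r.mapped_if.lower(), r.real_if.lower())
        if same_path and a_record_ip == r.mapped_ip:
            return r.real_ip
    return a_record_ip

def needs_hairpin(client_ip, server_ip, inside_net="192.168.1.0/24"):
    """True when an inside client is pointed at an address outside its own
    subnet, so the traffic would have to enter and leave the inside interface."""
    net = ip_network(inside_net)
    return ip_address(client_ip) in net and ip_address(server_ip) not in net

# static (Inside, outside) 1.1.1.5 192.168.1.5 netmask 255.255.255.255 [dns]
WITHOUT_DNS = StaticNat("Inside", "outside", "1.1.1.5", "192.168.1.5")
WITH_DNS = StaticNat("Inside", "outside", "1.1.1.5", "192.168.1.5", dns=True)
CLIENT = "192.168.1.50"  # constructed inside laptop address

if __name__ == "__main__":
    for label, rule in (("without dns", WITHOUT_DNS), ("with dns", WITH_DNS)):
        answer = doctor_a_record([rule], "outside", "inside", "1.1.1.5")
        print(f"{label}: email.domain.com -> {answer}, "
              f"hairpin needed: {needs_hairpin(CLIENT, answer)}")
```

The rewrite only applies to DNS replies that actually cross the firewall with DNS inspection enabled.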