07-07-2006 08:40 AM - edited 02-21-2020 01:02 AM
We've got an ASA5510 that is blocking outbound mails for certain domains (for other domains there's no problem, and there are no issues with any inbound mails either). The mail server keeps logging this: "The DNS server encountered an invalid domain name in a packet from x.x.96.17. The packet is rejected." The mails for those domains are held in the queues of the mail server, but aren't sent.
We changed the DNSs in the mail server but the problem continues, and we know for sure that the problem is the ASA because we installed the old firewall back and all the mail kept in the queues was immediately sent.
The address x.x.110.210 is the source IP of the outbound traffic from SRV_MAIL_ARRIOLA (which is the main mail server). I wonder if the command "global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240" is OK, or whether the netmask should be 255.255.255.255?
The SMTP inbound traffic for x.x.110.210 goes to SRV_SCM, which is the antispam server, but again, there's no problem with inbound mails.
****************
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.110.213 255.255.255.240
name 192.0.1.199 SRV_SCM
name 192.0.1.200 SRV_MAIL_ARRIOLA
name x.x.110.210 NAT_SRV_MAIL_ARRIOLA
global (OUTSIDE) 1 interface
global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 SRV_MAIL_PARINACO 255.255.255.255
nat (INSIDE) 2 SRV_SCM 255.255.255.255
nat (INSIDE) 2 SRV_MAIL_ARRIOLA 255.255.255.255
nat (INSIDE) 1 192.0.0.0 255.255.255.0
nat (INSIDE) 1 192.0.1.0 255.255.255.0
nat (INSIDE) 1 192.0.2.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA www SRV_MAIL_ARRIOLA www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA https SRV_MAIL_ARRIOLA https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA pop3 SRV_MAIL_ARRIOLA pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA 3389 SRV_MAIL_ARRIOLA 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA smtp SRV_SCM smtp netmask 255.255.255.255
object-group network SRVS_CON_SALIDA
 network-object host SRV_MAIL_PARINACO
 network-object host SRV_SCM
 network-object host SRV_MAIL_ARRIOLA
access-list INSIDE_access_in extended permit tcp object-group SRVS_CON_SALIDA any object-group HTTP-HTTPS-DNS-FTP-SMTP-POP3 log debugging
access-list INSIDE_access_in extended permit udp object-group SRVS_CON_SALIDA any eq domain log debugging
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns dns_map_test
 parameters
  no dns-guard
  no protocol-enforcement
  no nat-rewrite
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
  inspect esmtp
  inspect dns preset_dns_map
service-policy global_policy global
****************
What we suspect is that some default behavior of the service-policy is blocking some DNS queries, or maybe the "inspect esmtp" command is somehow blocking.
The only remarkable logs that I captured are these, but they are from a couple of days ago, and I haven't seen them again.
3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)
3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)
I attached the config. Hope you can help us. Thanks in advance.
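One thing worth checking before touching NAT: the config above applies "inspect dns preset_dns_map", whose "message-length maximum 512" makes the ASA drop any UDP DNS message longer than 512 bytes, and a domain with many MX records (plus glue) can exceed that. The following is an added example, not code from this thread or from Cisco: it builds uncompressed DNS MX replies for a constructed zone (hypothetical names under example.com, addresses from 192.0.2.0/24) and reports whether the reply would fall under that limit.

```python
import struct

# Constructed example: estimate the wire size of a DNS MX reply and compare it
# with the ASA "message-length maximum 512" limit in preset_dns_map.

def encode_name(name):
    """Uncompressed label encoding: "mx1.example.com" -> b"\x03mx1\x07example\x03com\x00"."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=3600):
    """Resource record: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def mx_rdata(preference, exchange):
    return struct.pack("!H", preference) + encode_name(exchange)

def a_rdata(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_mx_response(domain, exchanges, ips, edns=False):
    """Reply to an MX query: one MX answer per exchange, A glue in the additional section."""
    answers = [rr(domain, 15, mx_rdata(10 * (i + 1), ex)) for i, ex in enumerate(exchanges)]
    additional = [rr(ex, 1, a_rdata(ip)) for ex, ip in zip(exchanges, ips)]
    if edns:
        # OPT pseudo-RR (type 41): root name, CLASS field carries the UDP payload size (4096)
        additional.append(b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(domain) + struct.pack("!HH", 15, 1)
    return header + question + b"".join(answers) + b"".join(additional)

def dropped_by_dns_inspect(message, max_len=512):
    """True if a DNS inspection map with 'message-length maximum <max_len>' would drop it."""
    return len(message) > max_len

def sample_reply(mx_count, edns=False):
    """Constructed zone: mx1..mxN.example.com with glue 192.0.2.1..N."""
    exchanges = [f"mx{i}.example.com" for i in range(1, mx_count + 1)]
    ips = [f"192.0.2.{i}" for i in range(1, mx_count + 1)]
    return build_mx_response("example.com", exchanges, ips, edns)

if __name__ == "__main__":
    for n in (3, 8):
        reply = sample_reply(n)
        print(f"{n} MX records: {len(reply)} bytes, dropped={dropped_by_dns_inspect(reply)}")
```

Real replies use name compression and so are somewhat smaller, but the point holds: a reply that fits under 512 bytes for most domains and not for a few matches the "some domains work, some don't" symptom better than a NAT problem would.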
07-08-2006 02:29 AM
Hi .. you need to specify a mask of 255.255.255.255 for your global NAT ... instead of .240
I hope it helps ... please rate if it does !!!!