DNS Issues with Exchange 2000 behind ASA

CarlosEduardo
Level 1

We've got an ASA5510 that is blocking outbound mails for certain domains (for other domains there's no problem, and there are no issues with any inbound mails either). The mail server keeps logging this: "The DNS server encountered an invalid domain name in a packet from x.x.96.17. The packet is rejected." The mails for those domains are held in the queues of the mail server but aren't sent.

We changed the DNSs in the mail server but the problem continues and we know for sure that the problem is the ASA because we installed the old firewall back and all the mail kept in the queues were immediately sent.

The address x.x.110.210 is the source IP of the outbound traffic from SRV_MAIL_ARRIOLA (which is the main mail server). I wonder if the command "global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240" is OK, or whether the netmask should be 255.255.255.255?

The smtp inbound traffic for x.x.110.210 goes to SRV_SCM, which is the antispam server, but again, there's no problem with inbound mails.

****************
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address x.x.110.213 255.255.255.240
name 192.0.1.199 SRV_SCM
name 192.0.1.200 SRV_MAIL_ARRIOLA
name x.x.110.210 NAT_SRV_MAIL_ARRIOLA
global (OUTSIDE) 1 interface
global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 SRV_MAIL_PARINACO 255.255.255.255
nat (INSIDE) 2 SRV_SCM 255.255.255.255
nat (INSIDE) 2 SRV_MAIL_ARRIOLA 255.255.255.255
nat (INSIDE) 1 192.0.0.0 255.255.255.0
nat (INSIDE) 1 192.0.1.0 255.255.255.0
nat (INSIDE) 1 192.0.2.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA www SRV_MAIL_ARRIOLA www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA https SRV_MAIL_ARRIOLA https netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA pop3 SRV_MAIL_ARRIOLA pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA 3389 SRV_MAIL_ARRIOLA 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA smtp SRV_SCM smtp netmask 255.255.255.255
object-group network SRVS_CON_SALIDA
 network-object host SRV_MAIL_PARINACO
 network-object host SRV_SCM
 network-object host SRV_MAIL_ARRIOLA
access-list INSIDE_access_in extended permit tcp object-group SRVS_CON_SALIDA any object-group HTTP-HTTPS-DNS-FTP-SMTP-POP3 log debugging
access-list INSIDE_access_in extended permit udp object-group SRVS_CON_SALIDA any eq domain log debugging
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect dns dns_map_test
 parameters
  no dns-guard
  no protocol-enforcement
  no nat-rewrite
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
  inspect esmtp
  inspect dns preset_dns_map
service-policy global_policy global
****************

What we suspect is that some default behavior of the service-policy is blocking some DNS queries, or maybe the "inspect esmtp" command is somehow blocking.

The only remarkable logs that I captured are these, but they are from a couple of days ago, and I haven't seen them again.

3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)

3|Jul 04 2006|17:17:13|305006|DNS1||regular translation creation failed for icmp src INSIDE:SRV_MAIL_ARRIOLA dst OUTSIDE:DNS1 (type 3, code 3)

I attached the config. Hope you can help us. Thanks in advance.

1 Reply

Fernando_Meza
Level 7

Hi .. you need to specify a mask of 255.255.255.255 for your global NAT ... instead of .240

I hope it helps ... please rate if it does !!!!
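A small checker for the kind of mistake the reply points at: a `global` entry that names a single host address but carries a subnet mask instead of 255.255.255.255. This is an added example, not code from the thread or from Cisco; the excerpt it lints is constructed from the posted config, with the anonymised x.x.110.0 block replaced by the RFC 5737 documentation range 203.0.113.0.

```python
import ipaddress
import re

# Constructed excerpt modelled on the post's configuration (203.0.113.x stands
# in for the anonymised x.x.110.x addresses; everything else is as posted).
ASA_CONFIG = """
interface Ethernet0/0
 nameif OUTSIDE
 ip address 203.0.113.213 255.255.255.240
name 203.0.113.210 NAT_SRV_MAIL_ARRIOLA
global (OUTSIDE) 1 interface
global (OUTSIDE) 2 NAT_SRV_MAIL_ARRIOLA netmask 255.255.255.240
static (INSIDE,OUTSIDE) tcp NAT_SRV_MAIL_ARRIOLA smtp SRV_SCM smtp netmask 255.255.255.255
"""

HOST_MASK = "255.255.255.255"

def parse_names(cfg):
    """Map 'name <ip> <alias>' entries so aliases used elsewhere can be resolved."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)$", cfg, re.M)}

def parse_interfaces(cfg):
    """Return {nameif: network} from each 'interface' block's nameif / ip address lines."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("ip address ") and current:
            ip, mask = s.split()[2:4]
            ifaces[current] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return ifaces

def lint_globals(cfg):
    """Flag 'global' entries that define one host address with a non-host netmask."""
    names, ifaces, findings = parse_names(cfg), parse_interfaces(cfg), []
    pat = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$", re.M)
    for ifname, gid, addr, mask in pat.findall(cfg):
        if addr == "interface" or "-" in addr:
            continue  # interface PAT or an explicit address range: not a single host
        ip = ipaddress.ip_address(names.get(addr, addr))
        if mask and mask != HOST_MASK:
            note = f"global ({ifname}) {gid} {addr}: netmask {mask} on a single host; use {HOST_MASK}"
            net = ifaces.get(ifname)
            if net is not None and ip in net:
                # Show the operator which interface subnet the address belongs to.
                note += f" (address lies inside the {ifname} subnet {net})"
            findings.append(note)
    return findings

if __name__ == "__main__":
    for finding in lint_globals(ASA_CONFIG):
        print(finding)
```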
