09-03-2014 02:55 AM - edited 02-21-2020 05:16 AM
Hello everyone,
I've been struggling with the following issue for days and would very much appreciate your help:
I have an ASA5505 that does NAT for inside hosts for internet access and also forwards some ports from the external interface to an inside server (tcp 25, 80, 143, etc.). I need my inside hosts to be able to access the inside server via its external DNS name (mail.example.com), so we can have a single configuration in our e-mail clients (SMTP server: mail.company.com) that works both from the outside (Internet) and from the internal LAN.
The ASA however discards the packets, packet-tracer shows the following:
---------------------------------------------------------------------------------------------------------------------------------
Note: 82.79.xx.xx is the ASA's external IP address where there is some port forwarding (NAT) done to an internal server (port 143, 25, others)
# packet-tracer input Company_LAN tcp 192.168.9.15 11000 82.79.xx.xx 143 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb343210, priority=1, domain=permit, deny=false
hits=145773, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Company_LAN, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 82.79.xx.xx 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb343890, priority=0, domain=permit, deny=true
hits=1175, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Company_LAN, output_ifc=any
Result:
input-interface: Company_LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
---------------------------------------------------------------------------------------------------------------------------------
I'm pretty sure this is some default ASA behavior or default ACL which I'm not aware of.
Any advice is greatly appreciated !
09-03-2014 03:13 AM
This feature is not available on the ASA. But there are two "native" ways to solve that problem:
09-03-2014 04:17 AM
Thank you for your advice.
There is no internal DNS Server at the moment, clients are configured to access DNS servers provided by the ISP. I have found some documentation on "NAT Hairpinning", is this a solution applicable to ASA software version 8.4(2)? If so, can you please provide one example command?
Edit: perhaps a static NAT to redirect any requests from inside hosts for the ASA's external IP 82.79.xx.xx to the internal server 192.168.9.2?
Thank you,
09-03-2014 05:03 AM
Solved via following set of commands:
!--- Enable Hairpinning
same-security-traffic permit intra-interface
object network Company_Network
 subnet 192.168.9.0 255.255.255.0
object network mail.company.com
 host 82.79.xx.xx
object network Company_Server
 host 192.168.9.2
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static mail.company.com Company_Server
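For context, the following is an added example (not configuration from the original post) showing how the hairpin rule above fits alongside the port-forwarding rules the thread mentions but does not show, plus the checks to run afterwards. The outside interface name `outside`, the per-port object names, the form of the port-forwarding rules and the ACL name `Company_LAN_in` are assumptions; the hairpin objects and NAT line are the ones from the post. The packet-tracer drop in the first post shows `output-interface: NP Identity Ifc`, i.e. with no matching NAT rule the ASA treated a packet to its own outside address as to-the-box traffic, and `use_real_addr` in the same output is the 8.3+ behaviour of evaluating ACLs against real (untranslated) addresses.

```cisco
! Added example, not from the original post. "outside", the per-port
! object names and the ACL name "Company_LAN_in" are assumptions.

! Hairpinned traffic enters and leaves the same interface, which the ASA
! denies by default; this is the switch the thread's solution relies on.
same-security-traffic permit intra-interface

! Port forwarding from the outside interface IP (82.79.xx.xx) to the server
! (assumed form). Object NAT allows one NAT statement per object, so each
! forwarded port gets its own object pointing at the same host.
object network Company_Server_smtp
 host 192.168.9.2
 nat (Company_LAN,outside) static interface service tcp 25 25
object network Company_Server_http
 host 192.168.9.2
 nat (Company_LAN,outside) static interface service tcp 80 80
object network Company_Server_imap
 host 192.168.9.2
 nat (Company_LAN,outside) static interface service tcp 143 143

! Hairpin (twice NAT) rule from the thread. An inside client connecting to
! 82.79.xx.xx is redirected to 192.168.9.2 on the same interface, and its
! source is PATed to the Company_LAN interface address so the server's
! replies return through the ASA rather than going to the client directly
! (a static source translation here would leave the return path asymmetric
! and the TCP handshake would never complete through the firewall).
object network Company_Network
 subnet 192.168.9.0 255.255.255.0
object network mail.company.com
 host 82.79.xx.xx
object network Company_Server
 host 192.168.9.2
nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static mail.company.com Company_Server

! If an ACL is already applied inbound on Company_LAN, it is checked against
! the real destination on 8.3+, so the permit must name the server's inside
! address, not the public IP. Place these ahead of any deny (ACL name assumed).
access-list Company_LAN_in extended permit tcp 192.168.9.0 255.255.255.0 host 192.168.9.2 eq 25
access-list Company_LAN_in extended permit tcp 192.168.9.0 255.255.255.0 host 192.168.9.2 eq 143

! Verification: rerun the trace that produced the acl-drop above. It should
! now show a NAT phase and "Action: allow", and the translation and
! connection should appear in the xlate/conn tables.
packet-tracer input Company_LAN tcp 192.168.9.15 11000 82.79.xx.xx 143 detailed
show nat detail
show xlate
show conn address 192.168.9.2
```

One operational consequence of the `source dynamic ... interface` part is that the mail server sees every hairpinned internal connection as coming from the ASA's Company_LAN address, so per-client logging and any source-IP based rate limiting or allow lists on the server will not see the real workstation IP; the trade-off is that this PAT is exactly what keeps the return traffic on a path through the ASA.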