ASA5505 - Inside hosts accessing ASA's external interface.

cristianpop
Level 1

Hello everyone,

 

I'm struggling with the following issue for days and would very much appreciate your help:

 

I have an ASA5505 that does NAT for inside hosts for internet access and also forwards some ports from the external interface to an inside host server (tcp 25, 80, 143, etc). I need my inside hosts to be able to access the inside server via its external DNS name (mail.example.com), so we can have a single configuration in our e-mail clients (smtp server: mail.company.com) that would work both from the Outside (Internet) and the internal LAN.

 

The ASA however discards the packets, packet-tracer shows the following:

---------------------------------------------------------------------------------------------------------------------------------

Note: 82.79.xx.xx is the ASA's external IP address where there is some port forwarding (NAT) done to an internal server (port 143, 25, others)

 

# packet-tracer input Company_LAN tcp 192.168.9.15 11000 82.79.xx.xx 143 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb343210, priority=1, domain=permit, deny=false
        hits=145773, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Company_LAN, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   82.79.xx.xx    255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb343890, priority=0, domain=permit, deny=true
        hits=1175, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=Company_LAN, output_ifc=any

Result:
input-interface: Company_LAN
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

---------------------------------------------------------------------------------------------------------------------------------

I'm pretty sure this is some default ASA behavior or default ACL which I'm not aware of.

Any advice is greatly appreciated!

 

3 Replies

This feature is not available on the ASA. But there are two "native" ways to solve that problem:

  1. Configure mail.company.com on your internal DNS with the internal IP.
  2. Use DNS-doctoring. For that you add the keyword "dns" to the NAT-statement for your internal server. But that works only with 1:1 NAT and not with port-forwarding.

 

Thank you for your advice. 

 

There is no internal DNS Server at the moment, clients are configured to access DNS servers provided by the ISP. I have found some documentation on "NAT Hairpinning", is this a solution applicable to ASA software version 8.4(2)? If so, can you please provide one example command?

 

Edit: perhaps a static nat to redirect any requests from inside hosts for the ASA's external IP 82.79.xx.xx to internal 192.168.9.2 server?

Thank you,

Solved via the following set of commands:

 

!--- Enable Hairpinning
same-security-traffic permit intra-interface

object network Company_Network
 subnet 192.168.9.0 255.255.255.0

object network mail.company.com
 host 82.79.xx.xx

object network Company_Server
 host 192.168.9.2

 nat (Company_LAN,Company_LAN) source dynamic Company_Network interface destination static mail.company.com Company_Server
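To make clear what the twice-NAT line above does to the flow from the original packet-tracer (and why the "source dynamic ... interface" part is needed, not just the destination translation), here is an added Python model of the rule; it is not Cisco code and assumes the ASA's Company_LAN interface is 192.168.9.1 and uses 82.79.0.1 as a placeholder for the masked public address.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed Python model of the hairpin (twice) NAT rule from the fix above:
#   nat (Company_LAN,Company_LAN) source dynamic Company_Network interface
#       destination static mail.company.com Company_Server
# Assumed values: the ASA's Company_LAN interface is 192.168.9.1 and the
# public address is the placeholder 82.79.0.1 (the thread masks it as 82.79.xx.xx).
COMPANY_NETWORK = ipaddress.ip_network("192.168.9.0/24")
INSIDE_IFACE_IP = "192.168.9.1"   # assumed
PUBLIC_IP = "82.79.0.1"           # placeholder for 82.79.xx.xx
COMPANY_SERVER = "192.168.9.2"

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def hairpin_nat(flow: Flow, ingress: str = "Company_LAN",
                source_pat: bool = True) -> Optional[Flow]:
    """Translate an inside->inside flow aimed at the public address.

    Returns the translated 4-tuple, or None when the rule does not match,
    which is what the original packet-tracer showed: with no matching rule
    the ASA routes its own public address to the identity interface and
    denies the flow. PAT port selection is not modelled (sport is kept).
    """
    src, sport, dst, dport = flow
    if ingress != "Company_LAN" or dst != PUBLIC_IP:
        return None
    if ipaddress.ip_address(src) not in COMPANY_NETWORK:
        return None
    # "destination static mail.company.com Company_Server": public -> server
    # "source dynamic Company_Network interface": client -> ASA interface PAT
    new_src = INSIDE_IFACE_IP if source_pat else src
    return (new_src, sport, COMPANY_SERVER, dport)


def reply_traverses_asa(translated: Flow) -> bool:
    """The server replies to the translated source. If that is the ASA's
    interface, the reply returns through the ASA and is un-translated back
    to the public address the client expected. If it is the client's own
    LAN address, the server answers directly and the client gets a SYN/ACK
    from 192.168.9.2 for a connection it opened to the public IP, so the
    handshake fails: this is why the source PAT part of the rule matters.
    """
    return translated[0] == INSIDE_IFACE_IP
```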
