Mail Server DMZ can't access using FQDN

Hi,

I have a question. My mail server is configured in the DMZ. All inside users can access the email from inside using the IP address
(192.180.1.20), but if the same user tries to access the mail server from inside using the FQDN https://zimbra.mydomain.com they can't access
the server. (This happens with any user in the inside network.)
However, if I try to access https://zimbra.mydomain.com from outside I don't have any problem.

zimbra.mydomain.com resolves to 209.160.170.220; this IP address was provided by my ISP.

When I try to access https://zimbra.mydomain.com from inside, I get the following log errors:

6    Jan 26 2011    17:03:35    305012    192.168.1.84    209.160.170.220     Teardown dynamic UDP translation from inside:192.168.1.84/49387 to outside:209.160.170.220/3764 duration 0:02:30
6    Jan 26 2011    17:03:35    302014    192.168.1.84    209.160.170.220     Teardown TCP connection 321752 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 174 TCP Reset-I
6    Jan 26 2011    17:03:35    302014    192.168.1.84    209.160.170.220     Teardown TCP connection 321751 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 0 TCP Reset-I
6    Jan 26 2011    17:03:35    302013    192.168.1.84    209.160.170.220     Built inbound TCP connection 321751 for inside:192.168.1.84/50850 (192.168.1.84/50850) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
6    Jan 26 2011    17:03:35    302014    192.168.1.84    209.160.170.220     Teardown TCP connection 321750 for inside:192.168.1.84/50848 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 350 TCP Reset-I
6    Jan 26 2011    17:03:35    302013    192.168.1.84    209.160.170.220     Built inbound TCP connection 321750 for inside:192.168.1.84/50848 (192.168.1.84/50848) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
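As an added example (not part of the thread), a small Python detector that parses ASA 302013/302014 syslog lines like the ones above and flags inside hosts whose TCP connection terminated on the firewall's own address ("NP Identity Ifc") instead of reaching the DMZ server, which is the symptom of an undoctored DNS answer. The sample lines are constructed from the post's log; the interface names "inside" and "NP Identity Ifc" are taken from it, and the final outbound line is invented for contrast.

```python
import re

# Constructed sample based on the 302013/302014 syslog lines quoted in the
# post; the final line is a constructed ordinary outbound flow for contrast.
SAMPLE_LOGS = """\
%ASA-6-302014: Teardown TCP connection 321752 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 174 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 321751 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 321751 for inside:192.168.1.84/50850 (192.168.1.84/50850) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
%ASA-6-302014: Teardown TCP connection 321750 for inside:192.168.1.84/50848 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 350 TCP Reset-I
%ASA-6-302013: Built inbound TCP connection 321750 for inside:192.168.1.84/50848 (192.168.1.84/50848) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
%ASA-6-302013: Built outbound TCP connection 321760 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.84/50900 (209.160.170.220/3800)
"""

# 302013 (connection built). Interface names can contain spaces
# ("NP Identity Ifc"), so interface groups are lazy and address groups strict.
BUILT_RE = re.compile(
    r"302013: Built (?:inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<a_if>.+?):(?P<a_ip>[\d.]+)/\d+ \(.*?\) "
    r"to (?P<b_if>.+?):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \(.*?\)"
)
# 302014 (connection torn down): keep the byte count and the teardown reason.
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .+? to .+? "
    r"duration \S+ bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)

def find_hairpins(log_text, inside_if="inside", identity_if="NP Identity Ifc"):
    """Return one record per inside-host TCP connection that landed on the
    ASA's own address (identity interface) rather than the DMZ server, joined
    with its teardown record by connection ID. Tiny byte counts plus
    TCP Reset-I across many such records point at an undoctored DNS answer."""
    teardowns = {}
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            teardowns[m["id"]] = (int(m["bytes"]), m["reason"] or "")
    hits = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or m["a_if"] != inside_if or m["b_if"] != identity_if:
            continue  # not an inside host hitting the firewall's own IP
        byte_count, reason = teardowns.get(m["id"], (None, "no teardown seen"))
        hits.append({"conn_id": m["id"], "client": m["a_ip"],
                     "public_ip": m["b_ip"], "port": int(m["b_port"]),
                     "bytes": byte_count, "reason": reason})
    return hits

if __name__ == "__main__":
    for h in find_hairpins(SAMPLE_LOGS):
        print(f"conn {h['conn_id']}: {h['client']} -> {h['public_ip']}:{h['port']}"
              f" bytes={h['bytes']} ({h['reason']})")
```

Once the static (dmz,inside) translation or DNS doctoring is in place, the same inside clients should stop appearing in this output because their connections are built towards the dmz interface instead.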

Yudong Wu

You need to enable DNS doctoring so that the FW can change the public IP to the private IP in the DNS response.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807968c8.shtml

Hi Yudong Wu, I applied the solution described in the Cisco Document ID: 72273, "PIX/ASA: Perform DNS Doctoring with the static
Command and Three NAT Interfaces Configuration Example". I checked the option "Translate the DNS replies that match the translation rule",

and I still can't access my mail server using the server name. Just one note: I am using PAT (port address translation) on the outside.

Thanks for starting a new thread.

DNS doctoring does not support static PAT.

You need static (dmz,inside) 209.160.170.220 192.180.1.20

which is called destination NAT.

-KS


Thank you very much, the problem is solved. I now have my mail server up and running.

Glad to hear that the D-NAT is working as expected.

Thanks for marking the thread solved. Pls. make sure to rate the solution as well.

You may have forgotten to do that on the previous thread as well.

https://supportforums.cisco.com/message/3277834#3277834

-KS