01-26-2011 11:18 AM - edited 03-11-2019 12:40 PM
Hi,
I have a question: my mail server is configured in the DMZ. All inside users can access the email from inside using the IP address
(192.180.1.20), but if the same user tries to access the mail server from inside using the FQDN Https://zimbra.mydomain.com they can't access
the server. (This happens with any user in the inside network.)
However, if I try to access Https://zimbra.mydomain.com from outside I don't have any problem.
zimbra.mydomain.com resolves to (209.160.170.220); this IP address was provided by my ISP.
When I try to access Https://zimbra.mydomain.com from inside I get the following log errors:
6 Jan 26 2011 17:03:35 305012 192.168.1.84 209.160.170.220 Teardown dynamic UDP translation from inside:192.168.1.84/49387 to outside:209.160.170.220/3764 duration 0:02:30
6 Jan 26 2011 17:03:35 302014 192.168.1.84 209.160.170.220 Teardown TCP connection 321752 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 174 TCP Reset-I
6 Jan 26 2011 17:03:35 302014 192.168.1.84 209.160.170.220 Teardown TCP connection 321751 for inside:192.168.1.84/50850 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 0 TCP Reset-I
6 Jan 26 2011 17:03:35 302013 192.168.1.84 209.160.170.220 Built inbound TCP connection 321751 for inside:192.168.1.84/50850 (192.168.1.84/50850) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
6 Jan 26 2011 17:03:35 302014 192.168.1.84 209.160.170.220 Teardown TCP connection 321750 for inside:192.168.1.84/50848 to NP Identity Ifc:209.160.170.220/443 duration 0:00:00 bytes 350 TCP Reset-I
6 Jan 26 2011 17:03:35 302013 192.168.1.84 209.160.170.220 Built inbound TCP connection 321750 for inside:192.168.1.84/50848 (192.168.1.84/50848) to NP Identity Ifc:209.160.170.220/443 (209.160.170.220/443)
01-26-2011 11:25 AM
You need to enable DNS doctoring so that the FW can change the public IP to the private IP in the DNS response.
01-27-2011 10:27 AM
Hi Yudong Wu, I applied the solution described in the Cisco Document ID: 72273, "PIX/ASA: Perform DNS Doctoring with the static
Command and Three NAT Interfaces Configuration Example". I checked the option "Translate the DNS replies that match the translation rule",
and I still can't access my mail server using the server name. Just one note: I am using PAT (port address translation) on the outside.
01-27-2011 11:07 AM
Thanks for starting a new thread.
DNS doctoring does not support static PAT.
You need static (dmz,inside) 209.160.170.220 192.180.1.20
which is what is called destination NAT.
-KS
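To make the accepted answer concrete, here is an added model (example code, not the thread's configuration and not Cisco's implementation) of the two lookups being discussed: DNS doctoring, which only rewrites an A record when the matching static is a whole-address translation with the dns keyword, and destination NAT via a static (dmz,inside) entry, which translates an inside client's destination from the public address to the DMZ server without touching DNS at all. The StaticNat class, its cli() rendering of the classic syntax, and the simulate_client helper are this example's own; it assumes the mail server was published with static PAT for port 443 on the outside (as the question states) and that 209.160.170.220 is also the ASA's outside interface address (an assumption, consistent with the "NP Identity Ifc" lines in the logs).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticNat:
    """One pre-8.3 style 'static (real_ifc,mapped_ifc) ...' entry (example model)."""
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    port: Optional[int] = None   # set -> static PAT (one port); None -> whole-address static
    dns: bool = False            # 'dns' keyword: rewrite matching A records in DNS replies

    def cli(self):
        # Display-only approximation of the classic command syntax.
        body = (f"tcp {self.mapped_ip} {self.port} {self.real_ip} {self.port}"
                if self.port else f"{self.mapped_ip} {self.real_ip}")
        return f"static ({self.real_ifc},{self.mapped_ifc}) {body}" + (" dns" if self.dns else "")


# Assumed starting point: mail server published on the outside with static PAT
# for 443 and the dns keyword (the question says PAT is used on the outside).
STATIC_PAT_OUTSIDE = StaticNat("dmz", "outside", "209.160.170.220", "192.180.1.20", port=443, dns=True)
# The entry recommended in the accepted answer.
DNAT_INSIDE = StaticNat("dmz", "inside", "209.160.170.220", "192.180.1.20")
# Assumption: the public address is also the ASA's own outside interface address.
INTERFACE_IPS = {"outside": "209.160.170.220"}


def dns_doctor(answer_ip, rules):
    """Rewrite an A record only for a whole-address static carrying the dns keyword.
    A static PAT entry (port set) never qualifies, which is the point of the answer."""
    for r in rules:
        if r.dns and r.port is None and r.mapped_ip == answer_ip:
            return r.real_ip
    return answer_ip


def translate_destination(ingress_ifc, dst_ip, dst_port, rules):
    """Destination NAT: a packet arriving on the rule's mapped interface for the
    mapped address (and port, for static PAT) is sent to the real host."""
    for r in rules:
        if r.mapped_ifc == ingress_ifc and r.mapped_ip == dst_ip and r.port in (None, dst_port):
            return r.real_ifc, r.real_ip
    return None


def simulate_client(client_ifc, dns_answer, dst_port, rules, interface_ips):
    """Where does a client on client_ifc end up after resolving the name and connecting?"""
    ip = dns_doctor(dns_answer, rules)            # DNS reply crossing the ASA
    hit = translate_destination(client_ifc, ip, dst_port, rules)
    if hit:
        return {"resolved": ip, "egress": hit[0], "server": hit[1]}
    if ip in interface_ips.values():              # untranslated flow to the ASA itself
        return {"resolved": ip, "egress": None, "server": "firewall itself"}
    return {"resolved": ip, "egress": "routed", "server": ip}


if __name__ == "__main__":
    for label, rules in (("static PAT only", [STATIC_PAT_OUTSIDE]),
                         ("static PAT + destination NAT", [STATIC_PAT_OUTSIDE, DNAT_INSIDE])):
        print(label, "->", [r.cli() for r in rules])
        print("  inside client :", simulate_client("inside", "209.160.170.220", 443, rules, INTERFACE_IPS))
        print("  outside client:", simulate_client("outside", "209.160.170.220", 443, rules, INTERFACE_IPS))
```

With only the static PAT, the inside client's lookup is left at the public address and the connection lands on the firewall itself, which is the behaviour the question's logs show; adding the (dmz,inside) static redirects that same destination to 192.180.1.20 on the DMZ, while outside clients continue to use the static PAT.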
01-28-2011 06:28 AM
Thank you very much, the problem is solved. I now have my mail server
up and running.
01-28-2011 06:49 AM
Glad to hear that the D-NAT is working as expected.
Thanks for marking the thread solved. Please make sure to rate the solution as well.
You may have forgotten to do that on the previous thread as well.
https://supportforums.cisco.com/message/3277834#3277834
-KS