Unable to access NAT address from inside

donnykoh79
Level 1

Hi,

I have some mobile users who have their email client configured with the public IP address of the email server, but when they are in the office they are unable to reach the email server.

ASA is running on version 8.3.1

I have configured the following:

object network obj_10.0.0.1
 host 10.0.0.1
 nat (inside,outside) static 123.123.123.123

Also an ACL to permit the required ports for the servers.

Scenario
=======

- Inside user has no problem receiving their email using the private IP of the server

- Users outside can also login to the web service of the email server

- Users with NAT public IP configured on their laptop are unable to receive email in the inside network

Is there anything else that I need to configure as well? I have set the next hop on the client as the ASA.

Hope you guys can help. Thanks.

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Does the server public IP address have a DNS name associated with it?

And if yes, do your LAN users use a public DNS server?

If the above things are true, you can change the above Static NAT to include a "dns" parameter:

object network obj_10.0.0.1
 host 10.0.0.1
 nat (inside,outside) static 123.123.123.123 dns

So provided that the following are true

  • Public IP address of server has associated DNS name
  • ASA can see the users' DNS queries (in other words, LAN users use a public DNS server)

Then after the above addition to the Static NAT configuration, the ASA should modify the DNS replies automatically before they reach the LAN hosts. Therefore, even if they connect using the DNS name, they would end up using the private IP address to connect because the ASA modifies the reply.

On the other hand, if you use a LAN DNS server then this won't help you and you will perhaps have to do changes on the local DNS server.

- Jouni
