10-17-2010 06:16 AM - edited 03-11-2019 11:55 AM
Dear All,
We are unable to access webmail from inside IPs using https://mail.companyname, but we can access the same thing from the outside internet.
We use an IP from our pool of public IPs for PAT as well as for this webmail NATing.
Is there any way we can access webmail from inside IPs?
We have ASA 8.2(1).
Thanks
10-17-2010 11:36 AM
Shibu,
These U-turn x-lates may cause issues later on and may become very hard to manage, troubleshoot and maintain. These are hacks that are used to get things working that are not configured as they should be.
My suggestion would be to configure your inside DNS server properly so that it returns the private IP address for the name mail.company.com.
-KS
10-17-2010 06:26 AM
Shibu,
When you ping mail.companyname from the inside hosts, what do you get? The inside IP of webmail or the outside IP of webmail?
Where is your DNS server?
Is this an internal DNS server?
Why doesn't it resolve to the inside IP of webmail?
On the browser, issue http://inside_ip_address/exchange and see if it loads (I am assuming it is Exchange).
If it does, then please change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company.
-KS
10-17-2010 08:24 AM
Dear Kusankar,
Thanks for the reply.
Please find my answers.
When you ping mail.companyname from the inside hosts, what do you get? The inside IP of webmail or the outside IP of webmail?
I get the outside IP of webmail when I ping mail.company.net.
Where is your DNS server?
In the PCs we have a local server as DNS server. In the DNS server we have given our ISP DNS servers' IPs in the forwarder list.
Is this an internal DNS server?
In the PCs we have a local server as DNS server. In the DNS server we have given our ISP DNS servers' IPs in the forwarder list.
Why doesn't it resolve to the inside IP of webmail?
On the browser, issue http://inside_ip_address/exchange and see if it loads (I am assuming it is Exchange).
If it does, then please change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company.
How do I do this DNS handout?
Please find below some partial configuration of my ASA.
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.186 255.255.255.252
!
interface Ethernet0/1
 nameif BACKUP
 security-level 0
 ip address *.202 255.255.255.248
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.10.10.10 255.255.255.0
access-list outside_access_in extended permit tcp any host 94.200.* eq https
global (outside) 1 interface
global (outside) 3 94.*
global (BROADCAST) 2 10.20.2.11-10.20.2.15 netmask 255.255.255.0
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 2 access-list INSIDE_BROADCAST
nat (INSIDE) 3 access-list ROUTE_ADSL
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,outside) 94.* CASServer2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 94.* 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 94.* 254
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
  inspect esmtp
 class class-default
  flow-export event-type all destination 10.10.2.16 10.10.2.26
policy-map my-ips-policy
 class my-ips-class
  ips inline fail-open
Thanks
10-17-2010 09:04 AM
Who manages your inside DNS server? Is this a Microsoft DNS server? It needs to be done there.
Create a zone file for your domain and add "A" records for all the sites that you host, like:
ftp.mycompany.com
mail.mycompany.com
www.mycompany.com
Make sure mail.mycompany.com points to 10.10.10.x.
-KS
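The advice above (an internal zone whose A records hand inside clients the private address) can be checked mechanically against the firewall's statics. The following is an added example, not code from the thread or from Cisco: it parses one-to-one "static (INSIDE,outside)" lines plus ASA `name` objects, parses a minimal zone-file fragment, and reports every published name that inside clients would still be sent to the public address for. The config lines, zone text and public answers are constructed placeholders; 203.0.113.0/24 stands in for the thread's masked 94.* block and 10.10.10.25 for CASServer2.

```python
"""Cross-check an internal DNS zone against the firewall's static NATs.

Added example, not from the thread. For every public name that resolves to an
address published by a "static (INSIDE,outside)" line, the internal zone must
hand out the static's real (inside) address, or inside clients keep hitting
the public address through the forwarder. All sample data is constructed.
"""
import ipaddress
import re

NAME_RE = re.compile(r"^name (\S+) (\S+)", re.M)          # name <ip> <alias>
STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255", re.M)
A_RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)", re.M)


def parse_statics(asa_config):
    """Return {mapped_public_ip: real_inside_ip} from one-to-one static lines."""
    names = {alias: ip for ip, alias in NAME_RE.findall(asa_config)}
    statics = {}
    for _real_if, mapped_if, mapped, real in STATIC_RE.findall(asa_config):
        if mapped_if != "outside":
            continue   # only translations visible from the internet matter here
        statics[names.get(mapped, mapped)] = names.get(real, real)
    return statics


def parse_zone(zone_text, origin):
    """Return {fqdn: ip} for the A records in a minimal zone-file fragment."""
    records = {}
    for name, ip in A_RECORD_RE.findall(zone_text):
        fqdn = name if name.endswith(".") else f"{name}.{origin}."
        records[fqdn.rstrip(".")] = ip
    return records


def check_split_dns(statics, public_answers, internal_records):
    """Return [(fqdn, problem)] for names inside clients would still send to the public address."""
    findings = []
    for fqdn, public_ip in sorted(public_answers.items()):
        real_ip = statics.get(public_ip)
        if real_ip is None:
            continue   # not one of our published servers
        internal_ip = internal_records.get(fqdn)
        if internal_ip is None:
            findings.append((fqdn, "no internal A record, forwarder will return the public address"))
        elif internal_ip == public_ip:
            findings.append((fqdn, "internal A record still points at the public address"))
        elif internal_ip != real_ip or not ipaddress.ip_address(internal_ip).is_private:
            findings.append((fqdn, f"internal A record {internal_ip} is not the static's real address {real_ip}"))
    return findings


# Constructed sample data standing in for the thread's configuration.
ASA_CONFIG = """\
name 10.10.10.25 CASServer2
static (INSIDE,outside) 203.0.113.190 CASServer2 netmask 255.255.255.255
static (INSIDE,outside) 203.0.113.191 10.10.10.30 netmask 255.255.255.255
static (INSIDE,outside) 203.0.113.192 10.10.10.31 netmask 255.255.255.255
"""
PUBLIC_ANSWERS = {"mail.mycompany.com": "203.0.113.190",   # what the ISP forwarders return
                  "www.mycompany.com": "203.0.113.191",
                  "ftp.mycompany.com": "203.0.113.192"}
INTERNAL_ZONE = """\
$ORIGIN mycompany.com.
mail   IN A 10.10.10.25
ftp    IN A 203.0.113.192
"""


def run_check():
    statics = parse_statics(ASA_CONFIG)
    internal = parse_zone(INTERNAL_ZONE, "mycompany.com")
    return check_split_dns(statics, PUBLIC_ANSWERS, internal)


if __name__ == "__main__":
    for fqdn, problem in run_check():
        print(f"{fqdn}: {problem}")
```

On the constructed data the check reports ftp (internal record copied from the public one) and www (no internal record at all), while mail is correct; the same logic applied to a real zone export and a real `show running-config` tells you which names still depend on a hairpin through the firewall.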
10-17-2010 09:19 AM
Hello Shibu,
I hope you are doing great; this is a very common issue. You can use one of the following options:
1. Create a U-turn config. Say that the static for your server is
static (inside,outside)
You can add another one like this:
static (inside,inside)
global (inside) 1 interface
same-security-traffic permit intra-interface
2. Change the IP address on the DNS server, so that the domain name for your webmail, instead of resolving to the public address, resolves to the private one. That will remain local.
Either of those options can work for you. If you have any questions regarding any of these options let us know; we will be more than glad to help you.
Mike
10-17-2010 10:17 AM
Dear both,
Thanks again for your kind help.
I tried the suggested first option but still I am unable to access webmail from inside:
static (INSIDE,outside) 94.*.*. CASServer2 netmask 255.255.255.255
static (INSIDE,INSIDE) 94.*.*. CASServer2 netmask 255.255.255.255
global (inside) 1 interface
same-security-traffic permit intra-interface
Please help further to sort out this issue.
Thanks in advance
10-17-2010 10:25 AM
Hello Shibu,
Would you please paste the output of the following command?
packet-tracer input inside tcp 10.10.10.12 1025
Thanks!
Mike
10-17-2010 10:51 AM
Dear,
Please find below the trace:
ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.X 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.*.* CASServer2 netmask 255.255.255.255
  match ip INSIDE host CASServer2 INSIDE any
    static translation to 94.*.*
    translate_hits = 0, untranslate_hits = 365
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 161, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510-1#
10-17-2010 10:56 AM
Latest trace:
========
ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.* 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.* CASServer2 netmask 255.255.255.255
  match ip INSIDE host CASServer2 INSIDE any
    static translation to 94.*
    translate_hits = 0, untranslate_hits = 420
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
  match ip INSIDE any INSIDE any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 194, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510-1#
10-17-2010 10:59 AM
Seems you are doing it well; somehow the firewall is not seeing the global (INSIDE) 1 interface:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
match ip INSIDE any INSIDE any
dynamic translation to pool 1 (No matching global)
Would you please do a clear xlate and make sure that the global (INSIDE) 1 interface is in the configuration?
Mike
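The drop in Phase 8 above ("dynamic translation to pool 1 (No matching global)") comes from how ASA 8.2 pairs a `nat (ingress) id` rule with a `global (egress) id` entry after UN-NAT has diverted the flow back to INSIDE. The following is an added example, not Cisco code and not the thread's own configuration: a small model of that order of operations, limited to what the trace shows (UN-NAT by a static, the intra-interface check, then the nat/global pairing). nat 0 (identity) and policy NAT are left out on purpose. All addresses are constructed stand-ins: 203.0.113.0/24 replaces the masked 94.* block, 203.0.113.186 the outside interface and 10.10.10.25 the CASServer2 object; the interface name INSIDE, pool id 1 and the 10.10.7.20 test host are taken from the thread.

```python
"""Toy model of ASA 8.2 (NAT-control era) translation selection for a hairpin flow.

Added example written to explain the packet-tracer drop in this thread. It is not
Cisco's implementation: only UN-NAT by a static, the intra-interface check and the
nat/global pairing are modelled. Every address below is a constructed placeholder.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Static:
    real_if: str     # first interface of "static (real,mapped)"
    mapped_if: str   # second interface
    mapped_ip: str   # address the server is known by on mapped_if
    real_ip: str     # the server's own address


@dataclass
class Asa:
    intra_interface: bool = False                      # same-security-traffic permit intra-interface
    interface_ip: dict = field(default_factory=dict)   # {ifname: interface address}
    statics: list = field(default_factory=list)
    nat_rules: dict = field(default_factory=dict)      # {(ingress_if, pool_id): source network}
    globals_: dict = field(default_factory=dict)       # {(egress_if, pool_id): "interface" or an ip}


def trace(asa, ingress, src, dst):
    """Return a dict describing what the modelled firewall does with one packet."""
    phases = []
    egress, real_dst = None, dst
    # UN-NAT: a static whose mapped interface is the ingress and whose mapped IP is the destination
    for s in asa.statics:
        if s.mapped_if == ingress and s.mapped_ip == dst:
            egress, real_dst = s.real_if, s.real_ip
            phases.append(f"UN-NAT: static ({s.real_if},{s.mapped_if}) {s.mapped_ip} -> {s.real_ip}, divert to egress {egress}")
            break
    if egress is None:
        egress = "outside"   # model assumption: anything else follows the default route
        phases.append("UN-NAT: no static matched, egress outside by route")
    # Hairpin: leaving on the interface we arrived on needs intra-interface traffic permitted
    if egress == ingress and not asa.intra_interface:
        return {"action": "drop", "reason": "intra-interface traffic not permitted", "phases": phases}
    # NAT: the nat rule on the ingress interface must pair with a global on the egress interface
    src_ip = ipaddress.ip_address(src)
    for (nat_if, pool_id), net in sorted(asa.nat_rules.items()):
        if nat_if != ingress or src_ip not in net:
            continue
        mapped = asa.globals_.get((egress, pool_id))
        if mapped is None:
            phases.append(f"NAT: nat ({nat_if}) {pool_id} matched, dynamic translation to pool {pool_id} (No matching global)")
            return {"action": "drop", "reason": "No matching global", "phases": phases}
        mapped_src = asa.interface_ip[egress] if mapped == "interface" else mapped
        phases.append(f"NAT: nat ({nat_if}) {pool_id} with global ({egress}) {pool_id}, source {src} -> {mapped_src}")
        return {"action": "allow", "egress": egress, "src": mapped_src, "dst": real_dst, "phases": phases}
    return {"action": "drop", "reason": "no nat rule for source", "phases": phases}


def thread_scenario(with_inside_global, intra_interface=True):
    """Constructed approximation of the thread's config after the U-turn static was added."""
    asa = Asa(intra_interface=intra_interface,
              interface_ip={"outside": "203.0.113.186", "INSIDE": "10.10.10.10"})
    asa.statics = [Static("INSIDE", "outside", "203.0.113.190", "10.10.10.25"),
                   Static("INSIDE", "INSIDE", "203.0.113.190", "10.10.10.25")]
    asa.nat_rules[("INSIDE", 1)] = ipaddress.ip_network("0.0.0.0/0")   # nat (INSIDE) 1 0.0.0.0 0.0.0.0
    asa.globals_[("outside", 1)] = "interface"                         # global (outside) 1 interface
    if with_inside_global:
        asa.globals_[("INSIDE", 1)] = "interface"                      # global (INSIDE) 1 interface
    return asa


if __name__ == "__main__":
    for with_global in (False, True):
        result = trace(thread_scenario(with_global), "INSIDE", "10.10.7.20", "203.0.113.190")
        print(f"global (INSIDE) 1 present={with_global}: {result['action']} {result.get('reason', '')}")
        for line in result["phases"]:
            print("  ", line)
```

Running it reproduces the two states of the thread: without `global (INSIDE) 1 interface` the hairpin flow matches `nat (INSIDE) 1` and drops with "No matching global"; with it, the source is translated to the INSIDE interface address and the destination is untranslated to the server's inside address, so the server's reply returns through the firewall rather than straight to the client. That PAT to the interface address is also why the server's logs then show every internal user as the firewall, one of the manageability costs KS raises.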
11-18-2010 02:26 PM
Dear both,
Thanks for your suggestions.
I tried both options and both are working fine for me. But as a security measure I have adopted the internal DNS method.
Thanks