03-07-2011 12:22 PM - edited 03-04-2019 11:40 AM
I am currently trying to resolve a routing issue with my Cisco ASA 5505. I need to be able to give the inside interface access to the outside interface, so that port forwarding rules work the same on the inside as they do on the outside. Our mail server is port forwarded from the outside interface of the ASA, so that inbound email flows correctly. However, if someone is on the inside interface, and attempting to connect to the outside interface, they get blocked. How do I set this up? The actual issue is related to an iPhone. The iPhone is configured to connect to our mail server through the domain name that resolves to the outside interface of the ASA. However, when the iPhone user is switched over to use the local wifi service (residing on the inside ASA interface), he cannot connect to email. Any suggestions? Hope this was not too confusing.
03-07-2011 12:37 PM
Have you tried a DNS host A record to your Exchange server internally?
Let's say your internal email domain is motor.local and the domain name you set up for your email on the outside is email.motor.com.
email.motor.com = 67.40.50.100
internal email server = 192.168.1.100
Create a forward lookup zone in DNS called motor.com
Create a DNS host A record in motor.com
Host A -> email.motor.com = 192.168.1.100
When the iPhone is on the internet connection it will resolve the IP to the outside interface of your ASA, and when it's on your wireless network it will resolve to your internal mail server.
03-07-2011 01:50 PM
Unfortunately, I can't do this. The external name is not the same as the domain that internal DNS handles. For example, the outside DNS is mail.server.com, whereas the inside domain is mail.server123.local.
03-07-2011 02:09 PM
Maybe I didn't explain that well. This is exactly when you would use it.
"mail.server.com, whereas the inside domain is mail.server123.local."
So forward lookup zone in DNS called server.com
Host A record in that forward lookup zone - "email server internal ip address" -> "mail.server.com"
Now if you do an nslookup on mail.server.com inside your network you get the internal IP of your mail server. If you do it from the Internet you get the outside IP address.
03-07-2011 12:38 PM
Hi,
You must use dns doctoring: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
Regards.
Alain.
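Added illustration, not code from this thread or from Cisco's configuration example: a Python model of what DNS doctoring does to a DNS reply. The ASA, when the static NAT for the mail server carries the `dns` keyword, rewrites the A record in a reply crossing from outside to inside so that it carries the server's real inside address, which is the same end result the split-DNS zone suggested above achieves without touching packets. The addresses are the sample values from the thread; the packet is constructed inline.

```python
import struct

# Sample values from the thread: public address on the ASA outside interface, inside address.
MAPPED_IP, REAL_IP = "67.40.50.100", "192.168.1.100"

def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_a_response(name, ip, txid=0x1234, ttl=300):
    """Minimal DNS reply: one question, one A record whose owner is a pointer to offset 12."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 q, 1 ans
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + _ip_bytes(ip)
    return header + question + answer

def _skip_name(pkt, off):
    """Offset just past a label sequence or a 2-byte compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def _answer_offsets(pkt):
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rdlen
        off += rdlen

def a_records(pkt):
    """Dotted-quad addresses of all A records in the answer section."""
    return [".".join(str(b) for b in pkt[off:off + 4])
            for off, rtype, rdlen in _answer_offsets(pkt) if rtype == 1 and rdlen == 4]

def doctor_response(pkt, mapped_ip=MAPPED_IP, real_ip=REAL_IP):
    """Rewrite A records holding the mapped (public) address to the real (inside)
    address: the ASA 'static ... dns' behaviour on replies entering the inside."""
    out = bytearray(pkt)
    for off, rtype, rdlen in _answer_offsets(pkt):
        if rtype == 1 and rdlen == 4 and pkt[off:off + 4] == _ip_bytes(mapped_ip):
            out[off:off + 4] = _ip_bytes(real_ip)
    return bytes(out)
```

Only the rdata changes; the reply keeps its length, transaction ID and question, which is why the inside client then connects straight to the inside address instead of hairpinning to the outside interface.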