[c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?

Howard Leadmon howard at leadmon.net
Wed Aug 12 02:47:16 EDT 2009


 

OK, I am sure this is just something I haven't run into before, but I just
set up an ASA5520, and overall it's doing well, except this one gotcha.

We are using it in routed/NAT mode, but some internal servers need to be on
their own external IPs as well, as we have multiple DNS, mail, and other
servers in the network. I have the external IPs on the firewall, mapped
to the specific internal servers, and all is well. Also my TCP mappings
all seem to be fine, but when I try and put in a translation for UDP on port
53 it has a cow.

ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy

So needless to say the outside DNS queries to that server are NOT working.

Here is some of my config, hopefully I don't need to post it all as it's
quite extensive (with multiple VPNs and so on), so I will try and post what
I think are the relevant parts.

 

name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain

nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0

static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask 255.255.255.255

 

 

NOTE: The TCP static translations above work just fine, but if I try and
put in a UDP translation as well like this:

static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255

The ASA throws a bitch and kicks out an "ERROR: unable to reserve port 53 for
static PAT" error. Of course without UDP on port 53 working, DNS lookups
from that machine to the outside world are dead.

What am I missing here?? I know if I didn't have it on its own specific
external IP, then I could put in the UDP rule (as I have some in for servers
that don't need their own), but if I pull that, then I don't have the server
on its own IP, and then mail/SMTP service becomes an issue as some sites
reject unreachable mail servers.

So I guess the million dollar question is, how can I have the MAIL1 server
on its own specific outside IP address, and also have it responding to UDP
DNS queries?

I am sure I am missing something silly here, and this is running "Cisco
Adaptive Security Appliance Software Version 8.2(1)" software, so it is
current. Any input on how to resolve this would be most appreciated.

 

 

---

Howard Leadmon - howard at leadmon.net

 


