[c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?

Chris Jones CJones at enterprisedata.com.au
Wed Aug 12 03:32:45 EDT 2009


Hi Howard,

What about doing something like:

  static (LAN,Internet) MAIL1-Outside MAIL1-Inside netmask 255.255.255.255

Then using the ACL on the outside interface to control the access.  With that, you wouldn't need an individual mapping for each port - only to open it in the ACL.

Regards,

Chris
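For reference, here is what that suggestion looks like as a complete set of ASA 8.2 lines. This is an added illustration, not configuration from either poster: it reuses the names, object-group and ACL name from Howard's quoted config below, and assumes the interface names LAN/Internet, that the `nat (LAN) 102` / `global (Internet) 102` pair for MAIL1 is removed (the one-to-one static covers that host's outbound traffic, since on 8.2 static entries are matched before nat/global pairs), and that the ACL is bound inbound on Internet. The packet-tracer source address is constructed and the destination is a placeholder for the real outside address.

```cisco
! One-to-one static translation: every port of MAIL1-Outside maps to
! MAIL1-Inside, so no per-port "static ... tcp/udp" entries are needed.
! Assumed: the "nat (LAN) 102" and "global (Internet) 102" lines for
! MAIL1 are removed, because this static already translates its outbound
! traffic and an address should not serve both roles.
static (LAN,Internet) MAIL1-Outside MAIL1-Inside netmask 255.255.255.255

! With a full static, the interface ACL is the only thing limiting what is
! reachable from outside. Permit just the services MAIL1 must offer
! (DNS over TCP and UDP via the existing object-group, plus SMTP); the
! ACL's implicit deny drops everything else to this address.
access-list Internet_access_in remark DNS and SMTP on MAIL1 only
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain
access-list Internet_access_in extended permit tcp any host MAIL1-Outside eq smtp
access-group Internet_access_in in interface Internet

! Verification (run from enable mode, not part of the config):
! - confirm the static is installed
!     show xlate
! - confirm the ACL bindings and hit counts
!     show access-list Internet_access_in
! - walk an inbound UDP/53 packet through NAT and the ACL
!   (198.51.100.10 is a constructed example source; replace the
!   destination placeholder with the real MAIL1-Outside address)
!     packet-tracer input Internet udp 198.51.100.10 40000 <MAIL1-Outside-address> 53
```

The trade-off to keep in mind: the per-port `static ... tcp/udp` form limits exposure at the translation layer as well as in the ACL, whereas the one-to-one static relies on the ACL alone, so any later "permit ip any any" style entry on Internet_access_in would expose every port of the mail server.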

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Wednesday, 12 August 2009 4:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?



OK, I am sure this is just something I haven't run into before, but I just
set up an ASA5520, and overall it's doing well, except for this one gotcha.

We are using it in routed/NAT mode, but some internal servers need to be on
their own external IPs as well; we have multiple DNS, mail, and so on
servers in the network. I have the external IPs on the firewall, mapped
to the specific internal servers, and all is well. Also my TCP mappings
all seem to be fine, but when I try and put in a translation for UDP on port
53 it has a cow.

ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy

So needless to say the outside DNS queries to that server are NOT working.



Here is some of my config, hopefully I don't need to post it all as it's
quite extensive (with multiple VPNs and so on), so I will try and post what
I think are the relevant parts.

name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside

object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host MAIL1-Outside eq domain

nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0

static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask 255.255.255.255





NOTE: The TCP static translations above work just fine, but if I try and
put in a UDP translation as well like this:

static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask 255.255.255.255

The ASA throws a bitch and kicks out an "ERROR: unable to reserve port 53 for
static PAT" error. Of course without UDP on port 53 working, DNS lookups
from that machine to the outside world are dead.



What am I missing here?? I know if I didn't have it on its own specific
external IP, then I could put in the UDP rule (as I have some in for servers
that don't need their own), but if I pull that, then I don't have the server
on its own IP, and then mail/SMTP service becomes an issue as some sites
reject unreachable mail servers.

So I guess the million dollar question is, how can I have the MAIL1 server
on its own specific outside IP address, and also have it responding to UDP
DNS queries?

I am sure I am missing something silly here, and this is running "Cisco
Adaptive Security Appliance Software Version 8.2(1)" software, so it is
current. Any input on how to resolve this would be most appreciated.





---

Howard Leadmon - howard at leadmon.net



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
