[c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
Chris Jones
CJones at enterprisedata.com.au
Wed Aug 12 03:32:45 EDT 2009
Hi Howard,
What about doing something like:
static (LAN,Internet) MAIL1-Outside MAIL1-Inside netmask 255.255.255.255
Then using the ACL on the outside interface to control the access. With that, you wouldn't need an individual mapping for each port - only to open it in the ACL.
Regards,
Chris
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Wednesday, 12 August 2009 4:47 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ASA PAT issues with dynamic translations, any ideas?
OK, I am sure this is just something I haven't run into before, but I just
setup an ASA5520, and overall it's doing well, except this one gotcha.
We are using it in routed/NAT mode, but some internal servers need to be on
their own external IP's as well, we have multiple DNS, Mail, and so on
servers in the network. I have the external IP's on the firewall, mapped
to the specific internal servers, and all is well. Also my TCP mappings
all seem to be fine, but when I try and put in a translation for UDP on port
53 it has a cow.
ERROR: unable to reserve port 53 for static PAT
ERROR: unable to download policy
So needless to say the outside DNS queries to that server are NOT working..
L
Here is some of my config, hopefully I don't need to post it all as it's
quite extensive (with multiple VPN's and so on), so I will try and post what
I think are the relevant parts.
name 10.98.4.33 MAIL1-Inside
name 207.xx.xx.33 MAIL1-Outside
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list Internet_access_in remark DNS Server on MAIL1
access-list Internet_access_in extended permit object-group TCPUDP any host
MAIL1-Outside eq domain
nat-control
global (Internet) 101 interface
global (Internet) 102 MAIL1-Outside netmask 255.0.0.0
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 102 MAIL1-Inside 255.255.255.255
nat (LAN) 101 0.0.0.0 0.0.0.0
static (LAN,Internet) tcp MAIL1-Outside domain MAIL1-Inside domain netmask
255.255.255.255
static (LAN,Internet) tcp MAIL1-Outside smtp MAIL1-Inside smtp netmask
255.255.255.255
NOTE: The TCP static translations above works just fine, but if I try and
put in a UDP translation as well like this:
static (LAN,Internet) udp MAIL1-Outside domain MAIL1-Inside domain netmask
255.255.255.255
The ASA throws a bitch and kicks out "ERROR: unable to reserve port 53 for
static PAT" error. Of course without UDP on port 53 working, DNS lookups
from that machine to the outside world are dead.
What am I missing here?? I know if I didn't have it on it's own specific
external IP, then I could put in the UDP rule (as I have some in for servers
that don't need there own), but if I pull that, then I don't have the server
on it's own IP, and then mail/SMTP service becomes an issue as some sites
reject unreachable mail servers.
So I guess the million dollar question is, how can I have the MAIL1 server
on it's own specific outside IP address, and also have it responding to UDP
DNS queries.
I am sure I am missing something silly here, and this is running "Cisco
Adaptive Security Appliance Software Version 8.2(1)" software, so is
current. Any input on how to resolve this would be most appreciated..
---
Howard Leadmon - howard at leadmon.net
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you receive this email by mistake, please notify the author and do not make any use of the email. We do not waive any privilege, confidentiality or copyright associated with it.
Please consider the environment before printing this e-mail.
More information about the cisco-nsp
mailing list