topic Is your DNS resolving the in Network Security

How to NAT configuration on ASA 5520 8.4(2)

pokemon284 — Tue, 12 Mar 2019 06:43:50 GMT

I got some issues with NAT configuration. I have a host server with 2 service: WWW and DNS. I want to access Server via IP address and domain from outside. How to configuration ASA and router???

Thank's!!!

P/s: my english is not good !!! 😄

Hi,From diagram it looks like

Rishabh Seth — Mon, 12 Oct 2015 05:12:37 GMT

Hi,

From diagram it looks like you are trying to access 192.168.4.11 from 192.168.0.100.

You need following :

Router:

1:Route for 192.168.4.11.

2: ACL to permit www and DNS traffic.

ASA:

1:Verify the security level or ingress and egress interface. Command: show nameif.

2: Check if traffic is initiated from higher security level or lower.

3: Traffic from higher security to lower will be allowed by default (if there is no explicit ACL applied on that interface.)

4:If traffic is initiated from lower security level then create an ACL to permit www and dos traffic for particular destination and source. In case the traffic is initiated from higher security level and you hav have an existing ACL then add an entry to permit www and DNS traffic.

5. Create route on ASA for 192.168.0.100 for return traffic.

Hope it helps!!!!

Thanks,

R.Seth

Mark answer as correct if it helps in resolving your query!!!

I config Nat for Web Server

pokemon284 — Mon, 12 Oct 2015 06:59:41 GMT

I mean: configuration NAT for 2 services on the same host (192.168.4.11:80 and 192.168.4.11:53). I configed Nat for Web Server with port 80 but i can't config Nat for DNS Server. Can u show me command line???

help me, please!!! :(

pokemon284 — Tue, 13 Oct 2015 08:15:32 GMT

help me, please!!! 😞

What is the issue that you

Rishabh Seth — Tue, 13 Oct 2015 09:14:31 GMT

What is the issue that you are facing?

Are you trying to configure object nat?

If yes then ensure you have one NAT rule per object.

Create two objects for www and dns nat rules.

eg:

Object network www

host 10.1.1.1

nat (inside,outside) static <ip/interface> service tcp 80 80

Object network DNS

host 10.1.1.1

nat (inside,outside) static <ip/interface> service udp 53 53

Also configure appropriate ACL to permit traffic for www and dns.

Thanks,

R.Seth

- In ASA: object network

pokemon284 — Tue, 13 Oct 2015 14:17:30 GMT

- In ASA:

object network PublicWWW

host 192.168.4.11
nat (dmz,outside) static 10.0.0.3 service tcp www www

object network PublicDNS

host 192.168.4.11
nat (dmz,outside) static 10.0.0.4 service udp domain domain

access-list WD extended permit tcp any object PublicWWW eq www
access-list WD extended permit udp any object PublicDNS eq domain

access-group WD in in out

- In Router:

ip nat inside source static tcp 10.0.0.3 80 192.168.0.100 80

ip nat inside source static udp 10.0.0.4 53 192.168.0.100 53

Then, I access website with IP => ok

and access website with domain => no => Why ???

Is your DNS resolving the

Rishabh Seth — Tue, 13 Oct 2015 14:22:55 GMT

Is your DNS resolving the domain to same IP?

Try nslookup for the domain from the PC and verify if its same.

Share your findings.

Thanks,

R.Seth

Request timed out??? Why???

pokemon284 — Tue, 13 Oct 2015 15:44:27 GMT

Request timed out??? Why???

This seems to a issue with

Rishabh Seth — Tue, 13 Oct 2015 15:50:42 GMT

This seems to a issue with your dns. Try checking your dons server. Looks like end client is not able to get name resolution for the domain you are trying to ping.

As long as website is accessible over IP, your ASA NAT config is correct.

Thanks,

R.Seth

Thank's for your help!!! :D

pokemon284 — Tue, 13 Oct 2015 16:08:07 GMT

Thank's for your help!!! 😄