topic Re: ASA - DNS & NAT problem in Network Security

ASA - DNS & NAT problem

herve.leon — Mon, 11 Mar 2019 18:08:06 GMT

Hi,

I have an ASA5510 with 3 interfaces : inside, outside,dmz.

In the DMZ, a McAfee Web and Security Appliance acting as a proxy (called srv-proxy, IP=192.168.127.52).

srv-proxy is natted to INTERNET (public IP address).

I'd like the srv-proxy to solve DNS requests on some extern DNS servers (srv-dns-oleane).

Here's the simple configuration to do this:

static (dmz,outside) INTERNET srv-proxy netmask 255.255.255.255

access-list acl-dmz_public extended permit udp dmz_public 255.255.255.0 object-group srv-dns-oleane eq domain log

By monitoring with ASDM, I can

opendns2 53 srv-proxy 5594 Built outbound connection 776 for outside:opendns(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)

srv-proxy 5596 opendns2 53 access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt1 first hit

With "show nat" and "show xlate", I can see that the nat isworking.

However, on the "srv-proxy", "nslookup www.google.com" does't work.

I have an old PIX515E? with the same configuration, it works.

Do you have any idea ?

Thanks

Herve

Re: ASA - DNS & NAT problem

Marcin Latosiewicz — Tue, 06 Jul 2010 13:40:27 GMT

Herve,

I would check what's going on with a packet capture on DMZ and outside interfaces at the same time.

I also understand that the two interfaces have different security level?

Normally if logs on informational level do not show you any dropped packets the packet has traversed, unless dropped on ASP.

Marcin

Re: ASA - DNS & NAT problem

Nagaraja Thanthry — Tue, 06 Jul 2010 17:38:28 GMT

To add to Marcin's response, I would also check the inspect rules. If you have turned on DNS inspection, that could be affecting the response. If the DNS inspection is turned on, try turning it off and see if that helps.

Regards,

Re: ASA - DNS & NAT problem

herve.leon — Wed, 07 Jul 2010 09:19:09 GMT

Thanks for your answers.

With Packet Capture on the outside interface, I can see the DNS request leaving with the translated IP towards the DNS servers.

However, I can't see any packets coming from the DNS servers.

With ASA Monitoring, I have:

srv-proxy -> opendns1 (53) access-list acl_dmz_public permitted udp dmz_public/srv-proxy(23452) -> outside/opendns(53) hit-cnt 1 first hit

opendns1 (53) -> srv-proxy (23452) Built outbound UDP connection 10211 for outside:opendns1/53 to dmz_public:srv-proxy/23452 (INTERNET/23452)

Why I can't see the Built outbound connection on Packet Capture ??

I turned off DNS inspection but it failed too.

Herve

Re: ASA - DNS & NAT problem

Marcin Latosiewicz — Wed, 07 Jul 2010 10:21:44 GMT

Herve,

If you see requests properly NATed going out but nothing coming back in that's not very likely to be the ASA side at fault.

You can check if the ASA is putting correct destination mac address on those packets but that's basically the extent we can do.

Marcin

Re: ASA - DNS & NAT problem

Nagaraja Thanthry — Wed, 07 Jul 2010 12:54:00 GMT

The packet captures just show the raw packet at the interface level. You should see the requests leaving the firewall. If you are using your ISP DNS server, could you use 4.2.2.2 as the DNS Server and see if the proxy server is resolving DNS names? Also, can the proxy server communicate with internet i.e. can you ping your default gateway from the proxy server? If not, it could be an issue with ISP not sending traffic belonging to INTERNET address back to your firewall. You need to check with the ISP and see if they have proper ARP entry (it should be firewalls MAC for INTERNET address too) in their router.

Hope this helps.

Regards,

Re: ASA - DNS & NAT problem

herve.leon — Fri, 09 Jul 2010 10:01:13 GMT

Hi,

I'd like to thank all of you for your answers and particularly Nagaraja.

First, I configured my PC with the PIX IP address (INTERNET) and connected it directly to the router. The PC can receive DNS requests.

When I reconnected the PIX to the router. It failed to solve DNS names. I rebooted the router to solve this.

So, I just removed the PIX and put the new ASA in place, rebooted the router again and everything went right.

It took me a long time to solve this, thinking that it was a misconfiguration of the static NAT on the ASA or something else.

Thanks a lot for your help,

Herve