ASA 5520 and Static NAT

kathy-kat
Level 1

I just configured an ASA 5520; here is the config (the IP address of the outside network is changed to a private address for security reasons).

The problem that I have is that the users can access the web site through the public IP address, but they cannot access it by name. We reviewed all the config on the DNS server, and with the NSLOOKUP command we can see that it works fine. The client thinks that the ASA is blocking the connection.

That configuration worked and suddenly does not work anymore.

The version on the appliance is Cisco Adaptive Security Appliance Software Version 8.2(3)

Do you know if the version has some bugs?

interface GigabitEthernet0/0
duplex full
nameif outside
security-level 0
ip address 192.168.18.114 255.255.255.248

interface GigabitEthernet0/1
duplex full
nameif inside
security-level 100
ip address 172.17.0.3 255.255.255.0

interface GigabitEthernet0/2
duplex full
nameif DMZ
security-level 50
ip address 192.168.0.5 255.255.0.0

interface GigabitEthernet1/0
description Portals and Applications Segment Connection
duplex full
nameif Outside-2
security-level 0
ip address 192.168.1.1 255.255.255.248

access-list DMZ_access_in remark +++++++++++++ Web server permissions ++++++++++++++
access-list DMZ_access_in extended permit udp host Servidor-Web any eq 53

access-list DMZ_access_in extended permit udp host Servidor-Web any eq 80

access-list DMZ_access_in extended permit tcp host Servidor-Web any eq 53

access-list DMZ_access_in extended permit tcp host Servidor-Web any eq 80

access-list DMZ_access_in extended permit object-group TCPUDP host Servidor-DNS-Externo any eq domain

access-list Outside-2_access_in remark +++++++++++++++ Permissions for external hosts to the external DNS server ++++++++++++++++
access-list Outside-2_access_in extended permit udp any host 192.168.1.6 object-group Pagina-WEB-UDP

access-list outside_access_in remark +++++++++++++++ Permissions for external hosts to the web server ++++++++++++++++

access-list outside_access_in extended permit udp any host 192.168.18.118 eq domain

access-list outside_access_in extended permit udp any host 192.168.18.118 eq www

access-list outside_access_in extended permit tcp any host 192.168.18.118 eq domain

access-list outside_access_in extended permit tcp any host 192.168.18.118 eq wwww

static (DMZ,outside) 192.168.18.118 Servidor-Web netmask 255.255.255.255

static (DMZ,Outside-2) udp 192.168.1.6 domain Servidor-DNS-Externo domain netmask 255.255.255.255

static (DMZ,Outside-2) tcp 192.168.1.6 domain Servidor-DNS-Externo domain netmask 255.255.255.255

The web site is in the Outside's Network.

Public Address= 192.168.18.118/29

Private Address= 192.168.0.4/16

The External DNS is in the Outside-2's Network.

Public Address= 192.168.1.6/29

Private Address= 192.168.0.3/16

Any idea???

1 Reply 1

mirober2
Cisco Employee

Hi Katherine,

If I understand correctly, you have clients on the outside interface who can't access the web server in the DMZ when using its domain name (but it works when using IP address), is that correct?

You mentioned you tested DNS resolution from the client with 'nslookup'. Did that return the correct IP (192.168.18.118)?

Could you post the output of 'packet-tracer in outside tcp 4.2.2.2 12345 192.168.18.118 80' for us? This will help show if there are any configuration issues. Please also post any syslogs that the ASA generates when the connection is not working.

-Mike
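
An offline cross-check that complements the packet-tracer run requested above, as an added example that is not part of the thread: it lists every `static` translation in the posted config that has no inbound permit of the same protocol toward its mapped address. The post shows no `access-group` lines, so the script assumes each ACL named `<nameif>_access_in` is applied inbound on that interface; object-group contents are not in the post and are not resolved.

```python
import re

# static and inbound access-list lines copied from the post above
CONFIG = """\
access-list Outside-2_access_in extended permit udp any host 192.168.1.6 object-group Pagina-WEB-UDP
access-list outside_access_in extended permit udp any host 192.168.18.118 eq domain
access-list outside_access_in extended permit udp any host 192.168.18.118 eq www
access-list outside_access_in extended permit tcp any host 192.168.18.118 eq domain
access-list outside_access_in extended permit tcp any host 192.168.18.118 eq wwww
static (DMZ,outside) 192.168.18.118 Servidor-Web netmask 255.255.255.255
static (DMZ,Outside-2) udp 192.168.1.6 domain Servidor-DNS-Externo domain netmask 255.255.255.255
static (DMZ,Outside-2) tcp 192.168.1.6 domain Servidor-DNS-Externo domain netmask 255.255.255.255
"""

# Matches only the "permit <proto> any host <ip>" form used in the post.
PERMIT_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any host (\S+)", re.MULTILINE
)


def parse_statics(cfg):
    """Yield (mapped_if, proto, mapped_ip, mapped_port) for each 8.2-style static."""
    for line in cfg.splitlines():
        tok = line.split()
        if not tok or tok[0] != "static":
            continue
        mapped_if = tok[1].strip("()").split(",")[1]
        if tok[2] in ("tcp", "udp"):          # static PAT: proto ip port ...
            yield mapped_if, tok[2], tok[3], tok[4]
        else:                                  # host static NAT: ip only
            yield mapped_if, None, tok[2], None


def uncovered_statics(cfg, acl_suffix="_access_in"):
    """Return statics with no same-protocol permit to the mapped address.

    Assumption: the ACL applied inbound on an interface is named
    <nameif> + acl_suffix (no access-group lines appear in the post).
    """
    permits = {(m[1], m[2], m[3]) for m in PERMIT_RE.finditer(cfg)}
    findings = []
    for mapped_if, proto, ip, port in parse_statics(cfg):
        acl = mapped_if + acl_suffix
        wanted = [proto] if proto else ["tcp", "udp"]
        if not any((acl, p, ip) in permits for p in wanted):
            findings.append((mapped_if, proto or "ip", ip, port))
    return findings


if __name__ == "__main__":
    for finding in uncovered_statics(CONFIG):
        print("static with no matching permit:", finding)
```

A listed entry means only that the posted lines contain no matching permit; packet-tracer and the syslogs show what the ASA actually does with a given flow.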
