07-06-2010 06:21 AM - edited 03-11-2019 11:08 AM
Hi,
I have an ASA5510 with 3 interfaces: inside, outside, dmz.
In the DMZ, a McAfee Web and Security Appliance is acting as a proxy (called srv-proxy, IP=192.168.127.52).
srv-proxy is NATed to INTERNET (public IP address).
I'd like the srv-proxy to resolve DNS requests on some external DNS servers (srv-dns-oleane).
Here's the simple configuration to do this:
static (dmz,outside) INTERNET srv-proxy netmask 255.255.255.255
access-list acl-dmz_public extended permit udp dmz_public 255.255.255.0 object-group srv-dns-oleane eq domain log
By monitoring with ASDM, I can see:
opendns2 53 srv-proxy 5594 Built outbound connection 776 for outside:opendns(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)
srv-proxy 5596 opendns2 53 access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt1 first hit
With "show nat" and "show xlate", I can see that the NAT is working.
However, on the "srv-proxy", "nslookup www.google.com" doesn't work.
I have an old PIX515E with the same configuration, and it works.
Do you have any idea?
Thanks
Herve
07-07-2010 05:54 AM
The packet captures just show the raw packet at the interface level. You should see the requests leaving the firewall. If you are using your ISP DNS server, could you use 4.2.2.2 as the DNS server and see if the proxy server is resolving DNS names? Also, can the proxy server communicate with the internet, i.e., can you ping your default gateway from the proxy server? If not, it could be an issue with the ISP not sending traffic belonging to the INTERNET address back to your firewall. You need to check with the ISP and see if they have the proper ARP entry (it should be the firewall's MAC for the INTERNET address too) in their router.
Hope this helps.
Regards,
NT
07-06-2010 06:40 AM
Herve,
I would check what's going on with a packet capture on DMZ and outside interfaces at the same time.
I also understand that the two interfaces have different security levels?
Normally, if logs at informational level do not show you any dropped packets, the packet has traversed, unless dropped by ASP.
Marcin
07-06-2010 10:38 AM
To add to Marcin's response, I would also check the inspect rules. If you have turned on DNS inspection, that could be affecting the response. If the DNS inspection is turned on, try turning it off and see if that helps.
Regards,
NT
07-07-2010 02:19 AM
Thanks for your answers.
With Packet Capture on the outside interface, I can see the DNS request leaving with the translated IP towards the DNS servers.
However, I can't see any packets coming from the DNS servers.
With ASA Monitoring, I have:
srv-proxy -> opendns1 (53) access-list acl_dmz_public permitted udp dmz_public/srv-proxy(23452) -> outside/opendns(53) hit-cnt 1 first hit
opendns1 (53) -> srv-proxy (23452) Built outbound UDP connection 10211 for outside:opendns1/53 to dmz_public:srv-proxy/23452 (INTERNET/23452)
Why can't I see the Built outbound connection in the packet capture?
I turned off DNS inspection, but it failed too.
Herve
07-07-2010 03:21 AM
Herve,
If you see requests properly NATed going out but nothing coming back in that's not very likely to be the ASA side at fault.
You can check if the ASA is putting correct destination mac address on those packets but that's basically the extent we can do.
Marcin
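The two checks this thread converges on (queries leaving the outside interface with no replies coming back, and the destination MAC the ASA writes on those frames) can be applied mechanically to a decoded capture. The script below is an added example and not part of the thread or of any Cisco tooling; it models frames from an outside-interface capture with constructed addresses (documentation ranges and made-up MACs, the NAT address standing in for the thread's INTERNET object) and returns the same verdict the posters reached by hand: healthy, firewall-side next-hop problem, or upstream problem such as a stale ARP entry at the ISP router.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One decoded frame from a capture on the firewall's outside interface."""
    direction: str  # "out" = sent by the firewall, "in" = received by it
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int


# Assumed addresses, all constructed for this example (documentation ranges).
ASA_OUTSIDE_MAC = "aa:bb:cc:dd:ee:01"   # assumed: ASA outside interface MAC
GATEWAY_MAC = "00:11:22:33:44:55"       # assumed: ISP router MAC as seen in "show arp"
NAT_IP = "203.0.113.10"                 # stands in for the thread's INTERNET address
DNS1, DNS2 = "198.51.100.53", "198.51.100.54"


def q(sport, dns, dst_mac=GATEWAY_MAC):
    """A DNS query leaving the firewall from the NATed proxy address."""
    return Frame("out", ASA_OUTSIDE_MAC, dst_mac, NAT_IP, dns, "udp", sport, 53)


def r(sport, dns):
    """The matching DNS reply arriving from the resolver."""
    return Frame("in", GATEWAY_MAC, ASA_OUTSIDE_MAC, dns, NAT_IP, "udp", 53, sport)


# Case 1: the thread's symptom. Queries leave with the right next-hop MAC,
# nothing ever comes back for the NAT address.
CAPTURE_NO_REPLIES = [q(5594, DNS1), q(5596, DNS1), q(5598, DNS2)]

# Case 2: a reply arrives, so the path is fine.
CAPTURE_HEALTHY = [q(5594, DNS1), r(5594, DNS1)]

# Case 3: the firewall itself addresses frames to a stale MAC (the check
# Marcin suggested); replies cannot come back either.
STALE_MAC = "de:ad:be:ef:00:01"
CAPTURE_BAD_MAC = [q(5594, DNS1, dst_mac=STALE_MAC), q(5596, DNS1, dst_mac=STALE_MAC)]


def flow_key(f):
    """(local_ip, local_port, remote_ip, remote_port), identical for query and reply."""
    if f.direction == "out":
        return (f.src_ip, f.sport, f.dst_ip, f.dport)
    return (f.dst_ip, f.dport, f.src_ip, f.sport)


def unanswered_udp_flows(frames, dport=53):
    """Flows that left the firewall toward dport but never saw a return frame."""
    sent, answered = set(), set()
    for f in frames:
        if f.proto != "udp":
            continue
        if f.direction == "out" and f.dport == dport:
            sent.add(flow_key(f))
        elif f.direction == "in" and f.sport == dport:
            answered.add(flow_key(f))
    return sorted(sent - answered)


def wrong_next_hop(frames, gateway_mac=GATEWAY_MAC):
    """Outbound frames whose destination MAC is not the expected gateway."""
    return [f for f in frames
            if f.direction == "out" and f.dst_mac.lower() != gateway_mac.lower()]


def diagnose(frames, gateway_mac=GATEWAY_MAC, dport=53):
    """Turn the thread's reasoning into a verdict string."""
    if not unanswered_udp_flows(frames, dport):
        return "ok: replies seen for every query"
    if wrong_next_hop(frames, gateway_mac):
        return "firewall side: outbound frames use a wrong next-hop MAC"
    return ("upstream: queries leave correctly but no replies; "
            "check the ISP router's ARP entry for the NAT address")


if __name__ == "__main__":
    for name, cap in [("no replies", CAPTURE_NO_REPLIES),
                      ("healthy", CAPTURE_HEALTHY),
                      ("bad mac", CAPTURE_BAD_MAC)]:
        print(f"{name}: {diagnose(cap)}")
```

In practice the `Frame` records would come from a parsed `capture` export rather than be built inline; the point is that pairing each outbound query with a return frame by its NAT-side tuple, and comparing the outbound destination MAC against the gateway's learned MAC, separates a firewall-side fault from the upstream ARP problem that turned out to be the cause here.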
07-09-2010 03:01 AM
Hi,
I'd like to thank all of you for your answers and particularly Nagaraja.
First, I configured my PC with the PIX IP address (INTERNET) and connected it directly to the router. The PC can receive DNS requests.
When I reconnected the PIX to the router, it failed to resolve DNS names. I rebooted the router to solve this.
So, I just removed the PIX and put the new ASA in place, rebooted the router again and everything went right.
It took me a long time to solve this, thinking that it was a misconfiguration of the static NAT on the ASA or something else.
Thanks a lot for your help,
Herve