Cannot Access DNS Server

thomas.r.mielke
Level 1

Hello,

I am new to Cisco software and networking in general, so I appreciate any help that the community can provide.

Here's my setup: I have a Cisco ASA firewall sitting behind a university firewall. I am able to connect to my devices using the AnyConnect VPN software. I have set the DNS servers on the Cisco device to use the university's DNS servers (i.e. 140.5.6.2). When I ping the outside world (i.e. google.com) from the ASA CLI I get success. But when I ping from a server behind the firewall on a local subnet (192.168.150.0/24), it fails. The server has the DNS configured to the university IP (140.5.6.2). Is there some rule that I need to add so the DNS queries get forwarded to the right servers (since it's on a different subnet)?


11 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Have you configured NAT rules between the interface where the server is connected and the interface where the University network is connected? Also, what is the security level of those two interfaces? You can try packet tracer to see where exactly the communication is getting dropped.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Hope this helps.

Regards,

NT

One of my colleagues was able to fix the issue, but it wasn't an issue of the DNS not resolving the hostname. I couldn't ping IP addresses either. With the addition of some NAT/PAT rules, the issue is fixed. Unfortunately, a new bug has arisen in its place that does not allow us to ssh/ping/access our servers from an AnyConnect VPN connection.

The error we get is:

"Asymmetric NAT rules matched for forward and reverse flows...denied due to NAT reverse path failure"

Hello,

I guess your colleague added a NAT statement that is in conflict with the existing NAT statement. You need to make sure that there are no overlapping NAT statements (both nat0 and static). If possible, please post the NAT statements you have for the servers and the NAT statement your colleague has added. We could try to figure out the overlapping statements.

Hope this helps.

Regards,

NT

Thanks, our NATs are as follows:

global (outside) 1 78.23.45.67

global (outside) 1 interface

nat (inside) 1 192.168.128.0 255.255.255.0 dns

nat (management) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

(I'm using semi-mock IP addresses, but the configuration is the same.)

Hello,

I think you are missing a no-nat statement that was allowing you access to your servers.

access-list nonat permit ip host

nat (inside) 0 access-list nonat

Please try the above and see if that helps.

Regards,

NT

That did the trick! Thanks a lot!

Hi Thomas,

Have you considered changing the way you are doing your NATing? Do you really need so many static NATs?

It seems you are wanting everything that leaves your internal 192.168.128.0 to be shown as 78.23.45.67 when you leave the outside interface.

I would remove the statics and have another look at your Global and NAT (inside) statements.

Should make your config much simpler.

David

The static NATs are needed for port forwarding to different servers behind the firewall. I'm not aware of an easier way to write these rules.

Hi Thomas,

> The static NATs are needed for port forwarding to different servers behind the firewall.

Are you wanting hosts on the outside of the network to be able to access your inside hosts via the global address 78.23.45.67?

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

...

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

How will the firewall know which static above to send the https request to? Maybe you need a different IP address for the other server.

David

Hello Thomas,

Except for one conflict in your statics (unless you did have a different IP in your real configuration and you forgot to change the IPs when you sent the configuration to us), other things look good. I am not sure if you have two web servers inside or you have a different service on the inside that needs the https port. I would suggest mapping one of those devices to a different port, i.e. maybe port 4443 instead of 443.

Regards,

NT

As you suggested, Nagaraja, the conflict in the static NAT statements is because I did not correctly change the IPs when I posted the message. The real configuration looks more like this:

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

Additionally, the https traffic is split between two devices: (1) a web server and (2) a console monitor. Since we have multiple IP addresses available to us, it made sense to use the same port on both, on different addresses.

Thanks for your help!
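The two defects worked through in this thread, a static PAT collision (two statics mapping 78.23.45.67/tcp/443 to different inside hosts) and a missing `nat 0 access-list` exemption for the AnyConnect traffic, can both be caught mechanically before the firewall reports an asymmetric NAT failure. The following Python linter is an added example, not code from the thread or from Cisco: it parses the pre-8.3 `static`, `access-list ... permit ip` and `nat (iface) 0 access-list` statements as posted above, flags mapped ip/proto/port tuples that point at more than one real host, and checks whether a given inside subnet and remote subnet are covered by an exemption ACL. The statics are the ones posted in the thread (mock addresses, as the poster noted); the VPN pool 192.168.200.0/24 and the `nonat` ACL entry are constructed assumptions, since the thread elides the real ACL line.

```python
"""Linter for pre-8.3 Cisco ASA NAT statements (added example, not from the thread):
finds static PAT entries that collide on the same mapped ip/proto/port, and
subnet pairs (VPN pool <-> server LAN) with no 'nat 0 access-list' exemption."""
import ipaddress
import re
from collections import defaultdict

# Service names used in the statics on this page, resolved to port numbers.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask \S+$"
)
NAT0_RE = re.compile(r"nat \((?P<iface>\w+)\) 0 access-list (?P<acl>\S+)$")

# Statics exactly as first posted in the thread (mock addresses).
POSTED_STATICS = """
static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
"""

# Statics from the poster's follow-up: the second server lives on 78.23.45.66.
CORRECTED_STATICS = """
static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.66 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.66 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
"""

# Constructed NAT exemption. The AnyConnect pool 192.168.200.0/24 is an
# assumption; the thread never states the real pool or the full ACL line.
NONAT_EXEMPTION = """
access-list nonat permit ip 192.168.128.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def _port(token):
    """Resolve a service name or numeric port token to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A.B.C.D' or 'NET MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1]), tokens[2:]


def parse_config(text):
    """Return statics, 'permit ip' ACL entries by name, and nat-0 bindings."""
    cfg = {"statics": [], "acls": defaultdict(list), "nat0": []}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the double spaces seen in the post
        if not line:
            continue
        if (m := STATIC_RE.match(line)):
            d = m.groupdict()
            cfg["statics"].append({
                "mapped": (d["mapped_ip"], d["proto"], _port(d["mapped_port"])),
                "real": (d["real_ip"], _port(d["real_port"])),
            })
        elif line.startswith("access-list "):
            parts = line.split()
            if parts[2:4] == ["permit", "ip"]:
                src, rest = _endpoint(parts[4:])
                dst, _ = _endpoint(rest)
                cfg["acls"][parts[1]].append((src, dst))
        elif (m := NAT0_RE.match(line)):
            cfg["nat0"].append((m.group("iface"), m.group("acl")))
    return cfg


def find_static_conflicts(cfg):
    """Mapped (ip, proto, port) tuples that point at more than one real host;
    the ASA cannot choose a server for a request arriving on such a tuple."""
    by_mapped = defaultdict(set)
    for s in cfg["statics"]:
        by_mapped[s["mapped"]].add(s["real"][0])
    return sorted((k, sorted(v)) for k, v in by_mapped.items() if len(v) > 1)


def exemption_covers(cfg, inside_net, remote_net):
    """True if some 'nat (iface) 0 access-list' ACL permits inside_net -> remote_net.
    The ACL is written from the inside interface's view (source = real inside
    addresses); the ASA applies the exemption to both directions of the flow."""
    inside, remote = ipaddress.ip_network(inside_net), ipaddress.ip_network(remote_net)
    for _iface, acl in cfg["nat0"]:
        for src, dst in cfg["acls"][acl]:
            if inside.subnet_of(src) and remote.subnet_of(dst):
                return True
    return False


if __name__ == "__main__":
    for label, text in (("posted", POSTED_STATICS), ("corrected", CORRECTED_STATICS)):
        print(label, "static conflicts:", find_static_conflicts(parse_config(text)))
    full = parse_config(CORRECTED_STATICS + NONAT_EXEMPTION)
    print("VPN pool exempted:", exemption_covers(full, "192.168.128.0/24", "192.168.200.0/24"))
```

Run as posted, the linter reports the single https collision on 78.23.45.67 and nothing for the corrected statics; `exemption_covers` is only true once a `nat (inside) 0` ACL names both the server LAN and the pool, which is the shape of the accepted fix above (with the real ACL entries substituted for the assumed ones).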
