02-26-2015 03:53 PM - edited 03-11-2019 10:34 PM
Hello Forum.
We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
From outside the firewall, people need to be able to get to the webserver via http, https and a custom port (3390). From outside the firewall, no one needs DNS access.
From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to the webserver from all VLANS.
The VLANS themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the VLAN name. So for example VLAN 10 is on the 10.10.10.x subnet, VLAN 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
WHAT WORKS:
Outside_in: http and RDP work fine. Pretty sure I will be able to get https working myself, so not looking for help there.
Inside_in: traffic from VLAN 10 to VLAN 5 works fine, but I think that is in part due to the any-any allow rule on the VLAN 10 interface. Apart from that, all VLANs can get out to the web, but they cannot get proper DNS resolution or access the webserver across VLANs.
I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated.
02-26-2015 08:33 PM
If you run the packet-tracer on the ASA (either via cli or asdm), it will tell you where the traffic is being dropped.
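As an added illustration of the packet-tracer approach suggested above (not part of the original reply), the two commands below simulate the flows the original poster says are failing: a DNS query and an HTTP request from a host in VLAN 10 to the servers in VLAN 5. The interface name `inside`, the client address 10.10.10.50, the server addresses 10.10.5.10 (DNS) and 10.10.5.20 (web) and the source ports are assumptions chosen to match the addressing scheme described in the question, not values from the thread.

```cisco
! Assumed: ingress interface "inside", client 10.10.10.50 in VLAN 10,
! DNS server 10.10.5.10 and webserver 10.10.5.20 in VLAN 5.
! Syntax: packet-tracer input <ifc> <proto> <src_ip> <src_port> <dst_ip> <dst_port> [detailed]

! Simulate a DNS query from VLAN 10 to the DNS server in VLAN 5
packet-tracer input inside udp 10.10.10.50 40000 10.10.5.10 53 detailed

! Simulate an HTTP request from VLAN 10 to the webserver in VLAN 5
packet-tracer input inside tcp 10.10.10.50 40001 10.10.5.20 80 detailed

! Read the output from the top: each "Phase:" block shows a processing step
! (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) with its own "Result: ALLOW|DROP".
! The first phase that reports DROP is the one to fix; the "Drop-reason:"
! line at the bottom names the cause. If the failing phase is NAT, list the
! translation table in order to see which rule matched the flow:
show nat detail
```

If the NAT phase drops the packet, compare the rule it reports against the object definitions for the two subnets; an inter-VLAN flow that is never meant to leave the firewall should hit an identity (exemption) rule before any outside-facing static or dynamic translation.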
02-27-2015 05:35 AM
Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but it is not, because it doesn't work.
02-27-2015 07:11 PM
Can you post the output of the packet trace?