How to NAT configuration on ASA 5520 8.4(2)

pokemon284
Level 1

I got some issues with NAT configuration. I have a host server with 2 services: WWW and DNS. I want to access the server via IP address and domain from outside. How do I configure the ASA and router???

Thanks!!!

P.S.: my English is not good!!! :D


9 Replies

Rishabh Seth
Level 7

Hi,

From the diagram it looks like you are trying to access 192.168.4.11 from 192.168.0.100.

You need the following:

Router:

1: Route for 192.168.4.11.

2: ACL to permit WWW and DNS traffic.

ASA:

1: Verify the security level of the ingress and egress interfaces. Command: show nameif.

2: Check whether the traffic is initiated from the higher security level or the lower one.

3: Traffic from higher security to lower will be allowed by default (if there is no explicit ACL applied on that interface).

4: If the traffic is initiated from the lower security level then create an ACL to permit WWW and DNS traffic for the particular destination and source. In case the traffic is initiated from the higher security level and you have an existing ACL, then add an entry to permit WWW and DNS traffic.

5: Create a route on the ASA for 192.168.0.100 for the return traffic.

Hope it helps!!!!

Thanks,

R.Seth

Mark answer as correct if it helps in resolving your query!!!


I mean: configure NAT for 2 services on the same host (192.168.4.11:80 and 192.168.4.11:53). I configured NAT for the web server with port 80 but I can't configure NAT for the DNS server. Can you show me the command line???

Help me, please!!! :(

What is the issue that you are facing?

Are you trying to configure object NAT?

If yes then ensure you have one NAT rule per object.

Create two objects for the www and dns NAT rules.

e.g.:

object network www
 host 10.1.1.1
 nat (inside,outside) static <ip/interface> service tcp 80 80

object network DNS
 host 10.1.1.1
 nat (inside,outside) static <ip/interface> service udp 53 53


Also configure an appropriate ACL to permit traffic for www and dns.

Thanks,

R.Seth


- In ASA:

object network PublicWWW
 host 192.168.4.11
 nat (dmz,outside) static 10.0.0.3 service tcp www www

object network PublicDNS
 host 192.168.4.11
 nat (dmz,outside) static 10.0.0.4 service udp domain domain

access-list WD extended permit tcp any object PublicWWW eq www
access-list WD extended permit udp any object PublicDNS eq domain

access-group WD in interface outside

- In Router:

ip nat inside source static tcp 10.0.0.3 80 192.168.0.100 80
ip nat inside source static udp 10.0.0.4 53 192.168.0.100 53

Then, I access the website by IP => ok

and access the website by domain => no => Why???


Is your DNS resolving the domain to the same IP?

Try nslookup for the domain from the PC and verify if it's the same.


Share your findings.

Thanks,

R.Seth
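The same check can be done without depending on the PC's resolver settings. The script below is an added example, not from this thread: it sends an A query straight to the NAT-published DNS server on udp/53 and compares the answer with the public address the web server is published on. The domain name and both addresses are placeholders to be replaced with the ones from your own NAT rules.

```python
import socket, struct

def build_query(name, txid=0x1234):
    # Minimal RFC 1035 query: header (RD set, 1 question), QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Return the offset just past a domain name; a 0xC0 compression pointer ends it
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(msg):
    # Return (rcode, [IPv4 strings]) taken from the answer section of a DNS response
    flags, qdcount, ancount = struct.unpack_from("!HHH", msg, 2)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def check_public_dns(name, dns_ip, expected_ip, timeout=3.0):
    # Query the published DNS server directly on udp/53 (placeholder addresses) and
    # check that the A record points at the address the web server is reachable on
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (dns_ip, 53))
        msg, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no reply from %s:53 (check the udp/53 NAT rule and ACL)" % dns_ip
    finally:
        sock.close()
    rcode, addrs = parse_a_records(msg)
    if rcode != 0 or expected_ip not in addrs:
        return "rcode %d, answers %s, expected %s" % (rcode, addrs, expected_ip)
    return "ok"
```

Run it from the outside PC as `check_public_dns("www.example.com", "<public dns ip>", "<public www ip>")`; a timeout points at the udp/53 path, a wrong address points at the zone data.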


Request timed out??? Why???

This seems to be an issue with your DNS. Try checking your DNS server. It looks like the end client is not able to get name resolution for the domain you are trying to ping.

As long as the website is accessible over IP, your ASA NAT config is correct.

Thanks,

R.Seth

Thanks for your help!!! :D
