Problem with inside NAT

IT Asitis (Level 1)

Today I've moved to a Cisco ASA 5510 and I'm having problems when accessing web servers from the inside.

When I try to access the web server (helpdesk, webmail, etc.) from computers outside my network, everything works just fine. When I try to access the same sites internally, I can't resolve the hostnames, but when I access them via IP address everything works.

I seem to have missed something in the access rules, but I can't think of anything.

Please advise.


Jouni Forss (VIP Alumni)

Hi,

I would need a bit more background information on what exactly you have done:

  • From what have you moved to the ASA 5510? Some other ASA model?
  • Have you changed from some old software level to a new one?
  • Are the servers located behind the same interface as the users, or behind some DMZ interface?

You say you can't resolve hostnames? Wouldn't this simply mean a problem with the DNS server connection, or something else regarding DNS?

One common DNS-related problem is the following: when you are using, for example, a public DNS server which replies to an internal host with the public NAT IP address of your server, you can't connect to the server using that public IP address (a firewall limitation). In these cases you would use the "dns" parameter in the NAT configuration to automatically rewrite DNS replies before they reach the internal host, and therefore the internal host would actually be connecting to the local IP address of the server.

But I don't really know if this is the case. We don't have much information to go on.

- Jouni

Hi,

  • From what have you moved to the ASA 5510? Some other ASA model?
    • Moved from a Fortigate 60A, and I've tried to move/replicate the rules.
  • Have you changed from some old software level to a new one?
    • No
  • Are the servers located behind the same interface as the users, or behind some DMZ interface?
    • We have servers both behind a DMZ and on the same interface as the users; both segments are working externally but not internally. We're running two internal DNS servers as well as a public primary DNS server for our domain ourselves.

When I issue an nslookup command internally, I get "DNS request timed out", so yeah, it's most likely DNS-related. Somehow.

Sorry about the lack of information, I've been working 14 hours straight so far today.

We're running two internal DNS servers as well as an external primary DNS.

I can reach both my internal DNS servers OK, as well as the primary DNS (which is located on our DMZ).

nslookup is giving me a "DNS request timed out" error.

'Nuff said.

You can reach both your servers, but they are not replying with what the clients ask for.

Try using a different server [4.2.2.2] while you fix that.

jocamare (Level 4)

Is the DNS server configured on those units an internal or an external server? It's probably external, I just want to confirm.

Can you reach your DNS server?

How about an "nslookup" from the Windows cmd for any of the sites?

stojanr (Level 1)

Where do your servers reside, on the inside network or in a separate DMZ segment? I'll assume you have a separate segment.

First of all, you need to fix the DNS on the clients, either by configuring an appropriate ACL or just by specifying the correct DNS server on the clients.

Then you have two options if your servers resolve to external IPs: you can create identical static translations from DMZ to inside as you have from DMZ to outside. The other option is using the dns keyword in your static translations, so the ASA can provide DNS doctoring on your outside-bound DNS requests and return your actual DMZ addresses.



Sent from Cisco Technical Support iPad App
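Both approaches from this thread (Jouni's "dns" keyword and stojanr's duplicate static translation toward inside), written out as ASA configuration. This is an added example, not configuration posted by anyone in the thread. The addressing, interface names and object names are assumptions: inside 192.168.1.0/24 holds the clients and the two internal DNS servers, dmz 172.16.1.0/24 holds a web server at 172.16.1.10 and the public primary DNS server at 172.16.1.53, and the web server is published on the outside as 203.0.113.10. The pre-8.3 `static` form (what stojanr's "static translations" refers to) is shown first, then the 8.3+ object NAT equivalent, followed by the checks a practitioner would run.

```cisco
! --- Assumed topology (not from the thread) ---
!   inside  (security 100): 192.168.1.0/24, clients and internal DNS servers
!   dmz     (security  50): 172.16.1.0/24, web 172.16.1.10, public DNS 172.16.1.53
!   outside (security   0): web server published as 203.0.113.10

! ===== Pre-8.3 syntax =====
! Option A (dns keyword): the ASA rewrites the A record in any DNS reply
! that crosses it and carries the mapped address 203.0.113.10, so an inside
! client that queries the DMZ DNS server receives 172.16.1.10 and connects
! straight to the DMZ address.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 dns

! Option B (identical static toward inside): leave the public answer as it
! is, but publish the same mapped address on the inside interface, so a
! connection from inside to 203.0.113.10 is translated to the DMZ server.
static (dmz,inside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! Neither option helps while the query itself gets no answer. If an ACL is
! applied inbound on inside, it must permit DNS to the DMZ server; add
! these to that existing ACL (ACL name is assumed). Without an inside ACL,
! inside -> dmz is already allowed by the security levels.
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 host 172.16.1.53 eq domain
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.53 eq domain

! ===== 8.3 and later: object NAT equivalent =====
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10 dns
! A network object carries a single nat statement, so Option B needs a
! second object for the same real host.
object network DMZ-WEB-FROM-INSIDE
 host 172.16.1.10
 nat (dmz,inside) static 203.0.113.10

! ===== Verification (exec mode) =====
! Does a DNS query from an inside client reach the DMZ DNS server at all?
packet-tracer input inside udp 192.168.1.50 40000 172.16.1.53 53
! Is a web connection from inside to the public address translated (Option B)?
packet-tracer input inside tcp 192.168.1.50 40001 203.0.113.10 80
! Confirm the static translations are installed.
show xlate
```

One caveat that matters for the setup described in the thread: the ASA can only rewrite DNS replies that actually pass through it. Replies from the two internal DNS servers sitting on the same inside segment as the clients never cross the firewall, so the `dns` keyword cannot touch them; those servers have to hand out the private addresses themselves (split DNS), or the clients have to query the DMZ server. A "DNS request timed out" is a reachability or filtering problem between client and DNS server, which the first `packet-tracer` above will show as a drop in the ACL or NAT phase if that is the cause, and no NAT option will fix it on its own.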
