Routing Question

agent2007
Level 1

Hi all,

I have a Cisco ASA cluster.

INSIDE - 10.10.10.0/24

DMZ - 172.16.0.0/24

OUTSIDE - 192.168.100.0/24

I have a static NAT which translates a server in the DMZ to a public-facing IP address.

My inside users have a requirement to be able to connect to the external address of the DMZ server (as it's hard-coded in a website).

I cannot get this working. What do I need to do to get this working, please?

Many thanks

6 Replies

samavedula_rama
Level 1

Are you using your own name server for address resolution or does your provider provide that service?

If you use your own DNS server, in which zone is it located?

Did you try not using DNS and instead using the IP address itself?

Regards,

They are unable to access the external IP address because it is being denied by the ASA as IP spoofing; you will be seeing a lot of "packet dropped because of IP spoof" messages from INSIDE in the ASA logs.

Please post the NAT configuration for the server (mask the public IPs to x.x plus the last two octets) and post the output of:

1. sh run global

2. sh run nat

I am assuming that you are using ASA code 8.2 or lower, since it changes completely with 8.3 and higher.

Manish

Thanks for the replies. I cannot use DNS to get around this as it's using the IP only.

Here is the output you requested

fw-cluster/act# sh run global
global (OUTSIDE) 1 interface
fw-cluster/act# sh run nat
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
nat (TRANSIT) 0 access-list nonat_acl
nat (TRANSIT) 1 192.168.204.51 255.255.255.255
nat (TRANSIT) 1 192.168.0.0 255.255.255.0
nat (TRANSIT) 1 192.168.194.0 255.255.255.0
nat (TRANSIT) 1 192.168.201.0 255.255.255.0
nat (TRANSIT) 1 192.168.204.0 255.255.255.0
nat (Wireless_HSP) 1 192.168.254.0 255.255.255.0

I have a static NAT for this host:

static (DMZ1,HEANET) x.x.x.x 172.16.0.51 netmask 255.255.255.255

I have also added nat (DMZ1) 1 172.16.0.0 255.255.255.0 but it did not make any difference.

The ASDM logs show the connection being allowed; I am not seeing any drops.

thanks

Do you have an interface named HEANET as well? Does your static NAT work from the outside world?

Manish

Sorry, the HEANET should be "OUTSIDE" also.

OK, you have two options:

Option 1:

Remove:

asa(config)# no static (DMZ1,OUTSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255

Add:

asa(config)# static (DMZ1,OUTSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255 dns

Also known as DNS doctoring.

Option 2:

DNAT:

Add another statement:

asa(config)# static (DMZ1,INSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255

Please check this link out for further info:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

Manish
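Pulling the two options together, here is an added worked configuration (not from the original thread, and not Cisco's own documentation) showing the pre-8.3 statements given above alongside the equivalent 8.3+ object-NAT and twice-NAT syntax that the earlier reply says differs completely. The interface names INSIDE, DMZ1 and OUTSIDE, the server 172.16.0.51 and the 10.10.10.0/24 inside subnet are taken from the thread; x.x.x.x stands in for the unposted public address; the object names DMZ-SERVER and DMZ-SERVER-PUBLIC and the test client 10.10.10.100 are assumptions made for the example.

```text
! ===== Pre-8.3 syntax (as used in the thread) =====
! Existing publication of the DMZ server on OUTSIDE. The optional "dns"
! keyword (DNS doctoring) rewrites A-record replies for x.x.x.x to
! 172.16.0.51, but only for DNS replies that pass through the ASA with
! "inspect dns" enabled; it does nothing for a URL that embeds the IP.
static (DMZ1,OUTSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255 dns
!
! Same mapped address presented on INSIDE (option 2 above). A packet from an
! inside host to x.x.x.x is un-NATed to 172.16.0.51 before the route lookup
! and forwarded out DMZ1, so the hard-coded public IP works without DNS.
static (DMZ1,INSIDE) x.x.x.x 172.16.0.51 netmask 255.255.255.255

! ===== 8.3+ syntax (object NAT plus twice NAT) =====
! Object names below are assumptions for the example.
object network DMZ-SERVER
 host 172.16.0.51
object network DMZ-SERVER-PUBLIC
 host x.x.x.x
!
! Publication to the Internet as object NAT, again with optional DNS doctoring.
object network DMZ-SERVER
 nat (DMZ1,OUTSIDE) static DMZ-SERVER-PUBLIC dns
!
! Inside users reaching the public address: destination-only twice NAT.
! The source is left untouched, so the DMZ server sees the real 10.10.10.x
! client address and its own host firewall must allow that range.
nat (INSIDE,DMZ1) source static any any destination static DMZ-SERVER-PUBLIC DMZ-SERVER
```

To verify, run `packet-tracer input INSIDE tcp 10.10.10.100 12345 x.x.x.x 80` (assumed client and port): the NAT phase should show the destination un-translated to 172.16.0.51 and the egress interface as DMZ1, and `show xlate` (or `show nat` on 8.3+) should show the translation with hit counts. Two caveats: before 8.3, an inbound access-list on INSIDE must permit traffic to the mapped address x.x.x.x, whereas from 8.3 onward interface access-lists match the real address, so the permit must name 172.16.0.51; and DNS doctoring only helps clients that resolve the server's name through the ASA, not clients that connect to a literal IP.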
