Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1472
Views
0
Helpful
15
Replies

Nat on Router

clark white
Level 2
Level 2

ā€Ž08-22-2016 03:02 PM - edited ā€Ž03-08-2019 07:06 AM

Dears,

Please find the attached topology.

  1. I have a strange problem for my isolated LAN PC which is connected on Internet Router which are source Nat by the internet router ( nat overload) when they browse internet.
  2. I have a ASA behind internet router and on ASA I have a static Natted  mail server.
  3. when a user from isolate LAN 172.24.1.1 (PC) access the https://mail.server the page doesn't opens.
  4. I can see the static translation on the Internet router as well on the asa.
  5. I can see the my private lan ip address changes to my own internet router interface address (public) and in asdm I can the see logs "connection build inbound " but the login page on user pc doesn't appear in the browser it keeps on moving.

there is something I m missing in the internet router that I don't know becz I can the asa packet capture the packets are coming back from ASA.

Labels:
Preview file
25 KB
0 Helpful
15 Replies 15

clark white
Level 2
Level 2

ā€Ž08-24-2016 04:35 AM

Dear Experts,

Please help

thanks

0 Helpful

sarathpa
Level 1
Level 1
In response to clark white

ā€Ž08-31-2016 06:45 PM

Hi,

I couldn't see any rule which is allowing "172.24.1.x" network to nat it to public ip of the interface. May i know how it is natting to public ip?

0 Helpful

clark white
Level 2
Level 2
In response to sarathpa

ā€Ž09-02-2016 12:17 AM

Dear ahmed

sorry for the typo mistake,

the mail server is in DMZ and all the policies are allowed for the mail server becz the mail server is accessible from the internet ,, only the router LAN users from subnet  (172.17.1.X)  are not able to access. 

Dears sarathpa

It's my typo mistake in the topology diagram, the network is 172.17.1.X  and not the 172.24.1.X

I can see traffic hit on the firewall and  the nat translation on the router for the user traffic but the mail server webpage doesn't opens on user desk,

Can anybody guide me to narrow down the problem by proper troubleshooting steps.

thanks

0 Helpful

ahmedshoaib
Level 4
Level 4
In response to clark white

ā€Ž09-02-2016 05:19 AM

Hi;

Please run the packet tracer on Cisco ASA firewall and verify the traffic flow on ASA firewall:

packet-tracer input outside tcp 172.17.1.X 1234 X.X.X.X 443 (where x.x.x.x is your mail server).

Thanks & Best regards;

0 Helpful

clark white
Level 2
Level 2
In response to ahmedshoaib

ā€Ž09-03-2016 01:15 PM

Dears,

Attached is the packet capture from the ASA firewall for the user traffic which is initiating from the internet router

Steps how the user traffic flows:

  1. user has configured ISP DNS in his PC
  2. User type in the browser https:xyz.mail.com
  3. DNS request goes to the ISP and ISP resolves to the public IP address and send it back to the same router, becz the mail server in sitting in the DMZ sone of the ASA.
  4. router send the packet to the ASA and ASA replies back.
  5. after that what router does ??? becz on user desktop webpage cannot be displayed

 

Thanks

Preview file
11 KB
0 Helpful

clark white
Level 2
Level 2
In response to clark white

ā€Ž09-05-2016 12:02 PM

Dears,

Nobody can explain me the packet capture attached ???

thanks

0 Helpful

ahmedshoaib
Level 4
Level 4
In response to clark white

ā€Ž09-06-2016 10:50 AM

Hi;

Just want to re-phrase your issue for understanding:

1. Your mail server ( https://mail.server) is on DMZ Zone of firewall with actual IP Address (10.20.20.20) and public IP (200.200.200.200). 

2. User have global DNS server.

3. Whenever users try to access  https://mail.server, DNS server will resolve the mail server IP as Public IP address (200.200.200.200).

User request for mail server request going outside (Router) instead of sending Firewall DMZ interface. The Mail server request is stuck between Router & firewall. The solution of this is by apply DNS doctoring on firewall:

Please modify the firewall policy on Cisco ASA firewall (DNS Doctoring):

static (inside,outside) 10.20.20.20 200.200.200.200 netmask 255.255.255.255 dns

For detail information with reference to DNS doctoring find below link: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Thanks & Best regards;

0 Helpful

clark white
Level 2
Level 2
In response to ahmedshoaib

ā€Ž09-07-2016 09:13 PM

Dear Shoaib

User request for mail server request going outside (Router) instead of sending Firewall DMZ interface. i think the flow of router will be as below

the public ip address of the mail server is in the subnet range of outside ip address and router internal interface. so when a router receives a reply from ISP for the public ip address of 200.200.200.200 he see's 200.200.200.200 as an ip from connected interface( Internal ) then he does the arp request for ip 200.200.200.200.

please correct me if m wrong.

thanks

0 Helpful

Pawan Raut
Level 4
Level 4
In response to clark white

ā€Ž09-07-2016 10:24 PM

Hi Clark,

Basically accessing internal network with NAT IP (Public IP address) is not standard Practice this often create asymmetric NAT issue. 

0 Helpful

clark white
Level 2
Level 2
In response to Pawan Raut

ā€Ž09-09-2016 11:42 PM

Dear Shoaib & Pawan

i would thank you both for answering my thread,

i want to clarify one thing related to thread that these are isolate temporary users who are sitting outside of the firewall on the internet router one of the interface using a mail server in internal network only.

i will try the DNS keyword in the NAT and update the case.

thanks

0 Helpful

ahmedshoaib
Level 4
Level 4
In response to clark white

ā€Ž09-10-2016 03:31 PM

Hi Clark;

Sorry was going on miss-track, for your case DNS doctoring is not applicable, because the traffic is coming from Firewall Outside interface.

Can you run the packet-tracer on ASA firewall (either CLI or ASDM) and verify where the traffic is blocking:

packet-tracer input outside tcp 172.17.1.10 1234 200.200.200.200 443.

Thanks & Best regards;

0 Helpful

ahmedshoaib
Level 4
Level 4
In response to clark white

ā€Ž09-08-2016 01:09 AM

Hi Clark;

Pawan is 100% right due to current configuration it's creating asymmetric NAT issue & it will be solved via 2 option:

1 - Local user access the email server via local address instead of public IP.

2 - Apply DNS doctoring on Cisco ASA firewall.

Thanks & Best regards;

0 Helpful

ahmedshoaib
Level 4
Level 4

ā€Ž08-24-2016 02:07 PM

Hi;

Can you share the configuration of your Firewall & Internet Router?

If not then please share the nat and Routing configuration from Firewall & Router.

Thanks & Best regards; 

0 Helpful

clark white
Level 2
Level 2
In response to ahmedshoaib

ā€Ž08-31-2016 12:27 PM

Dears,

Nat on router

ip nat inside source list ADSL interface Dialer0 overload

ip access-list extended ADSL
 deny   ip 172.17.1.0 0.0.0.255 198.108.24.0 0.0.0.255
 deny   ip 172.17.1.0 0.0.0.255 host 9.63.136.166
 deny   ip 172.17.1.0 0.0.0.255 host 6.203.139.148
 deny   ip 172.17.1.0 0.0.0.255 host 18.87.16.45
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.203.157
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.202.157
 deny   ip 172.17.1.0 0.0.0.255 host 25.216.112.23
 deny   ip 172.17.1.0 0.0.0.255 host 28.22.57.176
 deny   ip 172.17.1.0 0.0.0.255 host 66.80.82.69
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 172.18.1.0 0.0.0.255 any

Firewall:

static (inside,outside) 10.20.20.20 200.200.200.200 netmask 255.255.255.255

thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card