Nat on Router

clark white
Level 2

Dears,

Please find the attached topology.

  1. I have a strange problem with my isolated LAN PCs, which are connected to the Internet router and are source-NATed by the Internet router (NAT overload) when they browse the Internet.
  2. I have an ASA behind the Internet router, and on the ASA I have a statically NATed mail server.
  3. When a user from the isolated LAN, 172.24.1.1 (PC), accesses https://mail.server, the page doesn't open.
  4. I can see the static translation on the Internet router as well as on the ASA.
  5. I can see my private LAN IP address change to my own Internet router interface address (public), and in ASDM I can see the log "connection built inbound", but the login page doesn't appear in the user's browser; it keeps on loading.

There is something I am missing in the Internet router that I don't know, because in the ASA packet capture I can see the packets coming back from the ASA.

15 Replies

clark white
Level 2

Dear Experts,

Please help.

Thanks

Hi,

I couldn't see any rule that allows the "172.24.1.x" network to be NATed to the public IP of the interface. May I know how it is being NATed to the public IP?

Dear Ahmed,

Sorry for the typo.

The mail server is in the DMZ and all the policies are allowed for the mail server, because the mail server is accessible from the Internet; only the router LAN users from subnet 172.17.1.X are not able to access it.

Dear sarathpa,

It's a typo in the topology diagram; the network is 172.17.1.X, not 172.24.1.X.

I can see the traffic hit the firewall and the NAT translation on the router for the user traffic, but the mail server web page doesn't open on the user's desktop.

Can anybody guide me to narrow down the problem with proper troubleshooting steps?

Thanks

Hi;

Please run packet-tracer on the Cisco ASA firewall and verify the traffic flow on the ASA:

packet-tracer input outside tcp 172.17.1.X 1234 X.X.X.X 443 (where X.X.X.X is your mail server).

Thanks & Best regards;

Dears,

Attached is the packet capture from the ASA firewall for the user traffic, which is initiated from the Internet router.

Steps showing how the user traffic flows:

  1. The user has the ISP DNS configured on his PC.
  2. The user types https://xyz.mail.com in the browser.
  3. The DNS request goes to the ISP, and the ISP resolves it to the public IP address and sends it back to the same router, because the mail server is sitting in the DMZ zone of the ASA.
  4. The router sends the packet to the ASA and the ASA replies back.
  5. After that, what does the router do??? Because on the user's desktop the web page cannot be displayed.

Thanks

Dears,

Can nobody explain the attached packet capture to me???

Thanks

Hi;

Just want to rephrase your issue for understanding:

1. Your mail server (https://mail.server) is in the DMZ zone of the firewall with actual IP address 10.20.20.20 and public IP 200.200.200.200.

2. Users have a global DNS server.

3. Whenever users try to access https://mail.server, the DNS server resolves the mail server IP to the public IP address (200.200.200.200).

The user's request for the mail server is going outside (to the router) instead of being sent to the firewall DMZ interface. The mail server request is stuck between the router and the firewall. The solution for this is to apply DNS doctoring on the firewall:

Please modify the firewall policy on the Cisco ASA firewall (DNS doctoring):

static (inside,outside) 10.20.20.20 200.200.200.200 netmask 255.255.255.255 dns

For detailed information on DNS doctoring, see the link below: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Thanks & Best regards;
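To make the "dns" keyword concrete, here is an added worked example (editor's code, not Cisco's and not from the thread) that models what DNS doctoring does with the static above: a DNS reply that crosses the ASA from the mapped-address side ("outside") to the real-address side ("inside") has any A record for 200.200.200.200 rewritten to 10.20.20.20, and a reply going the other way gets the reverse rewrite. The DNS response bytes are constructed inline as sample input; the interface names and addresses are the ones used in this thread. Note, as the later replies in this thread point out, that this only helps clients whose DNS replies actually pass through the ASA between those two interfaces; a reply that never traverses the ASA is never rewritten, which is why the function returns such replies untouched.

```python
import struct
import ipaddress

# Static NAT entry from the thread, plus the "dns" keyword the reply proposes:
#   static (inside,outside) 10.20.20.20 200.200.200.200 netmask 255.255.255.255 dns
# The real address is valid on the "inside" side, the mapped address on "outside".
STATIC_NAT = {
    "real_if": "inside", "real": "10.20.20.20",
    "mapped_if": "outside", "mapped": "200.200.200.200",
}


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_a_response(txid, name, ips, ttl=300):
    """Constructed sample input: a minimal DNS response with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def _answer_offsets(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Dotted-quad addresses of all A records in a DNS response."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, rtype, rclass, rdlen in _answer_offsets(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_dns_reply(msg, ingress_if, egress_if, nat=STATIC_NAT):
    """Rewrite A records the way the ASA 'dns' keyword on a static does.

    Returns (possibly rewritten message, list of (old, new) rewrites).  A reply
    entering on the mapped side and leaving on the real side has the mapped
    address replaced by the real one, and vice versa; replies that do not cross
    this pair of interfaces are returned unchanged.
    """
    if ingress_if == nat["mapped_if"] and egress_if == nat["real_if"]:
        old, new = nat["mapped"], nat["real"]
    elif ingress_if == nat["real_if"] and egress_if == nat["mapped_if"]:
        old, new = nat["real"], nat["mapped"]
    else:
        return bytes(msg), []
    old_b = ipaddress.IPv4Address(old).packed
    new_b = ipaddress.IPv4Address(new).packed
    buf = bytearray(msg)
    rewritten = []
    for off, rtype, rclass, rdlen in _answer_offsets(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == old_b:
            buf[off:off + 4] = new_b  # same length, so later offsets stay valid
            rewritten.append((old, new))
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_a_response(0x1234, "mail.server", ["200.200.200.200"])
    doctored, changes = doctor_dns_reply(reply, "outside", "inside")
    print(a_records(reply), "->", a_records(doctored), changes)
```

On ASA 8.3 and later the same mapping is expressed as object NAT (nat (inside,outside) static 200.200.200.200 dns under an object network); the rewrite behaviour modelled here is the same.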

Dear Shoaib,

"User request for mail server request going outside (Router) instead of sending Firewall DMZ interface." I think the flow on the router will be as below:

The public IP address of the mail server is in the subnet range of the outside IP address and the router's internal interface, so when the router receives a reply from the ISP for the public IP address 200.200.200.200, it sees 200.200.200.200 as an IP from a connected interface (internal), and then it does an ARP request for IP 200.200.200.200.

Please correct me if I'm wrong.

Thanks

Hi Clark,

Basically, accessing the internal network with the NAT IP (public IP address) is not standard practice; this often creates asymmetric NAT issues.

Dear Shoaib & Pawan,

I would like to thank you both for answering my thread.

I want to clarify one thing related to the thread: these are isolated temporary users who are sitting outside the firewall on one of the interfaces of the Internet router, using a mail server in the internal network only.

I will try the DNS keyword in the NAT and update the case.

Thanks

Hi Clark;

Sorry, I was going off track; for your case DNS doctoring is not applicable, because the traffic is coming from the firewall outside interface.

Can you run packet-tracer on the ASA firewall (either CLI or ASDM) and verify where the traffic is being blocked:

packet-tracer input outside tcp 172.17.1.10 1234 200.200.200.200 443

Thanks & Best regards;

Hi Clark;

Pawan is 100% right; with the current configuration it's creating an asymmetric NAT issue, and it can be solved via 2 options:

1 - Local users access the email server via the local address instead of the public IP.

2 - Apply DNS doctoring on the Cisco ASA firewall.

Thanks & Best regards;

ahmedshoaib
Level 4

Hi;

Can you share the configuration of your firewall & Internet router?

If not, then please share the NAT and routing configuration from the firewall & router.

Thanks & Best regards; 

Dears,

NAT on router:

ip nat inside source list ADSL interface Dialer0 overload

ip access-list extended ADSL
 deny   ip 172.17.1.0 0.0.0.255 198.108.24.0 0.0.0.255
 deny   ip 172.17.1.0 0.0.0.255 host 9.63.136.166
 deny   ip 172.17.1.0 0.0.0.255 host 6.203.139.148
 deny   ip 172.17.1.0 0.0.0.255 host 18.87.16.45
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.203.157
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.202.157
 deny   ip 172.17.1.0 0.0.0.255 host 25.216.112.23
 deny   ip 172.17.1.0 0.0.0.255 host 28.22.57.176
 deny   ip 172.17.1.0 0.0.0.255 host 66.80.82.69
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 172.18.1.0 0.0.0.255 any

Firewall:

static (inside,outside) 10.20.20.20 200.200.200.200 netmask 255.255.255.255

thanks
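As an added worked example (editor's code, not from the thread, the OP's router, or Cisco), the following evaluates the posted ADSL access list the way IOS evaluates the list referenced by "ip nat inside source list ... overload": first match wins, wildcard-mask bits set to 1 are don't-care, a deny entry means "do not translate", and a flow matching nothing is implicitly denied (not translated). Run against the flow discussed in the thread, 172.17.1.10 to the mail server's public address 200.200.200.200, it shows that the flow hits the "permit ip 172.17.1.0 0.0.0.255 any" line and is eligible for translation to the Dialer0 address, which is consistent with what the OP saw in the capture. It also shows what a deny line for that destination, written in the same style as the deny lines already in the list, would change; that is shown purely to illustrate the mechanism, not as a recommendation from the thread. Whether an eligible flow is actually translated also depends on the ip nat inside / ip nat outside designation of the router interfaces, which the thread does not show. The host address 172.17.1.10 is the one used in the packet-tracer suggestion above.

```python
import ipaddress

# The router's NAT access list exactly as posted in the thread.
ACL_ADSL = """
ip access-list extended ADSL
 deny   ip 172.17.1.0 0.0.0.255 198.108.24.0 0.0.0.255
 deny   ip 172.17.1.0 0.0.0.255 host 9.63.136.166
 deny   ip 172.17.1.0 0.0.0.255 host 6.203.139.148
 deny   ip 172.17.1.0 0.0.0.255 host 18.87.16.45
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.203.157
 deny   ip 172.17.1.0 0.0.0.255 host 18.41.202.157
 deny   ip 172.17.1.0 0.0.0.255 host 25.216.112.23
 deny   ip 172.17.1.0 0.0.0.255 host 28.22.57.176
 deny   ip 172.17.1.0 0.0.0.255 host 66.80.82.69
 permit ip 172.17.1.0 0.0.0.255 any
 permit ip 172.18.1.0 0.0.0.255 any
"""

MAIL_SERVER_PUBLIC = "200.200.200.200"  # mapped address of the mail server, from the thread


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text):
    """Parse an extended ACL into ordered (action, protocol, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "!", "remark"):  # header line / comments
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def _matches(spec, addr):
    base, wildcard = spec
    # IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_lookup(entries, src, dst):
    """First-match evaluation; returns the matching entry, or None for the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for entry in entries:
        _, proto, src_spec, dst_spec = entry
        if proto == "ip" and _matches(src_spec, s) and _matches(dst_spec, d):
            return entry
    return None


def will_translate(entries, src, dst):
    """True if 'ip nat inside source list' would translate an inside->outside flow src->dst."""
    hit = acl_lookup(entries, src, dst)
    return hit is not None and hit[0] == "permit"


def add_nat_exemption(text, src_base, src_wildcard, host):
    """Hypothetical helper: return the ACL text with a deny for one destination host
    inserted before the first permit, in the same style as the existing deny lines."""
    lines = text.strip().splitlines()
    first_permit = next(i for i, ln in enumerate(lines) if ln.split()[:1] == ["permit"])
    lines.insert(first_permit, f" deny   ip {src_base} {src_wildcard} host {host}")
    return "\n".join(lines)


if __name__ == "__main__":
    acl = parse_acl(ACL_ADSL)
    for dst in (MAIL_SERVER_PUBLIC, "9.63.136.166", "198.108.24.77"):
        print(f"172.17.1.10 -> {dst}: translate={will_translate(acl, '172.17.1.10', dst)}")
    exempted = parse_acl(add_nat_exemption(ACL_ADSL, "172.17.1.0", "0.0.0.255", MAIL_SERVER_PUBLIC))
    print("with deny for mail server:", will_translate(exempted, "172.17.1.10", MAIL_SERVER_PUBLIC))
```

The evaluator only handles the "ip" protocol keyword because that is all the posted list uses; port-qualified tcp/udp entries would need an extra field.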
