ASA - DNS & NAT problem

Answered Question
Jul 6th, 2010

Hi,

I have an ASA5510 with 3 interfaces: inside, outside, dmz.

In the DMZ, a McAfee Web and Security Appliance acting as a proxy (called srv-proxy, IP=192.168.127.52).

srv-proxy is natted to INTERNET (public IP address).

I'd like the srv-proxy to solve DNS requests on some extern DNS servers (srv-dns-oleane).

Here's the simple configuration to do this:

static (dmz,outside) INTERNET srv-proxy netmask 255.255.255.255

access-list acl-dmz_public extended permit udp dmz_public 255.255.255.0 object-group srv-dns-oleane eq domain log

By monitoring with ASDM, I can

opendns2     53     srv-proxy     5594     Built outbound connection 776 for outside:opendns(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)

srv-proxy     5596     opendns2     53     access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt1 first hit

With "show nat" and "show xlate", I can see that the NAT is working.

However, on the "srv-proxy", "nslookup www.google.com" doesn't work.

I have an old PIX515E? with the same configuration, it works.

Do you have any idea?

Thanks

Herve

Marcin Latosiewicz Tue, 07/06/2010 - 06:40

Herve,

I would check what's going on with a packet capture on DMZ and outside interfaces at the same time.

I also understand that the two interfaces have different security levels?

Normally if logs on informational level do not show you any dropped packets the packet has traversed, unless dropped on ASP.


Marcin

Nagaraja Thanthry Tue, 07/06/2010 - 10:38

To add to Marcin's response, I would also check the inspect rules. If you have turned on DNS inspection, that could be affecting the response. If the DNS inspection is turned on, try turning it off and see if that helps.

Regards,

NT

herve.leon Wed, 07/07/2010 - 02:19

Thanks for your answers.

With Packet Capture on the outside interface, I can see the DNS request leaving with the translated IP towards the DNS servers.

However, I can't see any packets coming from the DNS servers.

With ASA Monitoring, I have:

srv-proxy -> opendns1 (53)    access-list acl_dmz_public permitted udp dmz_public/srv-proxy(23452) -> outside/opendns(53) hit-cnt 1 first hit

opendns1 (53) -> srv-proxy (23452)  Built outbound UDP connection 10211 for outside:opendns1/53 to dmz_public:srv-proxy/23452 (INTERNET/23452)

Why can't I see the Built outbound connection in the Packet Capture?

I turned off DNS inspection but it failed too.

Herve

Marcin Latosiewicz Wed, 07/07/2010 - 03:21

Herve,

If you see requests properly NATed going out but nothing coming back in, that's not very likely to be the ASA side at fault.


You can check if the ASA is putting correct destination mac address on those packets but that's basically the extent we can do.

Marcin

Correct Answer
Nagaraja Thanthry Wed, 07/07/2010 - 05:54

The packet captures just show the raw packet at the interface level. You should see the requests leaving the firewall. If you are using your ISP DNS server, could you use 4.2.2.2 as the DNS Server and see if the proxy server is resolving DNS names? Also, can the proxy server communicate with internet i.e. can you ping your default gateway from the proxy server? If not, it could be an issue with ISP not sending traffic belonging to INTERNET address back to your firewall. You need to check with the ISP and see if they have proper ARP entry (it should be firewalls MAC for INTERNET address too) in their router.

Hope this helps.

Regards,

NT
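The check the two replies above describe, as an added example rather than anything posted in this thread: parse tcpdump-style lines from an ASA "show capture" taken on the outside interface and report, per DNS server, whether queries leaving with the NAT address are getting replies back. The capture lines, the public NAT address 198.51.100.10 and the server 203.0.113.53 are constructed sample values; the capture line layout is assumed.

```python
import re
from collections import defaultdict

# One line of ASA "show capture <name>" output (tcpdump-like form, assumed):
#   "   1: 10:12:01.100000 198.51.100.10.5594 > 203.0.113.53.53: udp 40"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+\d+"
)

# Constructed sample capture: two queries to 203.0.113.53 never answered,
# one query to 4.2.2.2 answered. The NAT address stands in for "INTERNET".
SAMPLE_CAPTURE = """\
4 packets captured
   1: 10:12:01.100000 198.51.100.10.5594 > 203.0.113.53.53: udp 40
   2: 10:12:03.100000 198.51.100.10.5596 > 203.0.113.53.53: udp 40
   3: 10:12:05.100000 198.51.100.10.5598 > 4.2.2.2.53: udp 40
   4: 10:12:05.120000 4.2.2.2.53 > 198.51.100.10.5598: udp 120
"""


def summarize_dns_capture(capture_text, nat_ip):
    """Count DNS queries sent from nat_ip and replies returned to it, per server."""
    stats = defaultdict(lambda: {"queries": 0, "replies": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header / summary lines such as "4 packets captured"
        if m["src"] == nat_ip and m["dport"] == "53":
            stats[m["dst"]]["queries"] += 1
        elif m["dst"] == nat_ip and m["sport"] == "53":
            stats[m["src"]]["replies"] += 1
    return dict(stats)


def diagnose(stats):
    """Point at the likely side of the problem from the query/reply balance."""
    if not stats:
        return "no DNS traffic on the outside capture: check NAT and ACL on the ASA"
    silent = sorted(s for s, c in stats.items() if c["queries"] and not c["replies"])
    if silent:
        return ("queries leave but no replies return from %s: check the upstream "
                "return path (ISP ARP entry or route for the NAT address)" % ", ".join(silent))
    return "replies are returning: the outside path is not the problem"


if __name__ == "__main__":
    print(diagnose(summarize_dns_capture(SAMPLE_CAPTURE, "198.51.100.10")))
```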

herve.leon Fri, 07/09/2010 - 03:01

Hi,

I'd like to thank all of you for your answers and particularly Nagaraja.

First, I configured my PC with the PIX IP address (INTERNET) and connected it directly to the router. The PC can receive DNS requests.

When I reconnected the PIX to the router, it failed to resolve DNS names. I rebooted the router to solve this.

So, I just removed the PIX and put the new ASA in place, rebooted the router again and everything went right.

It took me a long time to solve this, thinking that it was a misconfiguration of the static NAT on the ASA or something else.

Thanks a lot for your help,

Herve
