ASA - DNS & NAT problem

herve.leon
Level 1

Hi,

I have an ASA5510 with 3 interfaces: inside, outside, dmz.

In the DMZ, a McAfee Web and Security Appliance acting as a proxy (called srv-proxy, IP=192.168.127.52).

srv-proxy is natted to INTERNET (public IP address).

I'd like the srv-proxy to resolve DNS requests on some external DNS servers (srv-dns-oleane).

Here's the simple configuration to do this:

static (dmz,outside) INTERNET srv-proxy netmask 255.255.255.255

access-list acl-dmz_public extended permit udp dmz_public 255.255.255.0 object-group srv-dns-oleane eq domain log

By monitoring with ASDM, I can

opendns2     53     srv-proxy     5594     Built outbound connection 776 for outside:opendns(opendns2/53) to dmz:srv-proxy/5594(INTERNET/5594)

srv-proxy     5596     opendns2     53     access-list acl-dmz_public permitted udp dmz/srv-proxy(5594)->outside/opendns2(53) hit-cnt1 first hit

With "show nat" and "show xlate", I can see that the NAT is working.

However, on the "srv-proxy", "nslookup www.google.com" doesn't work.

I have an old PIX515E with the same configuration, and it works.

Do you have any idea?

Thanks

Herve

6 Replies

Marcin Latosiewicz
Cisco Employee

Herve,

I would check what's going on with a packet capture on DMZ and outside interfaces at the same time.

I also understand that the two interfaces have different security level?

Normally if logs on informational level do not show you any dropped packets the packet has traversed, unless dropped on ASP.


Marcin

Nagaraja Thanthry
Cisco Employee

To add to Marcin's response, I would also check the inspect rules. If you have turned on DNS inspection, that could be affecting the response. If the DNS inspection is turned on, try turning it off and see if that helps.

Regards,

NT

Thanks for your answers.

With Packet Capture on the outside interface, I can see the DNS request leaving with the translated IP towards the DNS servers.

However, I can't see any packets coming from the DNS servers.

With ASA Monitoring, I have:

srv-proxy -> opendns1 (53)    access-list acl_dmz_public permitted udp dmz_public/srv-proxy(23452) -> outside/opendns(53) hit-cnt 1 first hit

opendns1 (53) -> srv-proxy (23452)  Built outbound UDP connection 10211 for outside:opendns1/53 to dmz_public:srv-proxy/23452 (INTERNET/23452)

Why can't I see the Built outbound connection in the packet capture?

I turned off DNS inspection but it failed too.

Herve

Herve,

If you see requests properly NATed going out but nothing coming back in that's not very likely to be the ASA side at fault.


You can check if the ASA is putting correct destination mac address on those packets but that's basically the extent we can do.

Marcin

The packet captures just show the raw packet at the interface level. You should see the requests leaving the firewall. If you are using your ISP DNS server, could you use 4.2.2.2 as the DNS server and see if the proxy server is resolving DNS names? Also, can the proxy server communicate with the internet, i.e. can you ping your default gateway from the proxy server? If not, it could be an issue with the ISP not sending traffic belonging to the INTERNET address back to your firewall. You need to check with the ISP and see if they have a proper ARP entry (it should be the firewall's MAC for the INTERNET address too) in their router.

Hope this helps.

Regards,

NT
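The point made above is that a "Built outbound connection" message only proves the query left the firewall, not that an answer came back. As an added example (not part of the thread), the function below pairs ASA 302015 "Built" and 302016 "Teardown" UDP syslog lines and flags DNS connections whose byte count is consistent with a query and no reply, which is what a stale upstream ARP entry for the NAT address would produce. The log lines are constructed for the example using the host names from the thread, and the byte threshold is a heuristic assumption.

```python
"""Flag DNS connections through an ASA that carried a query but no answer.
Sample syslog lines are constructed for this example (host names borrowed
from the thread); message formats follow %ASA-6-302015 / %ASA-6-302016."""
import re

BUILT_RE = re.compile(
    r"Built (?:in|out)bound UDP connection (?P<cid>\d+) for "
    r"(?P<out_if>[^:\s]+):(?P<out_host>[^/]+)/(?P<out_port>\d+) "
    r"(?:\(\S+\) )?to (?P<in_if>[^:\s]+):(?P<in_host>[^/]+)/(?P<in_port>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown UDP connection (?P<cid>\d+) for .*? duration \S+ bytes (?P<bytes>\d+)"
)

# Heuristic (assumption): a lone DNS query is small; a reply adds well over
# this many bytes to the connection's total.
MAX_QUERY_ONLY_BYTES = 120

def find_unanswered_dns(lines, max_query_bytes=MAX_QUERY_ONLY_BYTES):
    """Return [(connection id, client host, DNS server)] for connections to
    port 53 whose total byte count suggests the query was never answered."""
    built = {}
    unanswered = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            built[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["cid"] in built:
            conn = built.pop(m["cid"])
            if conn["out_port"] != "53":      # only DNS connections
                continue
            if int(m["bytes"]) <= max_query_bytes:
                unanswered.append((m["cid"], conn["in_host"], conn["out_host"]))
    return unanswered

# Constructed sample: 10211 gets no reply (74 bytes), 10212 is answered.
SAMPLE_LOG = [
    "%ASA-6-302015: Built outbound UDP connection 10211 for outside:opendns1/53 (opendns1/53) to dmz_public:srv-proxy/23452 (INTERNET/23452)",
    "%ASA-6-302016: Teardown UDP connection 10211 for outside:opendns1/53 to dmz_public:srv-proxy/23452 duration 0:02:01 bytes 74",
    "%ASA-6-302015: Built outbound UDP connection 10212 for outside:opendns2/53 (opendns2/53) to dmz_public:srv-proxy/5594 (INTERNET/5594)",
    "%ASA-6-302016: Teardown UDP connection 10212 for outside:opendns2/53 to dmz_public:srv-proxy/5594 duration 0:00:01 bytes 218",
]

if __name__ == "__main__":
    for cid, client, server in find_unanswered_dns(SAMPLE_LOG):
        print(f"connection {cid}: {client} -> {server}: query sent, no reply seen")
```

A run of only-unanswered connections after a firewall swap points at the return path (the upstream router's ARP entry for the NAT address), not at the NAT or ACL configuration.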

Hi,

I'd like to thank all of you for your answers and particularly Nagaraja.

First, I configured my PC with the PIX IP address (INTERNET) and connected it directly to the router. The PC can receive DNS requests.

When I reconnected the PIX to the router, it failed to resolve DNS names. I rebooted the router to solve this.

So, I just removed the PIX and put the new ASA in place, rebooted the router again and everything went right.

It took me a long time to solve this, thinking that it was a misconfiguration of the static NAT on the ASA or something else.

Thanks a lot for your help,

Herve
