Cannot Access DNS Server

Answered Question
Jul 9th, 2010

Hello,

I am new to Cisco software and networking in general, so I appreciate any help that the community can provide.

Here's my setup: I have a Cisco ASA firewall sitting behind a university firewall. I am able to connect to my devices using the AnyConnect VPN software. I have set the DNS servers on the Cisco device to use the university's DNS servers (i.e. 140.5.6.2). When I ping the outside world (i.e. google.com) from the ASA CLI I get success. But when I ping from a server behind the firewall on a local subnet (192.168.150.0/24), it fails. The server has the DNS configured to the university IP (140.5.6.2). Is there some rule that I need to add so the DNS queries get forwarded to the right servers (since it's on a different subnet)?

Nagaraja Thanthry Fri, 07/09/2010 - 12:50

Hello,

Have you configured NAT rules between the interface where the server is connected and the interface where the University network is connected? Also, what is the security level of those two interfaces? You can try packet tracer to see where exactly the communication is getting dropped.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Hope this helps.

Regards,

NT

thomas.r.mielke Wed, 07/14/2010 - 15:25

One of my colleagues was able to fix the issue, but it wasn't an issue of the DNS not resolving the hostname. I couldn't ping IP addresses either. With the addition of some NAT/PAT rules, the issue is fixed. Unfortunately, a new bug has arisen in its place that does not allow us to ssh/ping/access our servers from an AnyConnect VPN connection.

The error we get is:

"Asymmetric NAT rules matched for forward and reverse flows...denied due to NAT reverse path failure"

Nagaraja Thanthry Wed, 07/14/2010 - 15:28

Hello,

I guess your colleague added a nat statement that is in conflict with the existing NAT statement. You need to make sure that there are no overlapping NAT statements (both nat0 and static). If possible, please post the NAT statements you have for the servers and the NAT statement your colleague has added. We could try to figure out the overlapping statements.

Hope this helps.

Regards,

NT

thomas.r.mielke Wed, 07/14/2010 - 15:41

Thanks, our NATs are as follows:

global (outside) 1 78.23.45.67

global (outside) 1 interface

nat (inside) 1 192.168.128.0 255.255.255.0 dns

nat (management) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

(I'm using semi-mock IP addresses, but the configuration is the same.)

Correct Answer
Nagaraja Thanthry Wed, 07/14/2010 - 15:50

Hello,

I think you are missing a no-nat statement that was allowing you access to your servers.

access-list nonat permit ip host

nat (inside) 0 access-list nonat

Please try the above and see if that helps.

Regards,

NT

catterad77 Wed, 07/14/2010 - 16:44

Hi Thomas,

Have you considered changing the way you are doing your NATing? Do you really need so many static NATs?

It seems you are wanting everything that leaves your internal 192.168.128.0 to be shown as 78.23.45.67 when you leave the outside interface.

I would remove the statics and have another look at your Global and NAT (inside) statements.

Should make your config much simpler.

David

thomas.r.mielke Wed, 07/14/2010 - 17:10

The static NATs are needed for port forwarding to different servers behind the firewall. I'm not aware of an easier way to write these rules.

catterad77 Wed, 07/14/2010 - 17:30

Hi Thomas,

"The static NATs are needed for port forwarding to different servers behind the firewall."

Are you wanting hosts on the outside of the network to be able to access your inside hosts via the Global address 78.23.45.67?

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

...

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

How will the firewall know which static above to send the https request to? Maybe you need a different IP address for the other server.

David

Nagaraja Thanthry Wed, 07/14/2010 - 17:54

Hello Thomas,

Except for one conflict in your statics (unless you did have a different IP in your real configuration and you forgot to change the IPs when you sent the configurations to us), other things look good. I am not sure if you have two web servers inside or you have a different service on the inside that needs the https port. I would suggest mapping one of those devices to a different port, i.e. maybe port 4443 instead of 443.

Regards,

NT

thomas.r.mielke Thu, 07/15/2010 - 09:44

As you suggested, Nagaraja, the conflict in the static NAT statements is because I did not correctly change the IPs when I posted the message. The real configuration looks more like this:

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

Additionally, the https traffic is split between two devices: (1) a web server and (2) a console monitor. Since we have multiple IP addresses available to us, it made sense to use the same port on both, but on different addresses.

Thanks for your help!
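As an added example (not code from the thread), a small Python check for the duplicate static PAT that David and Nagaraja spotted above: it parses pre-8.3 `static` lines, resolves the ASA service names used in the posts (www, https, ssh) to port numbers, and flags any mapped IP/port pair that is translated to more than one inside host. The two configurations are the ones posted in this thread, reproduced as constructed input.

```python
import re
from collections import defaultdict

# Service names the ASA accepts in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}
# Pre-8.3 syntax: static (real_if,mapped_if) proto MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)

def port_number(token):
    """Resolve a numeric port or an ASA service name to an int."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown port name: {token}")

def parse_static_pat(config_text):
    """Return one dict per static PAT line; other config lines are ignored."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["mapped_port"] = port_number(e["mapped_port"])
            e["real_port"] = port_number(e["real_port"])
            entries.append(e)
    return entries

def find_conflicts(entries):
    """Return mapped (interface, proto, ip, port) keys that translate to more
    than one real host: the ASA cannot pick a destination for such a flow."""
    targets = defaultdict(set)
    for e in entries:
        key = (e["mapped_if"], e["proto"], e["mapped_ip"], e["mapped_port"])
        targets[key].add((e["real_ip"], e["real_port"]))
    return {k: sorted(v) for k, v in targets.items() if len(v) > 1}

# Constructed sample: the statics as first posted (both https on .67).
POSTED = """
static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
"""
# The corrected configuration moves the second server's https to 78.23.45.66.
CORRECTED = POSTED.replace("78.23.45.67 https 192.168.128.182", "78.23.45.66 https 192.168.128.182")
```

Running `find_conflicts(parse_static_pat(POSTED))` reports the single https collision on 78.23.45.67; the corrected configuration reports none.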
