07-09-2010 10:35 AM - edited 03-11-2019 11:09 AM
Hello,
I am new to Cisco software and networking in general, so I appreciate any help that the community can provide.
Here's my setup: I have a Cisco ASA firewall sitting behind a university firewall. I am able to connect to my devices using the AnyConnect VPN software. I have set the DNS servers on the Cisco device to use the university's DNS servers (i.e. 140.5.6.2). When I ping the outside world (i.e. google.com) from the ASA CLI I get success. But when I ping from a server behind the firewall on a local subnet (192.168.150.0/24), it fails. The server has the DNS configured to the university IP (140.5.6.2). Is there some rule that I need to add so the DNS queries get forwarded to the right servers (since it's on a different subnet)?
07-09-2010 12:50 PM
Hello,
Have you configured NAT rules between the interfaces where server is connected and the interface where University network is connected? Also, what is the security level of those two interfaces? You can try packet tracer to see where exactly the communication is getting dropped.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Hope this helps.
Regards,
NT
07-14-2010 03:25 PM
One of my colleagues was able to fix the issue, but it wasn't an issue of the DNS not resolving the hostname. I couldn't ping IP addresses either. With the addition of some NAT/PAT rules, the issue is fixed. Unfortunately, a new bug has arisen in its place that does not allow us to ssh/ping/access our servers from an AnyConnect VPN connection.
The error we get is:
"Asymmetric NAT rules matched for forward and reverse flows...denied due to NAT reverse path failure"
07-14-2010 03:28 PM
Hello,
I guess your colleague added a nat statement that is in conflict with the
existing NAT statement. You need to make sure that there are no overlapping
NAT statements (both nat0 and static). If possible, please post the NAT
statements you have for the servers and the NAT statement your colleague has
added. We could try to figure out the overlapping statements.
Hope this helps.
Regards,
NT
07-14-2010 03:41 PM
Thanks, our NATs are as follows:
global (outside) 1 78.23.45.67
global (outside) 1 interface
nat (inside) 1 192.168.128.0 255.255.255.0 dns
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
(I'm using semi-mock IP addresses, but the configuration is the same)
07-14-2010 03:50 PM
Hello,
I think you are missing a no-nat statement that was allowing you access to your servers.
access-list nonat permit ip host
nat (inside) 0 access-list nonat
Please try the above and see if that helps.
Regards,
NT
07-14-2010 05:02 PM
That did the trick! Thanks a lot!
07-14-2010 04:44 PM
Hi Thomas,
Have you considered changing the way you are doing your NATing? Do you really need so many static NATs?
It seems you are wanting everything that leaves your internal 192.168.128.0 to be shown as 78.23.45.67 when you leave the outside interface.
I would remove the statics and have another look at your Global and NAT (inside) statements.
Should make your config much simpler.
David
07-14-2010 05:10 PM
The static NATs are needed for port forwarding to different servers behind the firewall. I'm not aware of an easier way to write these rules.
07-14-2010 05:30 PM
Hi Thomas,
The static NATs are needed for port forwarding to different servers behind the firewall.
Are you wanting hosts on the outside of the network to be able to access your inside hosts via the Global address 78.23.45.67 ?
static (inside,outside) tcp 78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
...
static (inside,outside) tcp 78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
How will the firewall know which static above to send the https request to? Maybe you need a different IP address for the other server.
David
07-14-2010 05:54 PM
Hello Thomas,
Except for one conflict in your statics (unless you did have a different IP in your real configuration and you forgot to change the IPs when you sent the configurations to us), other things look good. I am not sure if you have two web servers inside or you have a different service on the inside that needs the https port. I would suggest mapping one of those devices to a different port, e.g. maybe port 4443 instead of 443.
Regards,
NT
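The two things the replies above check by eye can be checked mechanically: NT's point that the reply traffic toward the AnyConnect clients needs a "nat 0" exemption so that the forward and reverse flows agree, and David's and NT's point that two statics cannot map the same global address and port to different inside hosts. The script below is an added example, not anything posted in the thread or shipped by Cisco. It models the ASA 8.2-era NAT order of operations (NAT exemption first, then static NAT/PAT, then dynamic nat/global) over a constructed copy of the posted statements; the VPN pool 192.168.200.0/24 is an assumption, since the thread never states the AnyConnect address pool.

```python
"""Model ASA 8.2-style NAT selection to explain 'NAT reverse path failure'.

Added example; the config below is constructed from the (sanitized) statements
posted in the thread. The VPN pool 192.168.200.0/24 is an ASSUMPTION.
"""
import ipaddress
from collections import defaultdict

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}

# Constructed: the fix NT proposed, with the assumed VPN pool as destination.
NAT_EXEMPTION = """
access-list nonat permit ip 192.168.128.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Constructed: the statements as first posted (note the duplicated https static).
BASE_CONFIG = """
global (outside) 1 78.23.45.67
global (outside) 1 interface
nat (inside) 1 192.168.128.0 255.255.255.0 dns
static (inside,outside) tcp 78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
"""


def port(tok):
    """Resolve a port keyword such as 'https' or a literal number."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def net(addr, mask):
    return ipaddress.IPv4Network((addr, mask))


def parse_config(text):
    """Parse only the statement shapes that appear in the thread."""
    cfg = {"acls": defaultdict(list), "nat0_acl": None, "dynamic": [], "statics": []}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            # access-list NAME permit ip SRC SMASK DST DMASK
            cfg["acls"][t[1]].append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[0] == "nat" and t[2] == "0":
            cfg["nat0_acl"] = t[4]               # nat (inside) 0 access-list NAME
        elif t[0] == "nat":
            cfg["dynamic"].append(net(t[3], t[4]))  # nat (inside) ID NET MASK
        elif t[0] == "static":
            # static (inside,outside) tcp GIP GPORT LIP LPORT netmask MASK
            cfg["statics"].append((t[2], t[3], port(t[4]), t[5], port(t[6])))
        # 'global' lines only name the PAT address; not needed for flow matching.
    return cfg


def find_static_conflicts(cfg):
    """Global (proto, ip, port) tuples that point at more than one inside host."""
    seen = defaultdict(set)
    for proto, gip, gport, lip, _ in cfg["statics"]:
        seen[(proto, gip, gport)].add(lip)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def classify_outbound(cfg, src_ip, src_port, dst_ip):
    """Which translation an inside->outside packet hits, in ASA 8.2 precedence:
    NAT exemption (nat 0 access-list), then static NAT/PAT, then dynamic PAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in cfg["acls"].get(cfg["nat0_acl"], []):
        if s in src_net and d in dst_net:
            return "exempt"
    for proto, gip, gport, lip, lport in cfg["statics"]:
        if lip == src_ip and lport == src_port:
            return f"static {gip}:{gport}"
    if any(s in n for n in cfg["dynamic"]):
        return "dynamic PAT"
    return "untranslated"


def vpn_reverse_path_ok(cfg, vpn_client, inside_host, service_port):
    """An AnyConnect client addresses the real inside IP, so the forward flow is
    untranslated. If the reply would be translated (static or dynamic), the two
    flows disagree and the ASA logs 'NAT reverse path failure'."""
    verdict = classify_outbound(cfg, inside_host, service_port, vpn_client)
    return verdict in ("exempt", "untranslated")


BROKEN = parse_config(BASE_CONFIG)
FIXED = parse_config(NAT_EXEMPTION + BASE_CONFIG)

if __name__ == "__main__":
    print("static conflicts:", find_static_conflicts(BROKEN))
    for cfg, name in ((BROKEN, "without nat 0"), (FIXED, "with nat 0")):
        print(name, "ssh from VPN to .140 ok?",
              vpn_reverse_path_ok(cfg, "192.168.200.5", "192.168.128.140", 22))
```

Running it shows why the symptom appeared only after the statics were added: the reply from 192.168.128.140 port 22 matches the ssh static and would be rewritten to 78.23.45.67, while a host with no static still hits the dynamic PAT; either way the reverse flow no longer matches the untranslated forward flow. With the exemption in place both cases return "exempt" and Internet-bound traffic from the same host still hits its static.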
07-15-2010 09:44 AM
As you suggested Nagaraja, the conflict in the static NAT statements is because I did not correctly change the IPs when I posted the message. The real configuration looks more like this:
static (inside,outside) tcp 78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.66 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.66 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp 78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
Additionally, the https traffic is split between two devices: (1) a web server and (2) a console monitor. Since we have multiple IP addresses available to us, it made sense to use the same port on different addresses.
Thanks for your help!