Cisco Support Community

New Member
Cannot Access DNS Server

Hello,

I am new to Cisco software and networking in general, so I appreciate any help that the community can provide.

Here's my setup:  I have a Cisco ASA firewall sitting behind a university firewall.  I am able to connect to my devices using the AnyConnect VPN software. I have set the DNS servers on the Cisco device to use the university's DNS servers (i.e. 140.5.6.2).  When I ping the outside world (i.e. google.com) from the ASA CLI I get success.  But when I ping from a server behind the firewall on a local subnet (192.168.150.0/24), it fails.  The server has the DNS configured to the university IP (140.5.6.2).  Is there some rule that I need to add so the DNS queries get forwarded to the right servers (since it's on a different subnet)?

Cisco Employee

Re: Cannot Access DNS Server

Hello,

Have you configured NAT rules between the interfaces where server is connected and the interface where University network is connected? Also, what is the security level of those two interfaces? You can try packet tracer to see where exactly the communication is getting dropped.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Hope this helps.

Regards,

NT

New Member

Re: Cannot Access DNS Server

One of my colleagues was able to fix the issue, but it wasn't an issue of the DNS not resolving the hostname.  I couldn't ping IP addresses either.  With the addition of some NAT/PAT rules, the issue is fixed.  Unfortunately, a new bug has arisen in its place that does not allow us to ssh/ping/access our servers from an AnyConnect VPN connection.

The error we get is:

"Asymmetric NAT rules matched for forward and reverse flows...denied due to NAT reverse path failure"

Cisco Employee

Re: Cannot Access DNS Server

Hello,

I guess your colleague added a nat statement that is in conflict with the existing NAT statement. You need to make sure that there are no overlapping NAT statements (both nat0 and static). If possible, please post the NAT statements you have for the servers and the NAT statement your colleague has added. We could try to figure out the overlapping statements.

Hope this helps.

Regards,

NT

New Member

Re: Cannot Access DNS Server

Thanks, our NATs are as follows:

global (outside) 1 78.23.45.67

global (outside) 1 interface

nat (inside) 1 192.168.128.0 255.255.255.0 dns

nat (management) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

(I'm using semi-mock IP addresses but the configuration is the same)

Cisco Employee

Re: Cannot Access DNS Server

Hello,

I think you are missing a no-nat statement that was allowing you access to your servers.

access-list nonat permit ip host

nat (inside) 0 access-list nonat

Please try the above and see if that helps.

Regards,

NT

New Member

Re: Cannot Access DNS Server

That did the trick!  Thanks a lot!

New Member

Re: Cannot Access DNS Server

Hi Thomas,

Have you considered changing the way you are doing your NATing?  Do you really need so many static NATs?

It seems you are wanting everything that leaves your internal 192.168.128.0 to be shown as 78.23.45.67 when you leave the outside interface.

I would remove the statics and have another look at your Global and NAT (inside) statements.

Should make your config much simpler.

David

New Member

Re: Cannot Access DNS Server

The static NATs are needed for port forwarding to different servers behind the firewall.  I'm not aware of an easier way to write these rules.

New Member

Re: Cannot Access DNS Server

Hi Thomas,

> The static NATs are needed for port forwarding to different servers behind the firewall.

Are you wanting hosts on the outside of the network to be able to access your inside hosts via the global address 78.23.45.67?

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

...

static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255

How will the firewall know which static above to send the https request to?  Maybe you need a different IP address for the other server.

David

Cisco Employee

Re: Cannot Access DNS Server

Hello Thomas,

Except for one conflict in your statics (unless you did have a different IP in your real configuration and you forgot to change the IPs when you sent the configurations to us), other things look good. I am not sure if you have two web servers inside or you have a different service on the inside that needs the https port. I would suggest you map one of those devices to a different port, i.e. maybe port 4443 instead of 443.

Regards,

NT

New Member

Re: Cannot Access DNS Server

As you suggested Nagaraja, the conflict in the static NAT statements is because I did not correctly change the IPs when I posted the message.  The real configuration looks more like this:

static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 https 192.168.128.182 https netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.66 5000 192.168.128.182 5000 netmask 255.255.255.255

static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255

Additionally, the https traffic is split between two devices: (1) a web server and (2) a console monitor.  Since we have multiple IP addresses available to us, it made sense to use the same port on both, each on a different address.

Thanks for your help!
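The conflict David and NT spotted (two statics claiming the same global IP and port) is easy to miss in a long config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses pre-8.3 ASA `static (inside,outside) tcp ...` port-forwarding lines and reports any mapped socket that points at more than one inside host. The sample configs are constructed from the two listings posted above (the port keyword table only covers the names that appear in them).

```python
import re
from collections import defaultdict

# ASA port keywords seen in the thread; numeric ports are used as-is.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

# Pre-8.3 form: static (real,mapped) proto global_ip global_port local_ip local_port netmask m
STATIC_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(?P<proto>tcp|udp)\s+(?P<global_ip>\S+)\s+(?P<global_port>\S+)"
    r"\s+(?P<local_ip>\S+)\s+(?P<local_port>\S+)\s+netmask\s+\S+\s*$")

def port_number(token):
    """Translate an ASA port keyword (https, www, ssh) or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_statics(config_text):
    """Return one dict per static PAT line; lines that are not statics are skipped."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append({"proto": m["proto"],
                            "global": (m["global_ip"], port_number(m["global_port"])),
                            "local": (m["local_ip"], port_number(m["local_port"]))})
    return entries

def find_conflicts(entries):
    """Map each (proto, global ip, global port) to the inside sockets it points at;
    a conflict is one mapped socket claimed by two or more different inside sockets."""
    by_global = defaultdict(set)
    for e in entries:
        by_global[(e["proto"],) + e["global"]].add(e["local"])
    return {k: sorted(v) for k, v in by_global.items() if len(v) > 1}

# Constructed sample: the first listing posted in the thread (both servers mapped to
# 78.23.45.67:443) and the corrected one (second server moved to 78.23.45.66).
POSTED_CONFIG = """\
static (inside,outside) tcp  78.23.45.67 https 192.168.128.140 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 www 192.168.128.140 www netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 https 192.168.128.182 https netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 5000 192.168.128.182 5000 netmask 255.255.255.255
static (inside,outside) tcp  78.23.45.67 ssh 192.168.128.140 ssh netmask 255.255.255.255
"""
CORRECTED_CONFIG = POSTED_CONFIG.replace(
    "78.23.45.67 https 192.168.128.182", "78.23.45.66 https 192.168.128.182"
).replace("78.23.45.67 5000", "78.23.45.66 5000")

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        for (proto, ip, port), targets in find_conflicts(parse_statics(cfg)).items():
            print(f"{name}: {proto} {ip}:{port} is claimed by {targets}")
```

Run against the posted listing it reports tcp 78.23.45.67:443 claimed by both .140 and .182; the corrected listing produces no output.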
