Help with configuring Twice NAT from Internal Address to Internal Webserver
This is my first time posting to the Support Community, and I'm hoping some folks with more insight into the "new" NAT structures in post 8.3 can shed some light on what's going wrong with this strange configuration that's been requested of me...
Our sysadmins are decommissioning DNS zones for domains which we are not authoritative for. I understand that this is a good idea. DNS requests now go to an authoritative server via the internet, so instead of allowing direct internal communications to the webservers via our DNS and RFC1918 addressing, the communication now must route to the public (global) IP associated with our hosted webserver.
The initial problem is that we were routing everything through a Websense proxy to the internet, and that traffic was all PAT'd to the outside interface IP of 220.127.116.11 (scrubbed). If traffic would try to re-enter via the existing static NAT to the webserver (18.104.22.168 >> 192.168.2.188), I'd get denies via an IP spoof error. I determined to try PAT'ing this traffic to a new PAT IP using Twice NAT to identify the particular communication.
My configuration is below.
! Cisco Adaptive Security Appliance Software Version 9.0(x)
ip address 22.214.171.124 255.255.255.0 standby 126.96.36.199
ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
ip address 192.168.2.254 255.255.255.0 standby 192.168.2.253
ip address 172.22.16.254 255.240.0.0 standby 172.22.16.253
object network obj-src-real
subnet 192.168.1.0 255.255.255.0
object network obj-src-nat
object network obj-dst-webserver-nat
object network obj-dst-webserver-real
object-group network PROXY-SERVERS
description Network Proxy Servers
network-object host 192.168.1.36
route outside 0.0.0.0 0.0.0.0 188.8.131.52
access-group dmz1 in interface dmz1
access-group outside in interface outside
access-list dmz1 extended permit ip object-group PROXY-SERVERS any4
The twice NAT is perplexing to me, as I can only get an xlate if I specify the mapped (outside) address twice in the destination portion of the syntax. I do not know if this is correct. I see the xlate build, no denies on the firewall, and the connections table on the firewall using the mapped (outside address) indicates a three-way handshake (saA flags), but no data passes.
The proxy logs indicate the same 504 "bad gateway" errors that I've been struggling with since the beginning.
I've attached packet traces and a diagram for reference. If anyone can help me make some sense of this, I'd be very happy. Thanks in advance.
In addition to what Mikhailovsky has mentioned, keep in mind that with DNS doctoring, all traffic after DNS resolution will be sent directly to the web server real IP, so you will need to make sure that there are ACLs in place to permit such traffic.
-- Please remember to rate and select a correct answer
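The hairpin twice NAT the original poster is trying to build, plus the DNS doctoring alternative mentioned in the reply, written out as an added example (this is not the poster's configuration). It assumes the proxy subnet lives on inside, the webserver on dmz1, and uses 192.168.2.200 as a placeholder PAT address on the dmz1 subnet:

```cisco
! Added example, not the poster's running config.
! Assumed topology: inside = 192.168.1.0/24 (proxy), dmz1 = 192.168.2.0/24 (webserver),
! public IP 18.104.22.168 is the scrubbed value from the post; 192.168.2.200 is a placeholder.
object network obj-src-real
 subnet 192.168.1.0 255.255.255.0
object network obj-src-nat
 host 192.168.2.200
object network obj-dst-webserver-nat
 host 18.104.22.168
object network obj-dst-webserver-real
 host 192.168.2.188
!
! Twice NAT (section 1, evaluated before object NAT). Operand order is the
! usual trap: "source <real> <mapped>" but "destination static <mapped> <real>".
! Inside hosts send to the public IP; the ASA rewrites it to the real server
! and PATs the client behind obj-src-nat so the server's replies return to the
! ASA on dmz1 rather than following the server's default route.
nat (inside,dmz1) source dynamic obj-src-real obj-src-nat destination static obj-dst-webserver-nat obj-dst-webserver-real
!
! Alternative from the reply: DNS doctoring. The existing static NAT for the
! webserver gets the "dns" keyword, so A records in DNS replies crossing the
! ASA are rewritten to the real IP and inside clients connect to 192.168.2.188
! directly. Requires DNS inspection (on by default) and an ACL permitting the
! inside-to-dmz1 traffic.
object network obj-dst-webserver-real
 nat (dmz1,outside) static obj-dst-webserver-nat dns
```

Use one approach or the other; with DNS doctoring the hairpin rule is unnecessary because clients never send to the public IP. `show nat detail` and `packet-tracer input inside tcp 192.168.1.36 12345 18.104.22.168 80` show which rule the proxy's traffic actually hits.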