Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
826
Views
0
Helpful
2
Replies

Help with internal DNS trouble

Javier Gozalo Luengo
Level 1
Level 1

‎08-14-2012 09:41 AM - edited ‎03-11-2019 04:42 PM

Hello, I´m Javier from Spain

I have a strange issue with my new ASA 5512 and my corporate DNS servers.

my lan net is 172.15.0.0 /16, the default gateway is the INTERNAL ASA IP 172.15.10.69. and the DNS servers (172.20.10.10 and 172.20.10.20) are located in another building connected throw a peer to peer connection

this is my problem, with this configuration, I CAN successfully PING any host I need, other hosts in my lan, hosts in 172.20.0.0 /16, my DNS servers, and any host or web in internet

But the DNS servers are not responding my DNS queries, so I CANNOT ping www.cisco.com.

if I set my defaut gateway as 172.15.10.250, with the same coroprate DNS servers( 172.20.10.10 and .20), I CAN ping www.cisco.com, and if I set my defaut gateway as 172.15.10.69 and use the google DNS (8.8.8.8 and 8.8.4.4) I can ping www.cisco.com

as you can see in the picture, to reach the 172.20.0.0 /16 from the ASA, the information goes to the ASA throw the INTERNAL interface, and then goes to the 172.15.10.250 leaving the ASA throw the INTERNAL interface

I think i have here an assimetric routing, because I am not natting the traffic destined to the 172.20.0.0 /16, and then, when the traffic come back, when it arrived to the ISP router, the destination IP address will be 172.15.20.44, and not 172.15.10.69, so the traffic will go throw different way when go from 172.20.0.0 to 172.15.0.0

You can find attached a txt file with the show running at the ASA, and a picture with the network topology.

I will really appreciate any help, I´m very stuck with this.

I apologize for my English.

Javier

Labels:
Preview file
1361 KB
133325-SH RUN.txt.zip
0 Helpful
2 Replies 2

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎08-17-2012 11:43 AM

Hi Bro

This is not a strange issue, this is a network design problem indeed. This network design is badly done. Anyhow, please make the config changes as shown below, and let me know how it goes;

no nat (INTERNAL,INTERNAL) source static NETWORK_OBJ_172.20.0.0_24 NETWORK_OBJ_172.20.0.0_24 no-proxy-arp route-lookup
no nat (INTERNAL,INTERNAL) source static any any no-proxy-arp route-lookup

no object network 172.20.0.0_INTERNAL
no object network 172.15.0.0_INTERNAL

no access-group INET_OUT out interface INET
no access-group INET_OUT out interface INTERNAL

However, the best way here is, to perform static NAT on the Router that holds the IP Address 172.15.10.250, as shown below;

ip nat inside source static 172.15.10.10 172.20.10.10

ip nat inside source static 172.15.10.20 172.20.10.20

Note: This is assuming no one is using 172.15.10.10 and 172.15.10.20

All the workstations in 172.15.XXX.XXX/16 will have their DNS pointing to 172.15.10.10 and 172.15.10.20.

This will resolve your DNS issue.

With regards to your design, I would rather place the FW in transparent mode sitting in between the Router and the LAN (Proposed Network Design - by Ramraj.jpg), then to have it routed mode, as shown in your diagram.

Warm regards,
Ramraj Sivagnanam Sivajanam
Preview file
45 KB
0 Helpful

Javier Gozalo Luengo
Level 1
Level 1
In response to Ramraj Sivagnanam Sivajanam

‎08-18-2012 06:26 AM

Thanks, I´ll check it out next monday.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card