I have a strange issue with my new ASA 5512 and my corporate DNS servers.
My LAN network is 220.127.116.11/16, the default gateway is the INTERNAL ASA IP 18.104.22.168, and the DNS servers (172.20.10.10 and 172.20.10.20) are located in another building connected through a peer-to-peer connection.
This is my problem: with this configuration, I CAN successfully ping any host I need: other hosts in my LAN, hosts in 172.20.0.0/16, my DNS servers, and any host or website on the Internet.
But the DNS servers are not responding to my DNS queries, so I CANNOT ping www.cisco.com.
If I set my default gateway as 22.214.171.124, with the same corporate DNS servers (172.20.10.10 and .20), I CAN ping www.cisco.com, and if I set my default gateway as 126.96.36.199 and use the Google DNS (188.8.131.52 and 184.108.40.206) I can ping www.cisco.com.
As you can see in the picture, to reach 172.20.0.0/16 the traffic goes to the ASA through the INTERNAL interface, and then goes to 220.127.116.11, leaving the ASA through the INTERNAL interface.
I think I have asymmetric routing here, because I am not NATting the traffic destined to 172.20.0.0/16, and then, when the traffic comes back and arrives at the ISP router, the destination IP address will be 18.104.22.168 and not 22.214.171.124, so the traffic will take a different path when going from 172.20.0.0 to 126.96.36.199.
Attached you can find a txt file with the show running from the ASA, and a picture of the network topology.
I would really appreciate any help, I'm very stuck with this.
This is not a strange issue; this is a network design problem indeed. This network design is badly done. Anyhow, please make the config changes as shown below, and let me know how it goes:
no nat (INTERNAL,INTERNAL) source static NETWORK_OBJ_172.20.0.0_24 NETWORK_OBJ_172.20.0.0_24 no-proxy-arp route-lookup
no nat (INTERNAL,INTERNAL) source static any any no-proxy-arp route-lookup
no object network 172.20.0.0_INTERNAL
no object network 188.8.131.52_INTERNAL
no access-group INET_OUT out interface INET
no access-group INET_OUT out interface INTERNAL
However, the best way here is to perform static NAT on the router that holds the IP address 184.108.40.206, as shown below:
ip nat inside source static 220.127.116.11 172.20.10.10
ip nat inside source static 18.104.22.168 172.20.10.20
Note: This is assuming no one is using 22.214.171.124 and 126.96.36.199.
All the workstations in 172.15.XXX.XXX/16 will have their DNS pointing to 188.8.131.52 and 184.108.40.206.
This will resolve your DNS issue.
With regards to your design, I would rather place the FW in transparent mode sitting in between the router and the LAN (Proposed Network Design - by Ramraj.jpg) than have it in routed mode, as shown in your diagram.
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
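The thread turns on the difference between "I can ping the DNS server" and "the DNS server's UDP/53 replies actually make it back through the ASA". As an added example, not code from the original post or from the answerer, the following stdlib-only Python script sends an A query straight to a chosen resolver over UDP and over TCP port 53, checks that the reply carries the expected transaction ID and QR bit, and reports the rcode and A records. The resolver addresses (172.20.10.10 and 172.20.10.20) and the queried name (www.cisco.com) are assumptions taken from the thread's description; run it from a LAN host with each default gateway in turn to see which path drops the replies.

```python
"""Added example, not from the original thread: a stdlib-only DNS probe.

Sends an A query straight to a chosen resolver over UDP (and TCP) port 53 and
validates the reply, so "I can ping the DNS server" and "the DNS server
answers me through the ASA" are tested separately. Resolver addresses and the
queried name below are assumptions taken from the thread's description.
"""
import random
import socket
import struct


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a one-question DNS query (RD=1); QTYPE 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, txid: int) -> dict:
    """Check the header against our txid and collect A records from answers."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stale or forged reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    answers = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "answers": answers}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server: str, name: str, timeout: float = 2.0, tcp: bool = False) -> dict:
    """Query `server` once; return the parsed reply, or {'error': ...} on failure."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    try:
        if tcp:                             # TCP/53 frames each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        return parse_response(data, txid)
    except (OSError, ValueError) as exc:    # socket.timeout is an OSError subclass
        return {"error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Resolvers and name as described in the thread (assumed; adjust as needed).
    for server in ("172.20.10.10", "172.20.10.20"):
        for tcp in (False, True):
            print(server, "tcp" if tcp else "udp", probe(server, "www.cisco.com", tcp=tcp))
```

A `timeout` error from a host whose gateway is the ASA, while the same probe succeeds with the other gateway, confirms that the query leaves but the reply never returns on that path, which is exactly the asymmetric-routing symptom the question describes; a reply with a non-zero rcode or an empty answer list would instead point at the resolver itself.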