Cisco Support Community

How to do DNS doctoring on ASA5505

Hi,

One of the websites does not work from inside the network using its public domain name.

The website with local IP 192.168.220.4 / public IP 71.xxx.xxx.68 works fine from outside as well as from inside.

The website with local IP 192.168.220.10 / public IP 71.xxx.xxx.66 works fine from outside but does not work from inside the network.

After googling around I found that I have to enable DNS doctoring in order to fix the problem. When I logged into the GUI the DNS option is disabled, and when I tried it using the CLI it is giving an error message. Can someone shed some light on this?

We had to convert the PIX config file to ASA using the migration tool; that is why you might see weird network object names.

___________________________________________________________________________

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.220.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xxx.xxx.66 255.255.255.0
!

name 71.xxx.xxx.68 CLKSVR

object network obj-192.168.220.4
host 192.168.220.4

object network obj_any
subnet 0.0.0.0 0.0.0.0

object network CLKSVR
host 71.xxx.xxx.68
description Created during name migration

object network obj-192.168.220.10
host 192.168.220.10

object network obj-192.168.220.10-01
host 192.168.220.10

object-group network LabNw
description  Lab Network
network-object 192.168.220.0 255.255.255.0

access-list acl_in_http extended permit tcp any host 71.xxx.xxx.66 eq www
access-list acl_in_http extended permit tcp any host 71.xxx.xxx.66 eq https
access-list acl_in_http extended permit tcp any object obj-192.168.220.10 eq www
access-list acl_in_http extended permit tcp any object obj-192.168.220.10-01 eq https

access-list inside_access_in extended permit ip any any

ip verify reverse-path interface outside

object network obj-192.168.220.4
nat (inside,outside) static 71.xxx.xxx.68 dns


object network obj_any
nat (inside,outside) dynamic interface

######### Tried DNS doctrine here but did not work ###############
object network obj-192.168.220.10
nat (inside,outside) static interface service tcp www www
object network obj-192.168.220.10-01
nat (inside,outside) static interface service tcp https https
##################################################################

access-group inside_access_in in interface inside
access-group acl_in_http in interface outside

route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.1 1

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
!


### SHOW LOG OUTPUT ###
Apr 10 2012 05:26:01: %ASA-3-710003: TCP access denied by ACL from 192.168.220.2/1241 to inside:71.xxx.xxx.66/80
Apr 10 2012 05:26:04: %ASA-3-710003: TCP access denied by ACL from 192.168.220.2/1241 to inside:71.xxx.xxx.66/80
Apr 10 2012 05:26:10: %ASA-3-710003: TCP access denied by ACL from 192.168.220.2/1241 to inside:71.xxx.xxx.66/80
#######################


######################################################
efw# packet-tracer input outside tcp 71.xxx.xxx.66 www 192.168.220.10 www $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.220.0   255.255.255.0   inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   71.xxx.xxx.66   255.255.255.255 identity

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
#######################################################

Message was edited by: Sanjiv
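The post has no replies, and the configuration above never shows a working `dns` rewrite on the 192.168.220.10 mappings. As an added illustration (not the poster's configuration and not Cisco code), the Python below models what the ASA `dns` keyword does to a DNS reply: when an A record for a statically translated server crosses the firewall toward the inside, the mapped (public) address is replaced with the real (inside) address, so inside clients never try to reach the server through its public IP. Cisco documents DNS rewrite as not applicable to PAT rules, because several port-translating rules can match one A record; that is why the model carries only a one-to-one entry like the obj-192.168.220.4 translation and nothing for the `service tcp www www` rules. Addresses and hostnames are constructed: 203.0.113.68 stands in for the redacted 71.xxx.xxx.68, and `clksvr.example.test` is hypothetical.

```python
"""Model of ASA DNS doctoring (DNS rewrite) on a static one-to-one NAT.

Added example, not the original post's configuration and not Cisco code.
Addresses are constructed stand-ins for the redacted ones in the post.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

# Static 1:1 NAT entries carrying the 'dns' keyword: mapped (public) -> real (inside).
# Port-translating entries (static PAT) are deliberately absent: DNS rewrite
# cannot pick one of several PAT rules for a single A record.
DNS_REWRITE_TABLE: Dict[str, str] = {
    "203.0.113.68": "192.168.220.4",  # constructed stand-in for obj-192.168.220.4
}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg: bytes, table: Dict[str, str]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Rewrite A-record RDATA in a DNS reply according to `table`.

    Returns (rewritten_message, [(mapped_ip, real_ip), ...]). Queries (QR bit
    clear) and records that do not match any table entry are left untouched.
    A real ASA also checks that the reply is leaving on the NAT rule's real
    interface; that direction check is omitted from this single-packet model.
    """
    buf = bytearray(msg)
    flags, qd, an, ns, ar = struct.unpack_from("!HHHHH", buf, 2)
    if not flags & 0x8000:              # not a response: nothing to doctor
        return bytes(buf), []
    off = 12
    for _ in range(qd):                 # skip the question section (name + type + class)
        off = _skip_name(buf, off) + 4
    changes: List[Tuple[str, str]] = []
    for _ in range(an + ns + ar):       # walk answer, authority and additional records
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            mapped = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            real = table.get(mapped)
            if real:
                buf[off:off + 4] = ipaddress.IPv4Address(real).packed
                changes.append((mapped, real))
        off += rdlen
    return bytes(buf), changes


def build_a_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response with one A record (sample input only)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                  # type A, class IN
    # The answer name is a compression pointer (0xC00C) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply("clksvr.example.test", "203.0.113.68")   # constructed
    doctored, changes = doctor_dns_reply(reply, DNS_REWRITE_TABLE)
    print("rewritten:", changes)
    untouched, changes2 = doctor_dns_reply(build_a_reply("www.example.test", "203.0.113.66"),
                                           DNS_REWRITE_TABLE)
    print("left alone (no 1:1 entry):", changes2)
```

The second call in the usage block mirrors the post's 192.168.220.10 server: its public address maps only through port-translating rules, so no rewrite is available and an inside client resolving the public name would still be handed the outside-interface address, which is exactly the traffic the `%ASA-3-710003` log lines above show being denied.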
