Cisco Support Community
HELP!! Can not connect web server after DNS doctoring..

Dear All,

I have an ASA 5510, version 8.2(5).

The network topology is the following:

localnet - 192.168.0.0/24
Servers - 192.168.1.0/24
Outside network.

The www server has the address 192.168.1.1 and a static NAT to the public address 10.10.10.2.

Problem: a client cannot connect to the server from the localnet network.

I use this document:

Perform DNS Doctoring with the static Command and Three NAT Interfaces Configuration Example
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

After configuring, when I try to ping the web server from the ASA (ping www.some.com), it returns a correct echo reply from the private address... but I cannot receive an echo answer when I try to ping the server from a client PC (local network)...

Here is my config:

hostname gw1
domain-name goletiani.ge
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 0p/CqCPqhGpaiy.f encrypted
names
name 10.10.10.2 www.some.com
!
interface Ethernet0/0
 duplex full
 nameif outside
 security-level 10
 ip address 10.10.10.1 255.255.255.24
!
interface Ethernet0/1
 duplex full
 nameif localnet
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 duplex full
 nameif servers
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 duplex full
 nameif others
 security-level 100
 ip address 192.168.25.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 11.19.78.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 213.157.196.132
 name-server 213.157.196.131
object-group service piblicInternetServices tcp
 port-object eq 465
 port-object eq 995
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
object-group service sipPublic tcp-udp
 port-object eq sip
object-group service spiAllPublic udp
 group-object sipPublic
 port-object range 10000 20000
access-list admin_splitTunnelAcl standard permit 11.19.78.0 255.255.255.0
access-list localnet_nat0_outbound extended permit ip 11.19.78.0 255.255.255.0 11.19.200.0 255.255.255.240
access-list outside_access_in extended permit tcp any host 10.10.10.2 object-group piblicInternetServices
access-list outside_access_in extended permit icmp any 10.10.10.0 255.255.255.248
access-list outside_access_in extended permit ip any 10.10.10.0 255.255.255.248
access-list servers_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list servers_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list others_access_in extended permit ip 192.168.25.0 255.255.255.0 any
access-list localnet_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list localnet_access_in extended permit icmp 192.168.0.0 255.255.255.0 any
access-list others-limit-traffic extended permit ip 192.168.25.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu localnet 1500
mtu servers 1500
mtu others 1500
mtu management 1500
ip local pool AdminPool 11.19.200.2-11.19.200.14 mask 255.255.255.240
ip local pool Remote_Services 11.19.205.1-11.19.205.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (localnet) 0 access-list localnet_nat0_outbound
nat (localnet) 1 192.168.0.0 255.255.255.0
nat (others) 1 192.168.25.0 255.255.255.0
static (servers,outside) 10.10.10.3 sip.some.com netmask 255.255.255.255
static (servers,outside) 10.10.10.2 www.some.com netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group localnet_access_in in interface localnet
access-group servers_access_in in interface servers
access-group others_access_in in interface others
route outside 0.0.0.0 0.0.0.0 212.72.141.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 11.19.78.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 servers
http 192.168.0.0 255.255.255.0 localnet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 11.19.200.0 255.255.255.240 management
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 localnet
ssh 11.19.11.0 255.255.255.0 servers
ssh timeout 15
console timeout 0
dhcpd dns 213.157.196.132 213.157.196.131
dhcpd lease 1800
!
dhcpd address 192.168.0.222-192.168.0.254 localnet
dhcpd dns 213.157.196.132 213.157.196.131 interface localnet
dhcpd enable localnet
!
dhcpd address 192.168.25.2-192.168.25.179 others
dhcpd dns 213.157.196.132 213.157.196.131 interface others
dhcpd enable others
!
dhcpd address 11.19.78.2-11.19.78.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy admin internal
group-policy admin attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value admin_splitTunnelAcl
username root password Xriu58Vv0BnOxFPD encrypted
tunnel-group admin type remote-access
tunnel-group admin general-attributes
 address-pool AdminPool
 default-group-policy admin
tunnel-group admin ipsec-attributes
 pre-shared-key *****
!
class-map others-limit-traffic
 match access-list others-limit-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map others-limit-traffic
 class others-limit-traffic
  police input 20000 1500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
service-policy others-limit-traffic interface others
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:10cf8cf0872531a1b572297712f944f5
: end

what's wrong?
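The mechanism the post depends on is the `dns` keyword on the `static`: when a DNS reply for www.some.com carrying the public address 10.10.10.2 passes through the ASA towards an inside client, the A record is rewritten to the real address 192.168.1.1, so the client connects directly across the servers interface instead of trying to reach the public address from inside. The Python below is an added example, not code from the original post or from Cisco. It builds a constructed DNS reply for www.some.com as a DNS server on the outside would return it, applies the rewrite the static is expected to perform (the only mapping the post gives, 10.10.10.2 to 192.168.1.1), and classifies a reply the way you would when capturing the DNS answer on the client PC. The function names and the simplified one-table rewrite model are assumptions; a real ASA rewrites only where the reply's path matches the static's interfaces, which is exactly why the answer actually seen on localnet is the first thing to check.

```python
"""Offline model of ASA 'static ... dns' rewriting plus a client-side reply check.
Added example (not from the post or from Cisco); the rewrite model is simplified."""
import struct

# Mapping from the post's static: public (mapped) 10.10.10.2 -> real 192.168.1.1
STATIC_DNS_REWRITES = {"10.10.10.2": "192.168.1.1"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                    # the caller resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_a_response(name, ip, txid=0x1234):
    """Constructed sample reply: one question, one A answer (name via pointer to offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c"
              + struct.pack("!HHIH", 1, 1, 300, 4)              # TYPE=A, CLASS=IN, TTL, RDLENGTH
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def parse_a_records(data):
    """Return [(owner_name, ip, rdata_offset)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                        # skip questions: name + QTYPE + QCLASS
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in data[offset:offset + 4]), offset))
        offset += rdlen
    return records


def doctor(data, rewrites=STATIC_DNS_REWRITES):
    """Emulate the static's 'dns' keyword: replace mapped addresses in A answers with real ones.
    Length never changes (an A record's RDATA is always 4 bytes), so offsets stay valid.
    Returns (rewritten_bytes, number_of_records_rewritten)."""
    buf, count = bytearray(data), 0
    for _name, ip, off in parse_a_records(data):
        real = rewrites.get(ip)
        if real:
            buf[off:off + 4] = bytes(int(o) for o in real.split("."))
            count += 1
    return bytes(buf), count


def check_client_view(data, name, real_ip, mapped_ip):
    """Classify a reply captured on the client: 'doctored', 'not-doctored' or 'no-answer'."""
    ips = [ip for owner, ip, _ in parse_a_records(data) if owner == name]
    if real_ip in ips:
        return "doctored"
    if mapped_ip in ips:
        return "not-doctored"                       # client will try the public address from inside
    return "no-answer"


if __name__ == "__main__":
    reply = build_a_response("www.some.com", "10.10.10.2")
    print("as returned by the outside DNS server:",
          check_client_view(reply, "www.some.com", "192.168.1.1", "10.10.10.2"))
    rewritten, n = doctor(reply)
    print("after the static's dns rewrite:",
          check_client_view(rewritten, "www.some.com", "192.168.1.1", "10.10.10.2"), "rewrites:", n)
```

To use this against the real network, capture the UDP payload of the DNS answer on the client PC on localnet and pass those bytes to `check_client_view`. A result of not-doctored means the reply reached the client untouched, so the client is trying to reach 10.10.10.2 from the inside and the rewrite is not being applied on the outside-to-localnet path; doctored means name resolution is fine and the problem is elsewhere in the forwarding path (ACLs, NAT exemption or the server's own routing).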
