We have 4 servers in remote site and only 2 need to have public static ip to go out to the internet. To achieve this i did add the following statements to remote site asa 5505.

static (inside,outside) 2.2.2.51 192.168.168.51 netmask 255.255.255.255

static (inside,outside) 2.2.2.52 192.168.168.52 netmask 255.255.255.255

access-list outside extended permit icmp any any

access-list outside extended permit ip any any

access-group outside in interface outside

access-group inside in interface inside

After these were added i was able to ping the 4.2.2.2 and any other IP address successfully but could not do the DNS resolution. The server's nic card are assigned static private address and the DNS server ip is the one provided by the ISP. Also, i checked with the ISP and they say that they are not seeing the asa 5505 arping for the DNS servers.  Also all the server at remote site start having intermittent connectivity to even the internal systems located on the central site. Can you please tell me what mistake am i doing.

Thanks

Chets

Hi,

There should be no problem having a L2L VPN between sites and also having Static NAT configured for hosts on the remote site.

You have NAT0 configuration for the remote LAN towards the other LAN networks and the main site. This NAT0 will naturally only apply to that traffic. The Static NAT should apply for any other destination network behind the "outside" interface of the ASA other than the main site LAN networks (as NAT0 applies before Static NAT)

I am not sure what your ISP is on about with regards to ARP. That doesnt make any sense at all. Your host will certainly not ARP the ISP DNS server or the ISP DNS server would have to be located on your network directly. So I am not sure what they are on about. I am wondering if they just mean that they can't see DNS requests from your servers since the above reason doesnt make any sense at all.

When the servers have Static NAT configured you can naturally use the ASA itself to test what happens to their DNS connections

packet-tracer input inside udp 192.168.168.51 12345 53

packet-tracer input inside udp 192.168.168.52 12345 53

This would tell where the traffic is forwarded, if its allowed and what NAT configuration is applied to it.

What DNS servers are now configured on those servers? Are they using some internal DNS as the primary DNS or the ISP one? If they for some reason dont require an internal DNS server then you could naturally try the IP 8.8.8.8 as the primary DNS.

I just dont see why your servers would be able to use the L2L VPN and the local Internet connection at the same time.

Your attached configuration for the remote site contains an INSIDE ACL that only allows ICMP. You state above that you attach that ACL to your "inside" interface? I presume you have allowed all traffic from the LAN in the actual ACL you use? Otherwise all connections from the remote LAN would get blocked (all but ICMP)

- Jouni

The servers are configured with the IP address provided by the ISP for the Primary DNS. For some reason the DNS resolution does not work. I have even tried 8.8.8.8 as primary DNS on the servers and still no luck.

Also, I just noticed that following config is not there in the remote ASA. Could this be the reason?

-------------------------------------------------------------------

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 2000

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

-----------------------------------------------------------------------

Thanks

Chetan

Hi,

Can't really be 100% sure without checking but DNS inspection is something that is enabled by default. I know it does check that only one DNS reply gets back to the host.

But I am also under the impression that without it you would possibly have to have a permitting statement on the ASA to allow the DNS replys back to the hosts from the external network.

Do you have any such rules permitting UDP/53 traffic from the external network with an ACL? I would imagine if this was the problem them other hosts should be suffering from DNS problems also. Unless ofcourse there is an ACL rule permitting the UDP/53 traffic to the PAT IP address shared by the internal hosts BUT NOT the public IP address configured for this Static NATed server.

I always keep the default Policy Map configuration on the ASA and modify it as needed.

- Jouni

Hi Jouni,

Currently there is no ACL for permitting UDP/53 traffic. Also i had attached the complete config for the 2 firewalls at central and remote site when i started this discussion. So you can see that to get an idea. Also the other servers are not using DNS resolution as they are only connecting to the central site via VPN to a particular server and they are just using IP address to communicate. Nothing else.

Thanks for your help.

Chets