I am trying to get a few of the sites connected to the main office via a VPN connection using ASA 5505/5510. Also, the servers on the individual sites need to have internet access of their own with their own static IPs. I am able to configure the site-to-site VPN without any issues. But as soon as I start to assign static IPs to those servers we start facing some issues. Following is the config that I have. Any help would be appreciated.
So you have a couple of remote sites and you have an S2S VPN established between these sites.
You need your servers to access the internet and also communicate via the VPN tunnel with the central site, right?
I don't understand what you say about assigning static IP addresses to the servers and then starting to face some problems. So your servers have DHCP IP addresses assigned, and after static configuration they stop communicating with the remote site?
After these were added I was able to ping 188.8.131.52 and any other IP address successfully, but could not do DNS resolution. The servers' NIC cards are assigned static private addresses and the DNS server IP is the one provided by the ISP. Also, I checked with the ISP and they say that they are not seeing the ASA 5505 ARPing for the DNS servers. Also, all the servers at the remote site start having intermittent connectivity even to the internal systems located at the central site. Can you please tell me what mistake I am making?
There should be no problem having an L2L VPN between sites and also having Static NAT configured for hosts on the remote site.
You have a NAT0 configuration for the remote LAN towards the other LAN networks and the main site. This NAT0 will naturally only apply to that traffic. The Static NAT should apply to any other destination network behind the "outside" interface of the ASA other than the main site LAN networks (as NAT0 applies before Static NAT).
I am not sure what your ISP is on about with regard to ARP. That doesn't make any sense at all. Your host will certainly not ARP for the ISP DNS server, or the ISP DNS server would have to be located directly on your network. So I am not sure what they are on about. I am wondering if they just mean that they can't see DNS requests from your servers, since the above reason doesn't make any sense at all.
When the servers have Static NAT configured you can naturally use the ASA itself to test what happens to their DNS connections.
This would tell you where the traffic is forwarded, whether it's allowed, and what NAT configuration is applied to it.
What DNS servers are now configured on those servers? Are they using some internal DNS as the primary DNS or the ISP one? If for some reason they don't require an internal DNS server then you could naturally try the IP 184.108.40.206 as the primary DNS.
I just don't see why your servers would be able to use the L2L VPN and the local Internet connection at the same time.
Your attached configuration for the remote site contains an INSIDE ACL that only allows ICMP. You state above that you attach that ACL to your "inside" interface? I presume you have allowed all traffic from the LAN in the actual ACL you use? Otherwise all connections from the remote LAN would get blocked (all but ICMP).
The servers are configured with the IP address provided by the ISP as the primary DNS. For some reason the DNS resolution does not work. I have even tried 220.127.116.11 as the primary DNS on the servers and still no luck.
Also, I just noticed that the following config is not there in the remote ASA. Could this be the reason?
Can't really be 100% sure without checking, but DNS inspection is something that is enabled by default. I know it does check that only one DNS reply gets back to the host.
But I am also under the impression that without it you would possibly have to have a permitting statement on the ASA to allow the DNS replies back to the hosts from the external network.
Do you have any such rules permitting UDP/53 traffic from the external network with an ACL? I would imagine that if this was the problem then other hosts should be suffering from DNS problems also. Unless of course there is an ACL rule permitting the UDP/53 traffic to the PAT IP address shared by the internal hosts BUT NOT the public IP address configured for this Static NATed server.
I always keep the default Policy Map configuration on the ASA and modify it as needed.
Currently there is no ACL permitting UDP/53 traffic. Also, I had attached the complete config for the 2 firewalls at the central and remote sites when I started this discussion, so you can look at that to get an idea. Also, the other servers are not using DNS resolution, as they are only connecting to the central site via VPN to a particular server and they are just using IP addresses to communicate. Nothing else.
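The pieces the two replies above describe (NAT exemption for the tunnel, a one-to-one static for the server, the default DNS inspection, and using the ASA itself to trace a DNS flow) fit together as follows. This is an added example, not the poster's attached configuration or either responder's text; it assumes the 8.2-style NAT syntax that the "NAT0" wording in the thread implies (8.3 and later use object NAT and different commands), and every address, ACL name, crypto map name and transform set is a made-up placeholder from the RFC 5737 documentation ranges.

```text
! Added example: remote-site ASA, 8.2-style NAT. All values are assumptions.
!   remote LAN           192.168.20.0/24   server 192.168.20.10
!   central LAN          192.168.10.0/24   central ASA outside 198.51.100.1
!   remote ASA outside   203.0.113.2       spare public IP for server 203.0.113.10
!   ISP resolver         198.51.100.53

! 1. NAT exemption (NAT0) for LAN-to-LAN traffic. Evaluated before any
!    static or dynamic NAT, so the server's static below never applies
!    to traffic bound for the central site.
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. One-to-one static for the server. Takes effect for every destination
!    NOT matched by NONAT, i.e. the Internet. The ASA proxy-ARPs for
!    203.0.113.10 on outside if it is in the outside interface's subnet.
static (inside,outside) 203.0.113.10 192.168.20.10 netmask 255.255.255.255

! 3. PAT for the rest of the LAN (statics take precedence over this).
global (outside) 1 interface
nat (inside) 1 192.168.20.0 255.255.255.0

! 4. Crypto ACL mirrors NONAT so exactly the exempted flows get encrypted.
!    (ISAKMP policy, pre-shared key and tunnel-group omitted for brevity.)
access-list L2L-TRAFFIC extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! 5. Keep DNS inspection in the default global policy. The inspected query
!    opens the return path for the single reply, so no inbound UDP/53
!    ACL entry on outside is required for either the PAT or the static.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! 6. If an ACL is bound to inside, it must permit more than ICMP or the
!    DNS query (UDP/53) is dropped before NAT is ever consulted.
access-list INSIDE_IN extended permit ip 192.168.20.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! 7. Trace the two flows from the ASA instead of guessing.
!    Internet-bound DNS: expect the NAT phase to show the static
!    (192.168.20.10 -> 203.0.113.10), no VPN phase, result "allow".
packet-tracer input inside udp 192.168.20.10 1025 198.51.100.53 53 detailed
!    Tunnel-bound traffic: expect NAT exemption and a VPN/encrypt phase.
packet-tracer input inside tcp 192.168.20.10 1025 192.168.10.5 445 detailed
!    Confirm the translation actually in use for the server.
show xlate | include 192.168.20.10
```

Reading the packet-tracer output is the check the first reply alludes to: if the DNS trace ends with a drop, the phase that drops it (ACCESS-LIST, NAT or INSPECT) names the misconfiguration directly, and if it shows the PAT address instead of 203.0.113.10 the static is not matching. On the ISP's ARP remark: with the static in place the ASA answers ARP for 203.0.113.10 itself; if the ISP instead routes that block to the outside interface address, no ARP for it will ever be seen, which is normal.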