01-03-2012 09:52 AM - edited 03-04-2019 02:48 PM
We have a website inside our private network listed as a different domain from our AD (AD=Company.local, Website=CompanySupplyCorp.com). If I do an nslookup internally, it resolves to its public IP address. This has worked fine all along, but for some reason recently this has stopped working and the browser errors out. From outside the company the URL gets translated to the public IP and is NATed in our firewall to our private IP, and the website works fine.
If I do a tracert (trace route) from our layer 3 switch on the IP, the route dies on the inside interface of our edge router???
I have modified my local hosts file to point to the private IP, and it works, but I have 250 systems and this is a band-aid, not a solution.
Does anyone have any thoughts or recommendations to resolve this?
Not sure if this needs a route to be added, or if DNS could better resolve it.
01-03-2012 10:04 AM
Can you please post your firewall config?
Thanks
Ajay
01-03-2012 12:14 PM
Public IP is 64.80.238.209
Private is 192.10.10.16
access-list access_in extended deny tcp any host 66.153.88.141 eq citrix-ica inactive
access-list access_in extended permit tcp any host 64.80.238.209 eq www
access-list access_in extended permit tcp host 12.19.61.34 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 65.210.205.254 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 65.210.205.209 host 66.153.88.140 eq ssh
access-list access_in extended permit tcp host 66.199.131.184 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.187 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.189 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 66.199.131.134 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp host 64.254.146.163 host 64.80.238.210 eq 9080
access-list access_in extended permit tcp any host 64.80.238.211 eq imap4
access-list access_in extended permit tcp any host 64.80.238.211 eq smtp
access-list access_in extended permit udp any any eq ntp
access-list access_in remark kamcomail - web-based mail unsecured
access-list access_in extended permit tcp any host 64.80.238.211 eq https
access-list access_in remark kamcomail
access-list access_in extended permit tcp any host 64.80.238.211 eq www inactive
access-list access_in extended permit tcp host 216.208.163.66 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp host 70.28.55.129 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp host 99.236.135.59 host 66.153.88.142 eq 3389
access-list access_in extended permit tcp any host 66.153.88.141 eq smtp
access-list 108 extended permit ip 192.10.0.0 255.255.0.0 10.99.99.0 255.255.255.0
access-list 108 extended permit ip 192.10.0.0 255.255.0.0 192.10.90.0 255.255.255.0
access-list 108 extended permit ip 192.10.10.0 255.255.255.0 10.99.99.0 255.255.255.128
access-list kamcovpn_splitTunnelAcl standard permit 192.10.10.0 255.255.255.0
access-list kamcovpn_splitTunnelAcl standard permit 192.10.0.0 255.255.0.0
access-list dmz_in extended permit icmp any any
access-list dmz_in extended deny ip any 192.10.10.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list wccpserver extended permit ip host 192.10.10.83 any
access-list acl_websense extended deny tcp host 192.10.10.70 any eq https
access-list acl_websense extended deny tcp host 192.10.10.70 any eq www
access-list acl_websense extended deny tcp host WebsenseWEB_C_Interface any eq https
access-list acl_websense extended deny tcp host WebsenseWEB_C_Interface any eq www
access-list acl_websense extended deny tcp host 192.10.10.83 any eq https
access-list acl_websense extended deny tcp host 192.10.10.83 any eq www
access-list acl_websense extended deny tcp host 192.10.10.84 any eq https
access-list acl_websense extended deny tcp host 192.10.10.84 any eq www
access-list acl_websense extended deny tcp host 192.10.10.85 any eq https
access-list acl_websense extended deny tcp host 192.10.10.85 any eq www
access-list acl_websense extended deny tcp any host 64.80.238.209 log
access-list acl_websense extended deny tcp any host 192.10.10.16 log
access-list acl_websense extended permit tcp any any eq www log
access-list acl_websense extended permit tcp any any eq https log
access-list acl_websense extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool kamcopool 10.99.99.10-10.99.99.100
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list 108
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.10.10.59 3389 netmask 255.255.255.255
static (inside,outside) 66.153.88.140 192.10.10.15 netmask 255.255.255.255
static (inside,outside) 64.80.238.210 192.10.10.17 netmask 255.255.255.255
static (inside,outside) 64.80.238.211 192.10.10.24 netmask 255.255.255.255
static (inside,outside) 66.153.88.141 192.10.10.85 netmask 255.255.255.255
static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255
access-group access_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 66.153.88.137 1
route inside 192.10.11.0 255.255.255.0 192.10.10.254 1
route inside 192.10.20.0 255.255.255.0 192.10.10.254 1
route inside 192.10.30.0 255.255.255.0 192.10.10.254 1
route inside 192.10.40.0 255.255.255.0 192.10.10.254 1
route inside 192.10.41.0 255.255.255.0 192.10.10.254 1
route inside 192.10.50.0 255.255.255.0 192.10.10.254 1
route inside 192.10.51.0 255.255.255.0 192.10.10.254 1
route inside 192.10.60.0 255.255.255.0 192.10.10.254 1
route inside 192.10.61.0 255.255.255.0 192.10.10.254 1
route inside 192.10.70.0 255.255.255.0 192.10.10.254 1
route inside 192.10.80.0 255.255.255.0 192.10.10.254 1
route inside 192.10.81.0 255.255.255.0 192.10.10.254 1
01-03-2012 01:28 PM
Have you tried enabling DNS doctoring?
static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns
Or were no configuration changes done at all on the ASA and it suddenly stopped working?
Thx
MS
01-03-2012 01:46 PM
I have not made any changes and it stopped working.
Should I try DNS doctoring?
01-03-2012 02:02 PM
Yes (during maintenance window).
Thx
MS
01-03-2012 02:08 PM
I added that as a Static NAT rule with the DNS
***static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns***
and there was no change. Still timing out trying to get to the edge.
01-03-2012 02:17 PM
Thanks for the update. Can you try to clear the existing translation for 192.10.10.16 (clear xlate local 192.168.10.16) and see if that makes any difference? Also, can you access the website by IP (rather than DNS name)?
Thx
MS
01-04-2012 07:06 AM
So you want me to clear the NAT translation?
*** static (inside,outside) 192.10.10.16 64.80.238.209 netmask 255.255.255.255***
1. This will shut down outside traffic from coming in, which I could do quickly?
In regards to hitting the site internally, I can by modifying the local hosts file; unfortunately this would be a nightmare to maintain on hundreds of PCs, and our DNS server is getting its A record from our provider (public IP), which is the correct domain.
Hosts file
****192.10.10.16 kamcosupplycorp.com****
01-04-2012 10:04 AM
Hi Dan,
Not the static NAT translation rule in the ASA but the xlate (do show xlate | include 192.168.10.16 and you will find it). Yes, it will disconnect the sessions momentarily but should reestablish quickly. The only reason I asked you for this was, maybe the old translation is still holding even after adding the DNS doctoring (but not quite sure if you really need to clear xlate when you add the 'dns' keyword).
Thx
MS
01-04-2012 10:59 AM
Did the following and still no luck.
ASA# clear xlate local 192.10.10.16
ASA# show xlate | include 192.10.10.16
Global 64.80.238.209 Local 192.10.10.16
Global 192.10.10.16 Local 64.80.238.209
01-04-2012 11:53 AM
Hi Dan,
Not quite sure why the DNS doctoring failed in this scenario (unless the public DNS hosting is inside). I guess 192.10.10.x is directly connected to ASA (as there is no route statement). You may try packet trace from ASA based on the Version.
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port
Or let's wait and see if experts can provide a quick solution. For your reference, here is the DNS doctoring doc:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
Thx
MS
01-04-2012 12:19 PM
Well if I do an nslookup internally I resolve to our public IP. If I go to our DNS server and look for the public IP it is in the Cache. If I flush the Cache when I go to a browser and browse to our website, it just goes back out to our providers DNS servers and gets the public IP again. I'll take a closer look at the DNS doctoring document.
01-04-2012 01:23 PM
Looks like the document is geared for 7.2, and it looks like we are using 6.2.
Following the document, it looks similar to our NAT rules section: just edit the existing rule and check off DNS. Previously I was adding an existing NAT rule, but I tried what the document said and I did not get any results.
01-04-2012 05:53 PM
Why not add an A record internally for its private address and be done with it?
Sent from Cisco Technical Support iPhone App
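The thread turns on one mechanism: an inside client asks a public resolver, gets the public address 64.80.238.209 back, and then tries to hairpin through the ASA's outside interface, which fails. The added example below (not from the thread or from Cisco) parses pre-8.3 `static` lines like the ones Dan posted and predicts which address an inside client ends up connecting to, depending on whether the `dns` keyword is present. It assumes the DNS reply actually crosses the ASA (resolver outside, client inside) and that DNS inspection is enabled, which is what DNS doctoring requires; the config lines are copied from the thread with `dns` added to the 64.80.238.209 entry as MS suggested.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: three static lines from the thread, 'dns' added to one of them.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 3389 192.10.10.59 3389 netmask 255.255.255.255
static (inside,outside) 64.80.238.210 192.10.10.17 netmask 255.255.255.255
static (inside,outside) 64.80.238.209 192.10.10.16 netmask 255.255.255.255 dns
"""

# One-to-one form only: static (real_if,mapped_if) GLOBAL LOCAL netmask MASK [dns]
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\)\s+"
    r"(?P<global>\d+\.\d+\.\d+\.\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+\S+(?P<dns>\s+dns)?\s*$"
)

@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    global_ip: str
    local_ip: str
    dns_rewrite: bool   # True when the 'dns' keyword (DNS doctoring) is present

def parse_statics(config: str) -> List[StaticNat]:
    """Extract one-to-one static NATs; port-forwarding ('tcp interface ...') lines are skipped."""
    found = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            found.append(StaticNat(m["real"], m["mapped"], m["global"], m["local"], bool(m["dns"])))
    return found

def missing_dns_rewrite(statics: List[StaticNat]) -> List[str]:
    """Audit helper: mapped (public) addresses whose static has no 'dns' keyword."""
    return [s.global_ip for s in statics if not s.dns_rewrite]

def inside_client_sees(statics: List[StaticNat], dns_answer: str) -> str:
    """Predict the address an inside client connects to after an A-record answer
    from an outside resolver passes through the ASA toward the inside."""
    for s in statics:
        if s.global_ip == dns_answer and s.mapped_if == "outside":
            # With 'dns', inspection rewrites the A record to the real (inside) address;
            # without it, the client is left with the public address and hairpins.
            return s.local_ip if s.dns_rewrite else s.global_ip
    return dns_answer   # not a translated address; the answer passes unchanged
```

If `inside_client_sees` still returns the public address for 64.80.238.209 after adding `dns`, the remaining suspects are the ones the thread raises: the reply is not traversing the ASA (cached on the internal DNS server), or DNS inspection is not applied to that traffic.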