
ASA 5510 - DNS issue

Status
Not open for further replies.

ndinc

ISP
Jun 29, 2005
111
US
Hello all.

I am working on an ASA 5510 after downgrading it to 8.2 from 8.3, no time to learn a new trick.

Everything seems to be working except I cannot ping the DNS server 68.4.16.30 from a workstation with a static IP of 10.1.1.4, but I can ping the DNS server from within the ASA.

Go figure, I must be missing something.

Any help would be much appreciated.

Scrubbed config... (non-production, I see other errors I must fix as well). A lot of cut and pasting...


mullervpn# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname mullervpn
domain-name domain.com
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 207.X.X.129 255.255.255.224
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
dns server-group DefaultDNS
name-server 68.4.16.30
name-server 68.6.16.30
domain-name themullercompany.com
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq smtp
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq www
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq pop3
access-list outside_access_in extended permit tcp any host 207.X.X.124 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.133 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.134 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.135 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.136 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.137 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.138 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.139 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.140 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.141 eq 3389
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.132 smtp 10.1.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.132 255.255.255.255
static (inside,outside) tcp 207.X.X.132 pop3 10.1.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.133 3389 10.1.1.53 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.134 3389 10.1.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.135 3389 10.1.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.136 3389 10.1.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.137 3389 10.1.1.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.138 3389 10.1.1.61 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.139 3389 10.1.1.15 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.140 3389 10.1.1.60 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.141 3389 10.1.1.63 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.142 3389 10.1.1.66 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.124 3389 10.1.1.4 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.X.X.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.5.5.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 management
http 207.X.X.13 255.255.255.255 management
http 207.X.X.13 255.255.255.255 outside
http 207.X.X.19 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.5.5.0 255.255.255.0 inside
ssh 207.X.X.19 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.2.21.1 source outside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e541bedcceb1ee3f18626fa9f154877c
: end
mullervpn#


Thanks for your help
 
add inspect icmp to the global_policy

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
it worked.

Just to add to it.

When I use one of these internal IPs (below) it still does not work, but when I use a non-global 10.1.1.123 it works fine...

global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255



Thanks for your help
 
global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255

Do this:
static (inside,outside) 207.x.x.132 10.1.1.10
static (inside,outside) 207.x.x.124 10.1.1.4

Doing Global/Nat statements with a /32 looks good on paper, but it doesn't work.

PSC
[—] CCNP (R&S/Wireless) [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
If that doesn't work, could you try the following and post the results:
Code:
packet-tracer input inside icmp 10.1.1.4 8 0 68.4.16.30
debug icmp trace
Try ping again from host
 
I seem to be having NAT translation problems with the config above. Everything resolves to the outside interface .129 and all the other ports don't allow traffic. I had to pull it offline Friday night and put back the old firewall. I am used to the ASA 5505 with only a few VLANs; am I missing something with the 5510? I have been comparing notes on my other 10 firewalls and it's a head scratcher. Got the ASA book out as well.

I had to remove these statements just to get these servers to have internet. a tells me it's from the .129 NAT address.

global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255


Thanks for your help
 
Sorry to hear that. Your config looks good but I might be overlooking something. For what it's worth, we have lots of one-to-one translations with nat (inside) and global (outside) and haven't had any issues.

You need to setup logging to level 7 and dump it to a syslog server or to the buffer. This link and the commands I referenced earlier are a start. Let us know if you need assistance. Good luck.
 
You need to clear the ARP cache on the upstream router. This is a common issue with ISP routing devices. The cache timer is often set to 24+ hours.

Also, your Global 2 and Global 3 statements conflict with some of your static NATs.

PSC
 
As far as I know, you can have overlapping global and static NATs using the same IP. Lots of environments use this if they only have one public IP address to work with. Even a Linksys router, using only one address, has a variation of static PAT (port forwarding) combined with regular PAT on the inside.

The ASA NAT order of operations will process any static first then proceed to NAT statements. In this case, if we focus on 10.1.1.4, there is no explicit match for ICMP traffic in a static command. So the ASA moves to the next closest matching NAT statement which is "nat (inside) 3 10.1.1.4 255.255.255.255."

Ndinc: make sure you run a 'clear xlate' whenever you make changes involving a NAT command or a switch from NAT to static and vice versa.
 
Aren't NAT matches applied in order? i.e. Global/NAT 1 is tried before Global/NAT 2. Hence NAT0 has highest priority and is used for No NAT. Maybe there's an ordering issue here?

PSC
 
Regular NAT is not applied in order. Regular NAT--referring to statements like 'nat (inside) 1'--is processed by best match, like an ACL. So if you have an internal host with an IP of 10.0.0.1/24 with these statements:

nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 2 10.0.0.0 255.255.255.0

Statement #2 will be used because of the more specific prefix length. NAT 0 is the king though. There is some good info here about NAT ordering:
 
I wish you could edit posts here...I meant to say 'processed by best match, like a routing table.' Hope you caught my drift either way.
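To make the lookup order discussed in the last few posts concrete (statics consulted before any `nat (inside) N` statement, and regular NAT picked by longest prefix rather than by ID), here is an added example in Python that is not code from this thread or from Cisco. It models an ASA 8.2 inside-to-outside translation decision over the global/nat/static lines quoted above, with the scrubbed `X` octets replaced by `0` as placeholders; NAT exemption (nat 0 with an access-list) and policy NAT are deliberately left out, and all function and class names are mine. It also reports the global/static address overlap that PSC pointed at, so the two views in the thread can be checked against the same config.

```python
"""Added example (not from the thread): a small model of how an ASA 8.2
outbound (inside -> outside) flow picks its translation, following the order
described in this thread: static entries first, then regular `nat (inside) N`
statements by best (longest prefix) match rather than by ID order.
NAT exemption (nat 0 with an access-list) and policy NAT are not modelled.
Outside addresses are placeholders: the scrubbed 'X' octets are replaced by 0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from the global/nat/static lines quoted in the thread.
CONFIG = """
global (outside) 1 interface
global (outside) 2 207.0.0.132
global (outside) 3 207.0.0.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.0.0.132 smtp 10.1.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 207.0.0.132 pop3 10.1.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp 207.0.0.124 3389 10.1.1.4 3389 netmask 255.255.255.255
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}


@dataclass
class Static:
    proto: Optional[str]        # "tcp"/"udp" for a port static, None for one-to-one
    mapped: str                 # outside (mapped) address
    mapped_port: Optional[int]
    real: str                   # inside (real) address
    real_port: Optional[int]


@dataclass
class NatRule:
    nat_id: int
    network: ipaddress.IPv4Network


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def parse(config: str) -> Tuple[List[Static], List[NatRule], Dict[int, str]]:
    """Parse only global/nat/static lines; anything else is ignored."""
    statics, nats, globals_ = [], [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "global":
            globals_[int(t[2])] = t[3]
        elif t[0] == "nat":
            nats.append(NatRule(int(t[2]), ipaddress.IPv4Network(f"{t[3]}/{t[4]}")))
        elif t[0] == "static":
            if t[2] in ("tcp", "udp"):
                statics.append(Static(t[2], t[3], _port(t[4]), t[5], _port(t[6])))
            else:
                statics.append(Static(None, t[2], None, t[3], None))
    return statics, nats, globals_


def translate(real_ip: str, proto: str, real_port: Optional[int],
              statics: List[Static], nats: List[NatRule],
              globals_: Dict[int, str]) -> Tuple[str, Optional[str]]:
    """Return (matching rule, mapped address) for a flow from an inside host.

    real_port is the inside host's own port. For an outbound ping it is None,
    so a `static ... tcp ... 3389` entry for that host does not apply and the
    lookup falls through to the nat statements.
    """
    ip = ipaddress.IPv4Address(real_ip)
    # 1. statics are consulted before any nat statement
    for s in statics:
        if s.real != real_ip:
            continue
        if s.proto is None:                     # one-to-one static: all traffic
            return ("static", s.mapped)
        if s.proto == proto and s.real_port == real_port:
            return ("static-pat", s.mapped)
    # 2. regular nat: the most specific prefix wins, not the lowest ID
    best = None
    for r in nats:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    if best is None:
        return ("none", None)
    if best.nat_id == 0:                        # identity NAT: address unchanged
        return ("nat 0", real_ip)
    return (f"nat {best.nat_id}", globals_.get(best.nat_id))


def global_static_overlaps(statics: List[Static],
                           globals_: Dict[int, str]) -> List[Tuple[int, str]]:
    """Global pool addresses that are also the mapped address of a static
    (the overlap flagged in the thread); it only reports, it does not judge."""
    mapped = {s.mapped for s in statics}
    return sorted((gid, addr) for gid, addr in globals_.items() if addr in mapped)


if __name__ == "__main__":
    statics, nats, globals_ = parse(CONFIG)
    print(translate("10.1.1.4", "icmp", None, statics, nats, globals_))    # nat 3
    print(translate("10.1.1.4", "tcp", 3389, statics, nats, globals_))     # static-pat
    print(translate("10.1.1.123", "icmp", None, statics, nats, globals_))  # nat 1
    print(global_static_overlaps(statics, globals_))
```

Run as-is, it shows the ping from 10.1.1.4 hitting `nat (inside) 3` (because the port static only matches TCP/3389 from that host), the non-global 10.1.1.123 host falling to `nat (inside) 1` and the interface address, and globals 2 and 3 sharing their addresses with statics. Swapping the quoted `global`/`nat` pair for PSC's one-to-one `static (inside,outside) 207.0.0.132 10.1.1.10` makes every flow from that host match at step 1 instead.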
 
Thanks for the input guys.

I have taken the 5510 offline and I have it back in the lab. I will clear the ARP cache at the core and bring it back online briefly to test the ARP cache theory.

If it's not successful I will reassign the network to another class C block that isn't being used. Unfortunately I will have to reprogram this network segment (more work). After this is installed and working the next step is the Remote VPN configuration and deployment. So it's putting me a bit behind schedule.

It's too bad as I thought I had this down after 10 or 12 ASA 5505 installs, upgrading IOS, and working with the new ASDM adding and deleting over the past few months without any issues. I really hope this is a simple ARP cache problem as I will feel a bit better about my ASA skills. I have been comparing my past configs to this 5510 and I cannot find a major anomaly that stands out...

I will keep you posted.

I sure appreciate the extra "weekend" help from you guys!

Thanks for your help
 