Solved

Help troubleshooting NAT entry (with DNS doctoring)

Posted on 2010-11-23
5
698 Views
Last Modified: 2012-05-10
I have the following entries for a 1:1 NAT statement, that sits on a hosted firewall upstream from us:

access-list outside_acl extended permit tcp any host 74.85.0.202 eq ssh
access-list outside_acl extended permit tcp any host 74.85.0.202 eq www
access-list outside_acl extended permit tcp any host 74.85.0.202 eq https
access-list outside_acl extended permit icmp any host 74.85.0.202 echo-reply
access-list outside_acl extended permit icmp any host 74.85.0.202 echo
access-list outside_acl extended permit tcp any host 74.85.0.202 eq 3306
static (inside,outside) 74.85.0.202 10.102.84.15 netmask 255.255.255.255 dns

Open in new window


we manage the DNS servers for our company, and in the primary DNS zone, I have a simple "A" record for a FQDN to point to the above static IP, 74.85.0.202

test.abc.com.           	900     IN	A       74.85.0.202

Open in new window


so we can access this FQDN internally, in the office, we have to have the "DNS doctoring" statement in order to properly resolve the FQDN back to the private IP.

the only thing that changed over the weekend is, we have a managed-ethernet/EoC connection that utilizes a Hatteras device, and that device failed this weekend. Yesterday we had it replaced, and now we are back to using the EoC connection. That's it.

I verified w/ the hosting company that the DNS doctoring keyword does exist, as you can see by the statements posted above.

I'm at a loss why this isn't working now. any ideas where to check and/or how to resolve?

I can ping this box from our datacenter, by hostname.

64 bytes from 74.85.0.202: icmp_seq=1 ttl=54 time=10.1 ms

Open in new window


internally pinging the hostname resolves back to 10.102.84.15; trying to resolve FQDN through browser though just dies
0
Comment
Question by:kapshure
  • 3
  • 2
5 Comments
 
LVL 4

Accepted Solution

by:
patterned earned 500 total points
Comment Utility
When you manually put that private address in the browser address bar, what happens?

If you can ping via hostname, this isn't a DNS issue, and what I previously alluded to will not work either.

You did not say if the internal pinging was successful or not.  I'll assume it was...
Is there a firewall in between the devices?
VLANs?
Is the box running the web server have port 80 open?
etc, etc.
0
 

Author Comment

by:kapshure
Comment Utility
it was the latter! dev issue! i ran nmap on it saw that 80/443 wasn't open. hopped on the box, did a
ps - ef | grep httpd 

Open in new window


and confirmed..  checked also with
netstat -at | grep 80

Open in new window

and
netstat -at | grep 443

Open in new window

.. no dice!

started httpd, bam.

/sigh.

thanks though!
0
 

Author Closing Comment

by:kapshure
Comment Utility
dev's hadn't started httpd!
0
 
LVL 4

Expert Comment

by:patterned
Comment Utility
I love when I forget the dumb things.  Just a little nudge is all you needed.


Damn devs! ;)
0
 

Author Comment

by:kapshure
Comment Utility
yeh, i just assumed they had their sh!t together. "ass-u-me" DOH!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone. The standard procedure would be to launch the DNS Manager console, create the Zone and start adding new hosts using the New…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now