Solved

Help troubleshooting NAT entry (with DNS doctoring)

Posted on 2010-11-23
Medium Priority
704 Views
Last Modified: 2012-05-10
I have the following entries for a 1:1 NAT statement, that sits on a hosted firewall upstream from us:

access-list outside_acl extended permit tcp any host 74.85.0.202 eq ssh
access-list outside_acl extended permit tcp any host 74.85.0.202 eq www
access-list outside_acl extended permit tcp any host 74.85.0.202 eq https
access-list outside_acl extended permit icmp any host 74.85.0.202 echo-reply
access-list outside_acl extended permit icmp any host 74.85.0.202 echo
access-list outside_acl extended permit tcp any host 74.85.0.202 eq 3306
static (inside,outside) 74.85.0.202 10.102.84.15 netmask 255.255.255.255 dns

We manage the DNS servers for our company, and in the primary DNS zone I have a simple "A" record for an FQDN that points to the above static IP, 74.85.0.202:

test.abc.com.           	900     IN	A       74.85.0.202

So we can access this FQDN internally, in the office, we have to have the "DNS doctoring" statement in order to properly resolve the FQDN back to the private IP.

The only thing that changed over the weekend is that we have a managed-ethernet/EoC connection that utilizes a Hatteras device, and that device failed this weekend. Yesterday we had it replaced, and now we are back to using the EoC connection. That's it.

I verified w/ the hosting company that the DNS doctoring keyword does exist, as you can see by the statements posted above.

I'm at a loss why this isn't working now. Any ideas where to check and/or how to resolve?

I can ping this box from our datacenter, by hostname:

64 bytes from 74.85.0.202: icmp_seq=1 ttl=54 time=10.1 ms

Internally, pinging the hostname resolves back to 10.102.84.15; trying to resolve the FQDN through a browser, though, just dies.
Question by: kapshure
5 Comments

Accepted Solution
by: patterned (LVL 4), earned 2000 total points
ID: 34200940
When you manually put that private address in the browser address bar, what happens?

If you can ping via hostname, this isn't a DNS issue, and what I previously alluded to will not work either.

You did not say if the internal pinging was successful or not.  I'll assume it was...
Is there a firewall in between the devices?
VLANs?
Does the box running the web server have port 80 open?
etc, etc.
0
Author Comment
by: kapshure
ID: 34200978
It was the latter! Dev issue! I ran nmap on it and saw that 80/443 wasn't open. Hopped on the box, did a

ps -ef | grep httpd

and confirmed. Checked also with
netstat -at | grep 80

and
netstat -at | grep 443

... no dice!

Started httpd, bam.

/sigh.

thanks though!
0
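The accepted answer's checklist and the author's follow-up boil down to one distinction: is the name resolving to the wrong address (DNS doctoring not applied), or is it resolving correctly while nothing answers on 80/443 (service not started)? The script below is an added example, not part of this thread; it reuses the thread's own values (74.85.0.202, 10.102.84.15, test.abc.com), but the diagnose() classification and the sample inputs are assumptions built for illustration. Run it from the office LAN with inside=True, or from outside with inside=False.

```python
"""Added example (not from the thread): tell "DNS doctoring isn't working"
apart from "nothing is listening" before escalating to the firewall team.

Values below come from the thread; the classification rules are assumptions
written for this illustration, not Cisco or Experts Exchange guidance.
"""
import socket
from typing import Dict, Set

# The static (inside,outside) NAT pair from the thread's ASA config.
EXTERNAL_IP = "74.85.0.202"
INTERNAL_IP = "10.102.84.15"
WEB_PORTS = (80, 443)


def resolve(fqdn: str) -> Set[str]:
    """Return every IPv4 address the local resolver hands back for fqdn."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def port_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect check: True only if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((ip, port)) == 0


def diagnose(resolved: Set[str], ports: Dict[int, bool], inside: bool = True) -> str:
    """Classify the symptom from a resolution result and per-port reachability.

    inside=True means the check ran on the office LAN, where DNS doctoring
    should rewrite the answer to INTERNAL_IP; from the Internet the expected
    answer is EXTERNAL_IP. `ports` maps port -> reachable.
    """
    expected = INTERNAL_IP if inside else EXTERNAL_IP
    if not resolved:
        return "dns: no answer for the name - check the zone / resolver first"
    if expected not in resolved:
        if inside and EXTERNAL_IP in resolved:
            return ("dns: name resolves to the public NAT address from inside - "
                    "'dns' keyword on the static missing or ASA not in the DNS path")
        return f"dns: unexpected address(es) {sorted(resolved)}"
    closed = [p for p, up in ports.items() if not up]
    if not ports or len(closed) == len(ports):
        return "dns ok; nothing listening on the web ports - check the service (httpd)"
    if closed:
        return f"dns ok; ports {closed} closed - partial service/firewall issue"
    return "dns ok; web ports reachable - look at the application, not the network"


def run_check(fqdn: str, inside: bool = True) -> str:
    """Live version: resolve the name, probe the address it should map to, classify."""
    resolved = resolve(fqdn)
    target = INTERNAL_IP if inside else EXTERNAL_IP
    ports = {p: port_open(target, p) for p in WEB_PORTS} if target in resolved else {}
    return diagnose(resolved, ports, inside)


if __name__ == "__main__":
    # Constructed call for the thread's hostname; on the LAN this should
    # report "dns ok; nothing listening ..." when httpd has not been started.
    print(run_check("test.abc.com"))
```

The point of keeping diagnose() separate from the network probes is that the classification can be exercised with constructed inputs (the thread's exact symptom is "internal name resolves to 10.102.84.15, browser dies", i.e. DNS fine, ports closed), while run_check() does the live resolve-and-connect from whichever side of the ASA you are on.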
Author Closing Comment
by: kapshure
ID: 34200990
Devs hadn't started httpd!
0
Expert Comment
by: patterned (LVL 4)
ID: 34201017
I love when I forget the dumb things.  Just a little nudge is all you needed.


Damn devs! ;)
0
Author Comment
by: kapshure
ID: 34201244
Yeh, I just assumed they had their sh!t together. "ass-u-me" DOH!
0