Solved

Cisco Firewall NAT Question

Posted on 2013-05-10
628 Views
Last Modified: 2013-06-18
Hi all,

Please help me with this puzzle.
I have this server in the DMZ zone which is NAT'd to a public address. After I put the static NAT in, it cannot ping the internet, whereas I can ping this public address from outside.

I have about 10 servers with the same settings which are NAT'd the same way to public IP addresses, and they are working perfectly.
I have no idea why this problem is happening with this server; am I missing something here?

Please help.....

name 10.10.100.151 fisheye_private
name 207.***.255.119 fisheye_public
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255


Thanks
Jas
Question by:jasmanes
12 Comments
 
Expert Comment

by:naderz
ID: 39156225
Do you have an ACL for the DMZ interface to allow the traffic from the server in to the DMZ interface?
 

Author Comment

by:jasmanes
ID: 39156246
Yes, I do have the ACL.

This server falls under the 10.10.100.* subnet and there are about 10-15 servers which have similar config lines. They are working perfectly.

This is a RHEL box with the IP 10.10.100.151, and if I give the same IP to another DMZ server box, then that server can ping outside...
 
Expert Comment

by:naderz
ID: 39156264
How about within the server itself? Can the server ping other servers on its network? Can it ping its default gateway?

Author Comment

by:jasmanes
ID: 39156292
Yes, this server can ping the entire internal network and its gateway. That's why I cannot blame the server here.

If I remove the NAT line, then it can ping outside as well :(
 
Expert Comment

by:rauenpc
ID: 39156411
What version of OS is the ASA running? If it is 8.3 or beyond, the outside ACL needs to reference the real IP addresses, not the public IP which gets NAT'd.
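To make the 8.2-versus-8.3 difference concrete, here is the asker's static NAT and ACL pair written out in both syntaxes. This is an added example, not configuration from the original post or from either commenter: the interface names dmz and outside and the two name entries come from the question, the access-group binding and the object names used for the 8.3 form are assumed, and the public address is left masked exactly as the question shows it.

```cisco
! --- ASA 8.2 and earlier (the syntax in the question) ---
! The outside ACL matches on the TRANSLATED (public) address,
! because pre-8.3 code applies NAT before the inbound ACL check.
name 10.10.100.151 fisheye_private
name 207.***.255.119 fisheye_public
static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
! assumed: the ACL is bound inbound on the outside interface
access-group from-outside-inbound in interface outside

! --- ASA 8.3 and later ---
! NAT moves into network objects, and because the ACL is now evaluated
! after un-NAT, the outside ACL matches on the REAL (private) address.
object network fisheye_public
 host 207.***.255.119
object network fisheye_private
 host 10.10.100.151
 nat (dmz,outside) static fisheye_public
access-list from-outside-inbound extended permit tcp any object fisheye_private eq www
access-group from-outside-inbound in interface outside
```

One caveat that applies to both versions: the ACL above only admits inbound HTTP. For the server's own outbound pings to get their echo-replies back through the ASA, either icmp inspection must be enabled in the global service policy or the outside ACL must also permit icmp echo-reply to the server. Since the asker's other NAT'd servers can ping out, that part is evidently already in place and is not what differs for this host.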
 

Author Comment

by:jasmanes
ID: 39156442
I didn't get this.
10.10.100.151 is my server IP.
207.***.255.119 is one from our pool that I fill in at our public DNS provider.

Can you please write the ACL here as well?

Thanks
Jas
 
Expert Comment

by:naderz
ID: 39156528
How are you NATing and ACLing the other servers that are working?
 

Author Comment

by:jasmanes
ID: 39156896
Ahhh..

I am not sure, but I guess I found the solution. I was able to shut down one of the DMZ servers which was NAT'd. I didn't touch the public DNS part for this server, but I gave its internal IP address to the server in question, which was already NAT'd to the outside.

The difference is that now the public DNS name is different from the internal server name.

Maybe this was the problem? Previously the public DNS name was exactly the same as the internal one, for example:

name 10.10.100.151 fisheye_private    abc.example.net
name 207.***.255.119 fisheye_public    abc.example.net

Which now is:

name 10.10.100.151 fisheye_private    abc.example.net
name 207.***.255.119 fisheye_public    xyz.example.net

Was this the problem, do you think?
 
Expert Comment

by:naderz
ID: 39156942
You can verify that by testing using the IP address instead of the name.
 

Author Comment

by:jasmanes
ID: 39156960
Yes, it's working both ways.

I've got an ASA 5520 on 8.2. Maybe I need to restart it if the same name is not the issue.
 
Accepted Solution

by:
naderz earned 500 total points
ID: 39157124
Interesting, let's list what you have done and what works and what doesn't.
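A checklist of ASA commands that turns "what works and what doesn't" into firewall-side evidence, so the answer does not have to rest on swapping IP addresses between servers. This is an added example and not part of naderz's answer or the asker's configuration: it assumes the interface names dmz and outside from the question, uses 198.51.100.1 (a documentation address) as a stand-in for whatever internet host the server is pinging, and leaves the public address masked as the question shows it.

```cisco
! Run from the ASA CLI in enable mode (8.2 syntax, as on the asker's 5520).

! 1. Is a translation actually installed for this server, and does it map to
!    the public address the question names?
show xlate local 10.10.100.151

! 2. Compare this server's NAT and ACL lines with the ones for the servers that work.
show running-config static | include 10.10.100.151
show running-config access-list from-outside-inbound
show running-config access-group

! 3. Simulate the server's outbound ping (ICMP type 8, code 0 = echo request)
!    and read which phase drops it: ROUTE-LOOKUP, ACCESS-LIST, NAT, or none.
!    198.51.100.1 is an assumed stand-in for the real internet target.
packet-tracer input dmz icmp 10.10.100.151 8 0 198.51.100.1 detailed

! 4. Simulate the echo-reply (type 0, code 0) returning from the internet
!    to the public address; this is where a missing echo-reply permit or
!    missing icmp inspection shows up as a drop.
packet-tracer input outside icmp 198.51.100.1 0 0 207.***.255.119 detailed

! 5. If the static line was added while the server already had traffic flowing,
!    a stale translation can outlive the change; clear it for this host and retest.
clear xlate local 10.10.100.151
```

Each packet-tracer run ends with a Result block giving Action: allow or drop and, on a drop, a Drop-reason naming the phase. Running steps 3 and 4 once for this server and once for a working server, with only the source address changed, isolates the difference to the firewall or rules it out entirely; if both hosts trace as allow, the problem is on the server or on the path beyond the ASA rather than in the NAT configuration.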
 

Author Closing Comment

by:jasmanes
ID: 39257334
ss
