Solved

Cisco Firewall NAT Question

Posted on 2013-05-10
Last Modified: 2013-06-18
Hi all,

Please help me with this puzzle.
I have a server in the DMZ zone which is NAT'd to a public address. After I put the static NAT in, it cannot ping the internet, whereas I can ping this public address from outside.

I have about 10 servers with the same settings which are NAT'd the same way to public IP addresses, and they are working perfectly.
I have no idea why this problem is happening with this server; am I missing something here?

Please help.....

name 10.10.100.151 fisheye_private
name 207.***.255.119 fisheye_public
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255


Thanks
Jas
Question by:jasmanes
 
LVL 11

Expert Comment

by:naderz
ID: 39156225
Do you have an ACL on the DMZ interface to allow the traffic from the server into the DMZ interface?
 

Author Comment

by:jasmanes
ID: 39156246
Yes, I do have the ACL..

This server falls under the 10.10.100.* subnet and there are about 10-15 servers which have similar config lines... They are working perfectly.

This is an RHEL box with the 10.10.100.151 IP, and if I give the same IP to another DMZ server box, then that server can ping outside...
 
LVL 11

Expert Comment

by:naderz
ID: 39156264
How about within the server itself? Can the server ping other servers on its network? Can it ping its default gateway?
 

Author Comment

by:jasmanes
ID: 39156292
Yes, this server can ping the entire internal network and its gateway.. That's why I cannot blame the server here.

If I remove the NAT line, then it can ping outside as well :(
 
LVL 20

Expert Comment

by:rauenpc
ID: 39156411
What version of OS is the ASA running? If it is 8.3 or later, the outside ACL needs to reference the real IP addresses, not the public IP which gets NAT'd.
 
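The point rauenpc raises above, checked mechanically: an added Python example (not from the thread or from Cisco) that parses the `name`, `access-list` and `static` lines of a constructed config modelled on the question and flags an outside ACL whose `host` is the NAT-mapped address on 8.3+ or the real address on 8.2. The version string, the placeholder public address 203.0.113.119 and the function names are assumptions.

```python
import re

# Constructed ASA 8.x fragment modelled on the question; 203.0.113.119 is a
# placeholder for the redacted public address, not a value from the thread.
CONFIG = """\
name 10.10.100.151 fisheye_private
name 203.0.113.119 fisheye_public
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255
"""

def parse_config(text):
    """Collect name->IP mappings, ACL 'host' targets and static NAT entries."""
    names, acl_hosts, statics = {}, [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]              # name <ip> <label>
        elif parts[0] == "access-list" and "host" in parts:
            acl_hosts.append((parts[1], parts[parts.index("host") + 1]))
        elif parts[0] == "static" and len(parts) >= 4:
            # static (real_ifc,mapped_ifc) <mapped> <real> netmask ...
            m = re.match(r"\((\w+),(\w+)\)", parts[1])
            if m:
                statics.append({"real_if": m.group(1), "mapped_if": m.group(2),
                                "mapped": parts[2], "real": parts[3]})
    return names, acl_hosts, statics

def check_acl_addressing(text, asa_version):
    """Return findings; an empty list means the ACL matches the NAT model."""
    names, acl_hosts, statics = parse_config(text)
    ip = lambda tok: names.get(tok, tok)          # resolve a label to its IP
    major, minor = (int(x) for x in asa_version.split(".")[:2])
    wants_real = (major, minor) >= (8, 3)         # 8.3+ ACLs see the real (pre-NAT) address
    findings = []
    for acl, tok in acl_hosts:
        for s in statics:
            if wants_real and ip(tok) == ip(s["mapped"]):
                findings.append(f"{acl}: host {tok} is the mapped address; "
                                f"ASA {asa_version} expects the real address {s['real']}")
            elif not wants_real and ip(tok) == ip(s["real"]):
                findings.append(f"{acl}: host {tok} is the real address; "
                                f"ASA {asa_version} expects the mapped address {s['mapped']}")
    return findings

if __name__ == "__main__":
    for ver in ("8.2", "8.4"):
        print(ver, check_acl_addressing(CONFIG, ver) or ["ok"])
```

On the 8.2 box from the thread the constructed config passes; the same lines on 8.3+ are flagged because the ACL names the mapped address.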

Author Comment

by:jasmanes
ID: 39156442
I didn't get this.
10.10.100.151 is my server IP.
207.***.255.119 is one from our pool that I entered with our public DNS provider.

Can you please write the ACL here as well?

Thanks
Jas
 
LVL 11

Expert Comment

by:naderz
ID: 39156528
How are you NATing and applying ACLs for the other servers that are working?
 

Author Comment

by:jasmanes
ID: 39156896
Ahhh..

I am not sure, but I guess I found the solution. I was able to shut down one of the DMZ servers which was NAT'd. I didn't touch the public DNS part for this server, but I gave its internal IP address to the server in question, which was already NAT'd to the outside.

The difference is that now the public DNS name is different from the internal server name..

Maybe this was the problem? Previously the public DNS name was exactly the same as the internal one. For example:
name 10.10.100.151 fisheye_private                        abc.example.net
name 207.***.255.119 fisheye_public                      abc.example.net

Which now is

name 10.10.100.151 fisheye_private                        abc.example.net
name 207.***.255.119 fisheye_public                      xyz.example.net

Was this the problem, do you think?
 
LVL 11

Expert Comment

by:naderz
ID: 39156942
You can verify that by testing using the IP address instead of the name.
 

Author Comment

by:jasmanes
ID: 39156960
Yes, it's working both ways.

I have an ASA 5520 running 8.2.. Maybe I need to restart it if the same name is not the issue.
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 39157124
Interesting, let's list what you have done and what works and what doesn't.
 

Author Closing Comment

by:jasmanes
ID: 39257334
ss