Cisco Firewall NAT Question

Asked by jasmanes

Hi all,

Please help me with this puzzle.
I have a server in the DMZ zone which is NAT'd to a public address. After I put in the static NAT, it cannot ping the internet, whereas I can ping this public address from outside.

I have about 10 servers with the same settings which are NAT'd the same way to a public IP address, and they are working perfectly.
I have no idea why this problem is occurring with this server. Am I missing something here?

Please help.....

name 10.10.100.151 fisheye_private
name 207.***.255.119 fisheye_public
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255


Thanks
Jas
naderz:

Do you have an ACL for the DMZ interface to allow the traffic from the server into the DMZ interface?
jasmanes (asker):

Yes, I do have the ACL..

This server falls under the 10.10.100.* subnet and there are about 10-15 servers with similar config lines... They are working perfectly.

This is a RHEL box with the IP 10.10.100.151, and if I give the same IP to another DMZ server box, then that server can ping outside...

naderz:

How about within the server itself? Can the server ping other servers on its network? Can it ping its default gateway?

jasmanes (asker):

Yes, this server can ping the entire internal network and its gateway.. That's why I cannot put the blame on the server here.

If I remove the NAT line, then it can ping outside as well :(

naderz:

What version of OS is the ASA running? If it is 8.3 or beyond, the outside ACL needs to reference the real IP addresses, not the public IP which gets NAT'd.
jasmanes (asker):

I didn't get this.
10.10.100.151 is my server IP.
207.***.255.119 is one from our pool that I entered at our public DNS provider.

Can you please write the ACL here as well?

Thanks
Jas

naderz:

How are you NATing and ACLing the other servers that are working?
jasmanes (asker):

Ahhh..

I am not sure, but I guess I found the solution. I was able to shut down one of the DMZ servers which was NAT'd. I didn't touch the public DNS part for that server, but I gave its internal IP address to the server in question, which was already NAT'd to the outside.

The difference now is that the public DNS name is different from the internal server name..

Maybe this was the problem? Previously the public DNS name was exactly the same as the internal one. For example:
name 10.10.100.151 fisheye_private                        abc.example.net
name 207.***.255.119 fisheye_public                      abc.example.net

Which now is

name 10.10.100.151 fisheye_private                        abc.example.net
name 207.***.255.119 fisheye_public                      xyz.example.net

Was this the problem, do you think?

naderz:

You can verify that by testing using the IP address instead of the name.

jasmanes (asker):

Yes, it's working both ways.

I've got an ASA 5520 running 8.2.. Maybe I need to restart it if the same name is not the issue.
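For reference, here is the posted static NAT and its ACLs written in a least-privilege form for ASA 8.2 (the asker's version), followed by the 8.3+ equivalent naderz refers to, where the outside ACL must name the real address rather than the mapped one. This is an added example, not configuration from the thread; the DMZ ACL name dmz-inbound and the documentation-range address 203.0.113.119 (standing in for the masked 207.***.255.119) are assumptions.

```cisco
! ---- ASA 8.2 (pre-8.3 NAT syntax) ----
! 203.0.113.119 is a placeholder for the masked public address in the thread
name 10.10.100.151 fisheye_private
name 203.0.113.119 fisheye_public

static (dmz,outside) fisheye_public fisheye_private netmask 255.255.255.255

! On 8.2 the outside ACL references the MAPPED (public) address
access-list from-outside-inbound extended permit tcp any host fisheye_public eq www
access-group from-outside-inbound in interface outside

! Once an access-group is bound to dmz, only permitted flows leave the DMZ.
! Allow just what this server needs outbound; nothing else from the DMZ.
access-list dmz-inbound extended permit icmp host fisheye_private any echo
access-list dmz-inbound extended permit tcp host fisheye_private any eq 80
access-list dmz-inbound extended permit tcp host fisheye_private any eq 443
access-list dmz-inbound extended permit udp host fisheye_private any eq 53
access-group dmz-inbound in interface dmz

! Stateful ICMP inspection lets echo replies back in without a blanket
! "permit icmp any any" on the outside interface
policy-map global_policy
 class inspection_default
  inspect icmp

! ---- ASA 8.3+ equivalent: object NAT, outside ACL uses the REAL address ----
object network fisheye_private
 host 10.10.100.151
 nat (dmz,outside) static 203.0.113.119
access-list from-outside-inbound extended permit tcp any object fisheye_private eq www
access-group from-outside-inbound in interface outside
```

On 8.2, `show xlate | include 10.10.100.151` confirms the static translation exists, and `packet-tracer input dmz icmp 10.10.100.151 8 0 <public-destination>` walks the ACL, NAT and inspection phases to show exactly where an outbound ping is dropped.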
ASKER CERTIFIED SOLUTION
naderz