Quantcast
Channel: IEOC - INE's Online Community
Viewing all articles
Browse latest Browse all 10744

WB v4 Sec 5 - DNS doctoring Static -- R3 cannot ping CA-server mapped IP

$
0
0

Hi ,

After doing the configuration as mentioned in the workbook, R3 cannot ping CA-server mapped IP ( 150.51.0.100). 

Below are the logs from R3, ASA2..

Please advice..

 

ASA2 config:

object network CA-Server

 host 10.0.1.100

object network CA-Trans

 host 150.51.0.100

access-list WWW extended permit tcp any host 10.0.1.100 eq www

pager lines 24

mtu Outside 1500

mtu Inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network CA-Server

 nat (Inside,Outside) static 150.51.0.100 dns

access-group WWW in interface Outside

!

Captures from ASA2 OUtside interface:
ASA2(config)# sh capture OUT
877 packets captured
   1: 22:23:25.059490 802.3 encap packet
   2: 22:23:26.946713 150.51.0.2 > 224.0.0.5:  ip-proto-89, length 60
   3: 22:23:27.040281 802.3 encap packet
   4: 22:23:29.194371 802.3 encap packet
   5: 22:23:31.004806 802.3 encap packet
   6: 22:23:33.179159 802.3 encap packet
   7: 22:23:34.180303 150.51.0.12 > 224.0.0.5:  ip-proto-89, length 48
   8: 22:23:35.180349 802.3 encap packet
   9: 22:23:35.422783 10.0.1.3.52879 > 150.51.0.2.53:  udp 21
  10: 22:23:35.434715 150.51.0.2.53 > 10.0.1.3.52879:  udp 37
  11: 22:23:37.029356 150.51.0.2 > 224.0.0.5:  ip-proto-89, length 60
  12: 22:23:37.114541 802.3 encap packet
  13: 22:23:37.967052 arp who-has 150.51.0.100 tell 150.51.0.12
  14: 22:23:39.044889 802.3 encap packet
  15: 22:23:39.340177 arp who-has 150.51.0.100 tell 150.51.0.12
  16: 22:23:40.340222 arp who-has 150.51.0.100 tell 150.51.0.12
  17: 22:23:41.230380 802.3 encap packet
  18: 22:23:43.201893 802.3 encap packet
  19: 22:23:44.180288 150.51.0.12 > 224.0.0.5:  ip-proto-89, length 48
  20: 22:23:44.340283 arp who-has 150.51.0.100 tell 150.51.0.12
  21: 22:23:45.060208 802.3 encap packet
  22: 22:23:47.005218 150.51.0.2 > 224.0.0.5:  ip-proto-89, length 60
  23: 22:23:47.125008 802.3 encap packet
  24: 22:23:49.074230 802.3 encap packet
  25: 22:23:49.340207 arp who-has 150.51.0.100 tell 150.51.0.12
  26: 22:23:51.096476 802.3 encap packet
  27: 22:23:52.988932 802.3 encap packet

Captures from ASA2 Inside interface:

ASA2(config)# sh capture IN

 

798 packets captured

 

   1: 22:24:33.173712 802.3 encap packet

   2: 22:24:34.032682 10.0.1.3 > 150.51.0.100: icmp: echo request

   3: 22:24:34.190313 10.0.1.12 > 224.0.0.5:  ip-proto-89, length 52

   4: 22:24:34.874527 10.0.1.3 > 224.0.0.5:  ip-proto-89, length 64

   5: 22:24:35.204731 802.3 encap packet

   6: 22:24:35.972438 10.0.1.3 > 150.51.0.100: icmp: echo request

   7: 22:24:37.106241 802.3 encap packet

   8: 22:24:37.908125 10.0.1.3 > 150.51.0.100: icmp: echo request

   9: 22:24:39.098032 802.3 encap packet

  10: 22:24:39.979411 10.0.1.3 > 150.51.0.100: icmp: echo request

  11: 22:24:41.161826 802.3 encap packet

  12: 22:24:41.984415 10.0.1.3 > 150.51.0.100: icmp: echo request

  13: 22:24:42.437340 10.0.1.100 > 224.0.0.5:  ip-proto-89, length 64

  14: 22:24:43.162589 802.3 encap packet

  15: 22:24:44.017470 10.0.1.3 > 150.51.0.100: icmp: echo request

  16: 22:24:44.190221 10.0.1.12 > 224.0.0.5:  ip-proto-89, length 52

  17: 22:24:44.935345 10.0.1.3 > 224.0.0.5:  ip-proto-89, length 64

  18: 22:24:45.188390 802.3 encap packet

  19: 22:24:47.217243 802.3 encap packet

  20: 22:24:49.146904 802.3 encap packet

  21: 22:24:51.237994 802.3 encap packet

  22: 22:24:52.453025 10.0.1.100 > 224.0.0.5:  ip-proto-89, length 64

  23: 22:24:53.239169 802.3 encap packet

  24: 22:24:53.884628 10.0.1.3.51838 > 150.51.0.2.53:  udp 21

  25: 22:24:53.898375 150.51.0.2.53 > 10.0.1.3.51838:  udp 37

  26: 22:24:53.924360 10.0.1.3 > 150.51.0.100: icmp: echo request

  27: 22:24:54.190313 10.0.1.12 > 224.0.0.5:  ip-proto-89, length 52

  28: 22:24:55.010985 10.0.1.3 > 224.0.0.5:  ip-proto-89, length 64

  29: 22:24:55.341245 802.3 encap packet

 From R3

R3#sh run | i ip

no ip icmp rate-limit unreachable

ip tcp synwait-time 5

ip cef

ip name-server 150.51.0.2

 ip address 10.0.1.3 255.255.255.0

R3#ping WWW

 

Translating "WWW"...domain server (150.51.0.2) [OK]

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 150.51.0.100, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

R3#

R3#ping 10.0.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/35/44 ms
R3#

Viewing all articles
Browse latest Browse all 10744

Trending Articles