I have set up a lab where the CP machines are in ClusterXL (HA). From my virtual Windows machine I can ping my DNS server on the internet, but when trying to open google etc. it's not opening. I have all the policies in place. Am I missing something?
Topology diagram attached.
Below is the config:
R1:
interface FastEthernet0/0 ---> interface connected to cloud
ip address dhcp
ip nat outside
duplex full
!
interface FastEthernet1/0 --> interface connected to gateway
ip address 1.1.1.4 255.255.255.0
ip nat inside
duplex full
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip route 192.168.1.0 255.255.255.0 1.1.1.254 --> (1.1.1.254 is the virtual IP of gateway eth1, i.e. the external interface)
!
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 1 permit 2.2.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
r1#ping google.com
Translating "google.com"...domain server (150.129.130.254) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.76.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms
Check Point has a default route configured for which the next hop is the router:
Gateway1> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S 0.0.0.0/0 via 1.1.1.4, eth1, cost 0, age 17116 (1.1.1.4 is the router's fa1/0 IP)
C 1.1.1.0/24 is directly connected, eth1
External
C 127.0.0.0/8 is directly connected, lo
C 172.16.1.0/30 is directly connected, eth2
C 172.16.254.0/24 is directly connected, eth3
C 192.168.1.0/24 is directly connected, eth0
Internal
I tried a lot but failed; I would really appreciate it if someone could help, please.
Thanks
Nick
unable to open any website from virtual machine
Check you have proper NAT and accept rules in place.
@_Val_ There is no NAT on the firewall. And from source 192.168.1.0/24 to ANY, HTTPS, HTTP, DNS etc. are allowed in the policy. Snap attached for the same.
So how do you expect packets to get back then?
The router is performing NAT. Please see below:
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 192.168.1.0 255.255.255.0 1.1.1.254 --> (1.1.1.254 is the virtual IP of the cluster, i.e. the external interface)
!
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 1 permit 2.2.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
r1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.168.0.1
1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 1.1.1.0/24 is directly connected, FastEthernet1/0
L 1.1.1.4/32 is directly connected, FastEthernet1/0
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, FastEthernet0/0
L 192.168.0.13/32 is directly connected, FastEthernet0/0
S 192.168.1.0/24 [1/0] via 1.1.1.254
Then another question. Do you have this internal network defined on your external router, so it can return packets to the FW correctly?
Yes, there is a static route "S 192.168.1.0/24 [1/0] via 1.1.1.254". Also, those IPs are mentioned in the access-list:
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 1 permit 2.2.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
Although there is no need for 1.1.1.0/24 & 2.2.2.0/24 in the ACL, I still have those.
My system IP is 192.168.1.4 and the gateway is 192.168.1.254. The cluster virtual IP is 192.168.1.254. So the packet goes out from the system to the default GW, 192.168.1.254. As soon as it hits the virtual IP, the active FW will process it. Now there is a default route on the FW, so it forwards it to the router.
When the packet arrives on the router, it has a default route for the internet, and 192.168.1.0/24 is also allowed in the access-list.
For return traffic there is a static route for 192.168.1.0/24 for which the next hop is 1.1.1.254 (the virtual IP). The active FW should process it and forward it to the Windows machine.
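The round trip described in the post above has three separate requirements: the cluster must route the packet to R1, R1 must own a translation it can reverse when the reply comes back, and R1 must route the un-translated reply back towards the cluster VIP rather than out its default route. The model below is an added example (not code from the thread or from Check Point/Cisco) that walks a DNS query through the lab using the routes and NAT statements quoted in the thread, for both the interface PAT statement and the static NAT entry Nick posted as the fix. The thread never explains why the PAT statement failed on this router, and the model does not claim to; it only shows what each configuration needs on the return path. The reply generator, the PAT port allocation and the `outside_net` check ("can the upstream route back to this source?") are assumptions for illustration.

```python
"""Forwarding and NAT model of the lab in this thread (added example; not code from
the original post). Addresses, interfaces and routes come from the configs shown in
the thread; the reply generator and the PAT port allocation are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def reply(self):
        # the far end answers exactly what it saw
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Hop:
    """A router with longest-prefix routing and optional Cisco-style inside NAT."""
    name: str
    routes: list                                    # (prefix, next hop or None, interface)
    inside_if: str = ""
    outside_if: str = ""
    outside_net: str = ""                           # subnet the upstream can route back to
    acl: list = field(default_factory=list)         # 'ip nat inside source list 1 ...'
    pat_ip: str = ""                                # 'interface Fa0/0 overload' address
    static_nat: dict = field(default_factory=dict)  # 'ip nat inside source static A B'
    table: dict = field(default_factory=dict)       # dynamic (ip, port) -> (ip, port)
    next_port: int = 1024                           # assumed allocation start

    def route(self, dst):
        best = None
        for prefix, via, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        return (None, None) if best is None else (best[1], best[2])

    def nat_outbound(self, pkt):
        if pkt.src in self.static_nat:
            return Packet(self.static_nat[pkt.src], pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if self.pat_ip and any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(p) for p in self.acl):
            key = (pkt.src, pkt.sport)
            if key not in self.table:               # first packet of the flow creates state
                self.table[key] = (self.pat_ip, self.next_port)
                self.next_port += 1
            ip, port = self.table[key]
            return Packet(ip, pkt.dst, pkt.proto, port, pkt.dport)
        return pkt                                  # ACL miss: leaves untranslated

    def nat_inbound(self, pkt):
        for inside, outside in self.static_nat.items():
            if pkt.dst == outside:
                return Packet(pkt.src, inside, pkt.proto, pkt.sport, pkt.dport)
        for (ip, port), mapped in self.table.items():
            if (pkt.dst, pkt.dport) == mapped:
                return Packet(pkt.src, ip, pkt.proto, pkt.sport, port)
        return None                                 # no translation owns this reply


CLUSTER = Hop("cluster", [("0.0.0.0/0", "1.1.1.4", "eth1"), ("1.1.1.0/24", None, "eth1"),
                          ("192.168.1.0/24", None, "eth0")])
R1_ROUTES = [("0.0.0.0/0", "192.168.0.1", "fa0/0"), ("1.1.1.0/24", None, "fa1/0"),
             ("192.168.0.0/24", None, "fa0/0"), ("192.168.1.0/24", "1.1.1.254", "fa1/0")]
ACL_1 = ["1.1.1.0/24", "2.2.2.0/24", "192.168.1.0/24"]


def make_r1(routes=R1_ROUTES, **nat):
    return Hop("R1", routes, inside_if="fa1/0", outside_if="fa0/0", outside_net="192.168.0.0/24", **nat)


def round_trip(r1, pkt):
    """Follow pkt from the VM out through the cluster and R1, then the reply back."""
    via, iface = CLUSTER.route(pkt.dst)
    if (via, iface) != ("1.1.1.4", "eth1"):
        return {"egress": None, "delivered": False, "where": f"cluster sent it via {via} out {iface}"}
    egress = r1.nat_outbound(pkt)
    if ipaddress.ip_address(egress.src) not in ipaddress.ip_network(r1.outside_net):
        return {"egress": egress, "delivered": False,
                "where": f"left R1 with source {egress.src}; upstream has no route back"}
    inner = r1.nat_inbound(egress.reply())
    if inner is None:
        return {"egress": egress, "delivered": False, "where": "R1 has no translation for the reply"}
    via, iface = r1.route(inner.dst)
    if iface != r1.inside_if:
        return {"egress": egress, "delivered": False,
                "where": f"R1 routed the reply for {inner.dst} via {via} out {iface}"}
    via, iface = CLUSTER.route(inner.dst)
    return {"egress": egress, "delivered": iface == "eth0", "where": f"cluster out {iface}"}


DNS_QUERY = Packet("192.168.1.4", "150.129.130.254", "UDP", 52652, 53)  # as seen in fw monitor

if __name__ == "__main__":
    for label, r1 in [("interface PAT", make_r1(acl=ACL_1, pat_ip="192.168.0.13")),
                      ("static NAT", make_r1(static_nat={"192.168.1.4": "192.168.0.8"})),
                      ("PAT, ACL without 192.168.1.0/24", make_r1(acl=ACL_1[:2], pat_ip="192.168.0.13")),
                      ("static NAT, no return route", make_r1(R1_ROUTES[:3], static_nat={"192.168.1.4": "192.168.0.8"}))]:
        print(f"{label}: {round_trip(r1, DNS_QUERY)}")
```

The last two cases are the ones funkylicious and Val are probing for: without 192.168.1.0/24 in ACL 1 the query leaves R1 with its private source and nothing upstream can answer it, and without the `ip route 192.168.1.0 255.255.255.0 1.1.1.254` entry the un-translated reply follows R1's default route back out fa0/0 instead of towards the cluster VIP.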
Run fw monitor on the GW to see what's going on.
When I did nslookup google.com and also tried opening google.com:
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][fw_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth0:I[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth1:o[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth1:i[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_0] eth1:i[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_0] eth1:I[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_0] eth0:o[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_0] eth0:O[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][fw_1] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][fw_2] eth0:o[44]: 192.168.1.1 -> 192.168.1.3 (TCP) len=186 id=55605
TCP: 63910 -> 257 ...PA. seq=95a379c8 ack=1326e0ad
[vs_0][fw_2] eth0:O[44]: 192.168.1.1 -> 192.168.1.3 (TCP) len=186 id=55605
TCP: 63910 -> 257 ...PA. seq=95a379c8 ack=1326e0ad
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][ppak_0] eth0:I[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][ppak_0] eth1:o[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][ppak_0] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=56 id=13891
UDP: 52653 -> 53
[vs_0][ppak_0] eth0:i[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45307
TCP: 257 -> 63910 ....A. seq=1326e0ad ack=95a37a4e
[vs_0][fw_2] eth0:i[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45307
TCP: 257 -> 63910 ....A. seq=1326e0ad ack=95a37a4e
[vs_0][fw_2] eth0:I[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45307
TCP: 257 -> 63910 ....A. seq=1326e0ad ack=95a37a4e
[vs_0][ppak_0] eth1:i[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2866
ICMP: type=3 code=1 unreachable (host)
When I tried to ping both DNS servers:
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][fw_1] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][fw_1] eth0:I[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][fw_1] eth1:o[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][fw_1] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][ppak_0] eth1:i[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_1] eth1:i[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_1] eth1:I[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_1] eth0:o[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_1] eth0:O[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13993
ICMP: type=8 code=0 echo request id=1 seq=82
[vs_0][fw_1] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13993
ICMP: type=8 code=0 echo request id=1 seq=82
[vs_0][fw_1] eth0:I[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13993
ICMP: type=8 code=0 echo request id=1 seq=82
[vs_0][fw_1] eth1:o[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13993
ICMP: type=8 code=0 echo request id=1 seq=82
[vs_0][fw_1] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13993
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17867
ICMP: type=8 code=0 echo request id=1 seq=87
[vs_0][fw_0] eth0:i[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17867
ICMP: type=8 code=0 echo request id=1 seq=87
[vs_0][fw_0] eth0:I[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17867
ICMP: type=8 code=0 echo request id=1 seq=87
[vs_0][fw_0] eth1:o[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17867
ICMP: type=8 code=0 echo request id=1 seq=87
[vs_0][fw_0] eth1:O[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17867
ICMP: type=8 code=0 echo request id=1 seq=87
[vs_0][ppak_0] eth1:i[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=87
[vs_0][fw_0] eth1:i[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=87
[vs_0][fw_0] eth1:I[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=87
[vs_0][fw_0] eth0:o[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=87
[vs_0][fw_0] eth0:O[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=87
[vs_0][fw_2] eth0:o[44]: 192.168.1.1 -> 192.168.1.3 (TCP) len=194 id=55695
TCP: 63910 -> 257 ...PA. seq=95a3d486 ack=1326e0c7
[vs_0][fw_2] eth0:O[44]: 192.168.1.1 -> 192.168.1.3 (TCP) len=194 id=55695
TCP: 63910 -> 257 ...PA. seq=95a3d486 ack=1326e0c7
[vs_0][ppak_0] eth0:i[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45397
TCP: 257 -> 63910 ....A. seq=1326e0c7 ack=95a3d514
[vs_0][fw_2] eth0:i[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45397
TCP: 257 -> 63910 ....A. seq=1326e0c7 ack=95a3d514
[vs_0][fw_2] eth0:I[44]: 192.168.1.3 -> 192.168.1.1 (TCP) len=52 id=45397
TCP: 257 -> 63910 ....A. seq=1326e0c7 ack=95a3d514
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][fw_0] eth0:i[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][fw_0] eth0:I[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][fw_0] eth1:o[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][fw_0] eth1:O[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][ppak_0] eth1:i[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=88
Something is blocking your DNS traffic outside of the FW, can't you see?
[vs_0][ppak_0] eth1:i[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2866
ICMP: type=3 code=1 unreachable (host)
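What Val is reading off the fw monitor output above is a per-flow story: the DNS query passes all four inspection points (eth0:i, eth0:I, eth1:o, eth1:O) and leaves the gateway, and the next thing that arrives on eth1 is an ICMP type 3 code 1 (host unreachable) from 1.1.1.4, the router, addressed to the client. The pings to the same DNS server and to 8.8.8.8 leave the same way but get echo replies back. The script below is an added example (not part of the thread or of Check Point's tooling) that parses this fw monitor format, groups records into flows and prints that verdict per flow, so the same conclusion can be drawn from a longer capture without reading it by hand. `SAMPLE` is built from lines quoted in this thread; the attribution of an ICMP error to "the newest unanswered flow from that host" is a heuristic, because the one-line summary does not show the quoted inner header.

```python
"""Parser and flow classifier for 'fw monitor' output (added example; not part of the
original post). It reads the one-line packet summaries plus the UDP/TCP/ICMP detail
line that follows each, groups them into flows, and reports for every flow that left
the outside interface whether a reply came back. SAMPLE is built from lines in this thread."""
import re

HEADER = re.compile(r"\[?vs_\d+\]\[(?P<inst>\w+)\]\s+(?P<iface>\w+):(?P<point>[iIoO])\[\d+\]:\s+"
                    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\)")
PORTS = re.compile(r"^(?:UDP|TCP): (?P<sport>\d+) -> (?P<dport>\d+)")
ICMP = re.compile(r"^ICMP: type=(?P<type>\d+) code=(?P<code>\d+)")
ECHO_PAIR = {(8, 0): (0, 0), (0, 0): (8, 0)}    # echo request <-> echo reply


def parse(text):
    """One record per (packet, inspection point): i/I = before/after inbound inspection,
    o/O = before/after outbound inspection. The same packet may appear under several
    instances (ppak_0, fw_0 ...); that is harmless for the flow logic below."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.search(line)
        if m:
            cur = dict(m.groupdict(), sport=None, dport=None, icmp=None)
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := PORTS.match(line)):
            cur.update(sport=int(m["sport"]), dport=int(m["dport"]))
        elif (m := ICMP.match(line)):
            cur["icmp"] = (int(m["type"]), int(m["code"]))
    return records


def flow_key(r):
    if r["proto"] == "ICMP":
        return (r["src"], r["dst"], "ICMP", r["icmp"])
    return (r["src"], r["dst"], r["proto"], r["sport"], r["dport"])


def reverse_key(key):
    src, dst, proto, *rest = key
    if proto == "ICMP":
        return (dst, src, "ICMP", ECHO_PAIR.get(rest[0], rest[0]))
    return (dst, src, proto, rest[1], rest[0])


def is_icmp_error(r):
    return r["proto"] == "ICMP" and r["icmp"] is not None and r["icmp"][0] in (3, 11)


def classify(records, inside="eth0", outside="eth1"):
    """Map each flow that left the outside interface to what happened next."""
    verdicts, sent = {}, []                     # sent: (record index, flow key), in order
    for idx, r in enumerate(records):
        key, err = flow_key(r), is_icmp_error(r)
        if r["iface"] == outside and r["point"] == "O" and not err:
            if key not in verdicts:
                verdicts[key] = "no reply seen"
                sent.append((idx, key))
        elif r["iface"] == outside and r["point"] == "i":
            if err:
                # heuristic: the summary omits the quoted inner header, so charge the
                # error to the newest unanswered flow from the host it is addressed to
                for i, k in reversed(sent):
                    if i < idx and k[0] == r["dst"] and verdicts[k] == "no reply seen":
                        verdicts[k] = f"{r['src']} returned ICMP type {r['icmp'][0]} code {r['icmp'][1]}"
                        break
            elif reverse_key(key) in verdicts:
                verdicts[reverse_key(key)] = f"reply reached gateway on {outside}, not forwarded to {inside}"
        elif r["iface"] == inside and r["point"] == "O" and not err and reverse_key(key) in verdicts:
            verdicts[reverse_key(key)] = "reply delivered to inside"
    return verdicts


SAMPLE = """\
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][fw_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (UDP) len=74 id=13884
UDP: 52652 -> 53
[vs_0][ppak_0] eth1:i[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_0] eth0:O[44]: 1.1.1.4 -> 192.168.1.4 (ICMP) len=56 id=2865
ICMP: type=3 code=1 unreachable (host)
[vs_0][fw_2] eth0:o[44]: 192.168.1.1 -> 192.168.1.3 (TCP) len=186 id=55605
TCP: 63910 -> 257 ...PA. seq=95a379c8 ack=1326e0ad
[vs_0][ppak_0] eth0:i[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][fw_1] eth1:O[44]: 192.168.1.4 -> 150.129.130.254 (ICMP) len=60 id=13992
ICMP: type=8 code=0 echo request id=1 seq=81
[vs_0][ppak_0] eth1:i[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_1] eth0:O[44]: 150.129.130.254 -> 192.168.1.4 (ICMP) len=60 id=43695
ICMP: type=0 code=0 echo reply id=1 seq=81
[vs_0][fw_0] eth1:O[44]: 192.168.1.4 -> 8.8.8.8 (ICMP) len=60 id=17868
ICMP: type=8 code=0 echo request id=1 seq=88
[vs_0][ppak_0] eth1:i[44]: 8.8.8.8 -> 192.168.1.4 (ICMP) len=60 id=0
ICMP: type=0 code=0 echo reply id=1 seq=88
"""

if __name__ == "__main__":
    for flow, verdict in classify(parse(SAMPLE)).items():
        print(f"{flow}: {verdict}")
```

The three verdict strings separate the cases a firewall engineer actually needs to tell apart: a reply that never arrives (problem beyond the gateway), a reply that arrives on eth1 but never leaves eth0 (dropped by the gateway, go look at the logs), and an ICMP error from the next hop, which here names 1.1.1.4 and so points at the router rather than at the cluster.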
Logs when I did tcpdump:
23:00:17.263816 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:17.363774 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:17.764018 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:17.864018 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:18.264152 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:18.264453 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:18.364301 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:18.764406 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:18.864581 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:19.264581 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:19.364724 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:19.511287 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 1123360406:1123361854, ack 846767005, win 76, options [nop,nop,TS val 28654509 ecr 27500058], length 1448
23:00:19.511344 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 1448:2896, ack 1, win 76, options [nop,nop,TS val 28654509 ecr 27500058], length 1448
23:00:19.511361 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 2896:4344, ack 1, win 76, options [nop,nop,TS val 28654509 ecr 27500058], length 1448
23:00:19.511377 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 4344:5792, ack 1, win 76, options [nop,nop,TS val 28654509 ecr 27500058], length 1448
23:00:19.511731 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 1448, win 173, options [nop,nop,TS val 27520077 ecr 28654509], length 0
23:00:19.511752 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 2896, win 173, options [nop,nop,TS val 27520077 ecr 28654509], length 0
23:00:19.511754 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 4344, win 172, options [nop,nop,TS val 27520077 ecr 28654509], length 0
23:00:19.511756 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 5792, win 171, options [nop,nop,TS val 27520077 ecr 28654509], length 0
23:00:19.511867 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 5792:7240, ack 1, win 76, options [nop,nop,TS val 28654510 ecr 27520077], length 1448
23:00:19.511895 IP Gateway1.18192 > 192.168.1.3.57607: Flags [.], seq 7240:8688, ack 1, win 76, options [nop,nop,TS val 28654510 ecr 27520077], length 1448
23:00:19.511911 IP Gateway1.18192 > 192.168.1.3.57607: Flags [P.], seq 8688:9318, ack 1, win 76, options [nop,nop,TS val 28654510 ecr 27520077], length 630
23:00:19.512078 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 7240, win 173, options [nop,nop,TS val 27520077 ecr 28654510], length 0
23:00:19.512088 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 8688, win 173, options [nop,nop,TS val 27520077 ecr 28654510], length 0
23:00:19.512090 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 9318, win 173, options [nop,nop,TS val 27520077 ecr 28654510], length 0
23:00:19.764714 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:19.792412 IP 192.168.1.4.56676 > 150.129.130.254.domain: 17982+ A? google.com. (28)
23:00:19.792461 IP 192.168.1.4.56676 > 8.8.8.8.domain: 17982+ A? google.com. (28)
23:00:19.801208 IP 1.1.1.4 > 192.168.1.4: ICMP host 150.129.130.254 unreachable, length 36
23:00:19.864868 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:20.264864 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:20.265165 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:20.365049 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:20.765076 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:20.865233 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:21.265219 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:21.365396 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:21.765440 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:21.865561 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:22.265571 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:22.265922 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:22.365867 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:22.749761 DTPv1, length 34
23:00:22.749763 aa:bb:cc:01:20:00 (oui Unknown) > 01:00:0c:00:00:00 (oui Unknown) SNAP, oui Cisco (0x00000c), pid Unknown (0x0003), length 68:
0x0000: aaaa 0300 000c 0003 0000 0000 0100 0ccc ................
0x0010: cccc aabb cc01 2000 0022 aaaa 0300 000c ........."......
0x0020: 2004 0100 0100 0500 0002 0005 0300 0300 ................
0x0030: 0540 0004 000a aabb cc01 2000 f82d 743f .@...........-t?
0x0040: 5d64 8010 0020 cfc8 098c a939 ]d.........9
23:00:22.765751 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:22.865999 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:23.265869 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:23.366141 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:23.766146 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:23.792623 IP 192.168.1.4.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:00:23.866196 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:24.266290 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:24.266590 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:24.366502 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:24.515407 IP Gateway1.18192 > 192.168.1.3.57607: Flags [P.], seq 9318:9432, ack 1, win 76, options [nop,nop,TS val 28659513 ecr 27520077], length 114
23:00:24.515859 IP 192.168.1.3.57607 > Gateway1.18192: Flags [.], ack 9432, win 173, options [nop,nop,TS val 27525081 ecr 28659513], length 0
23:00:24.542422 IP 192.168.1.4.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:00:24.766570 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:24.809401 ARP, Request who-has 192.168.1.4 tell Gateway1, length 28
23:00:24.809742 ARP, Reply 192.168.1.4 is-at 50:00:00:2f:00:00 (oui Unknown), length 46
23:00:24.866669 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:25.266787 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:25.292372 IP 192.168.1.4.netbios-ns > 192.168.1.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
23:00:25.366939 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:25.766988 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:25.867062 ARP, Request who-has 192.168.1.254 tell 192.168.1.254, length 28
23:00:25.867274 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:26.094161 IP Gateway1.63910 > 192.168.1.3.set: Flags [P.], seq 246:384, ack 1, win 40, options [nop,nop,TS val 28661092 ecr 27514659], length 138
23:00:26.094624 IP 192.168.1.3.set > Gateway1.63910: Flags [.], ack 384, win 174, options [nop,nop,TS val 27526660 ecr 28661092], length 0
23:00:26.265915 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:26.267365 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:26.367578 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:26.767639 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:26.867433 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:27.267747 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:27.367630 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:27.767864 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:27.867671 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:28.265849 STP 802.1d, Config, Flags [none], bridge-id 8001.aa:bb:cc:01:20:00.8001, length 43
23:00:28.267936 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:28.367938 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
23:00:28.768073 IP Gateway1.cp-cluster > 192.168.1.2.cp-cluster: UDP, length 50
23:00:28.868040 IP 192.168.1.2.cp-cluster > Gateway1.cp-cluster: UDP, length 50
Hi,
From my understanding the VM (192.168.1.4) is in the 192.168.1.0/24 network, which has a GW of .254.
The firewall cluster has a default route towards 1.1.1.4, R1, where there is an ACL which says that traffic coming from 1.1.1.0/24, 2.2.2.0/24 and 192.168.1.0/24 should be PAT-ed with the interface IP of Fa0/0. Correct so far?
When you do a traceroute towards 8.8.8.8 from the VM, where does the traffic stop?
@funkylicious "The firewall cluster has a default route towards 1.1.1.4, R1, where there is an ACL which says that traffic coming from 1.1.1.0/24, 2.2.2.0/24 and 192.168.1.0/24 should be PAT-ed with the interface IP of Fa0/0. Correct so far?" ---> Yes, you are correct.
"When you do a traceroute towards 8.8.8.8 from the VM, where does the traffic stop?" --> Please find the attached snap.
OK, from my understanding your traceroute/ICMP goes through but your DNS/web requests do not.
From R1 directly, can you please try a telnet towards www.google.com on ports 80 and 443?
Also, can you please check the Internet settings in your browser? Maybe also try a telnet/portqry from the VM towards 80 and 443?
If these are not working either, I suspect that something is off between your router and the EVE-NG cloud NET, which connects to your host/real network.
From the router it's working already:
r1#ping google.com
Translating "google.com"...domain server (150.129.130.254) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.76.206, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/14/24 ms
After a lot of troubleshooting, I finally found the solution. Static NAT worked! Now the second question is why overload wasn't working at all. Maybe I have to check with Cisco.
There was only one statement on the router, which was doing interface PAT:
ip nat inside source list 1 interface FastEthernet0/0 overload
(Fa0/0 is connected to the EVE cloud, which represents the real NIC, i.e. my physical system's NIC. Router fa0/0 and the physical system NIC are on the same subnet, 192.168.0.0/24.)
Change I made on the router:
I removed the PAT statement and added a static NAT entry:
ip nat inside source static 192.168.1.4 192.168.0.8
Thanks