Solved

Can’t access our website from the LAN

Posted on 2006-06-17
Last Modified: 2010-04-08
We just added a Cisco ASA5510 to protect our network. Everything works except no one in the LAN can access our imail web site. The web site points to one of our public IPs, x.x.x.35 (we can access the web site from outside, and we just can’t do the same inside after adding the ASA). Is it possible for the inside computers to access our web site using the public IP address? If not, my other option is to set up a DNS record pointing to the web site, for example 192.168.0.213 = www.chicagotech.net (our network domain name is chicagotech.local). I can’t figure out how to do that. Any suggestions?

Here is the Cisco ASA configuration.

ASA Version 7.0(5)

!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.38 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.34 192.168.0.213 netmask 255.255.255.255
static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Question by:blin2000
Accepted Solution by: rsivanandan
ID: 16928691
1. Either you can do it by modifying the DNS and adding a record

OR

Let ASA know that you are trying to reach the internal machine by modifying the following static NAT;

static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255

change the above to;

static (Inside,Outside) tcp x.x.x.35 www 192.168.0.112 www DNS netmask 255.255.255.255
                                                           ^^^

Cheers,
Rajesh
Assisted Solution by: lrmoore
ID: 16929445
>Is it possible the inside computers can access our web site using the public IP address?
No, internal users cannot access your web site using the public IP address.
However, as Rajesh showed above -
IF your internal users use an external DNS server (i.e. from the ISP) then the PIX can "doctor" the DNS response as it comes back in to resolve that public name to the private IP you show in the static. The client then initiates contact to the server's private IP address, never the public IP directly.

If you have an internal DNS server, it is easier/faster to just create your own A record for www.yourcompany.com that resolves to the private IP address.
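The DNS "doctoring" that Rajesh's `static ... dns` keyword turns on and lrmoore describes above, modelled in Python as an added example (this is not code from the thread, from Cisco, or from either poster). It assumes the thread's masked public network x.x.x is 203.0.113.0/24 (a TEST-NET placeholder) and builds its own sample resolver reply, so it runs offline: the reply an outside resolver would return for www.chicagotech.net carries the public address, and the rewrite hands the inside client the private address from the static translation instead.

```python
"""Added example (not from the thread or from Cisco): a toy model of the
ASA "static ... dns" behaviour. The firewall inspects DNS replies coming
back in from the outside and rewrites any A record that carries a public
address from its static NAT table to the matching inside address, so an
inside client that asks an external resolver for www.chicagotech.net is
handed 192.168.0.112 rather than the public x.x.x.35 it cannot reach."""
import socket
import struct

# Static translations from the thread's config. The thread masks the public
# network as x.x.x; 203.0.113.0/24 (TEST-NET-3) is substituted here.
STATIC_NAT = {
    "203.0.113.34": "192.168.0.213",
    "203.0.113.35": "192.168.0.112",
}


def _skip_name(pkt, off):
    """Return the offset just past the DNS name starting at off.
    Handles plain label sequences and compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = pkt[off]
        if length == 0:            # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(pkt):
    """Yield the rdata offset of every IN A record in the answer, authority
    and additional sections of a DNS message."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_ips(pkt):
    """Addresses carried by the A records in a DNS message, in order."""
    return [socket.inet_ntoa(pkt[o:o + 4]) for o in _a_record_offsets(pkt)]


def doctor_dns_reply(pkt, nat_table=STATIC_NAT):
    """Rewrite A records whose address is a public IP in nat_table to the
    inside IP. Returns (new_packet, [(public, inside), ...]). An A record's
    length never changes, so no other offset in the message moves."""
    buf = bytearray(pkt)
    rewrites = []
    for off in _a_record_offsets(pkt):
        public = socket.inet_ntoa(pkt[off:off + 4])
        if public in nat_table:
            inside = nat_table[public]
            buf[off:off + 4] = socket.inet_aton(inside)
            rewrites.append((public, inside))
    return bytes(buf), rewrites


def _encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus root."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_reply(name, ip, txid=0x1234, ttl=300):
    """Constructed sample reply (one question, one A answer) such as an
    external resolver would return; the answer name is a compression pointer
    to the question name at offset 12, as real resolvers emit."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply("www.chicagotech.net", "203.0.113.35")
    doctored, changes = doctor_dns_reply(reply)
    print("resolver said:", answer_ips(reply))
    print("client sees:  ", answer_ips(doctored), changes)
```

The rewrite only happens to replies that actually cross the firewall, which is lrmoore's point: if the inside clients resolve through the internal chicagotech.local server, nothing passes the ASA and the A record in that server's zone is the simpler route. Addresses that are not in the static table (an unrelated site's reply) pass through untouched.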
Author Comment by: blin2000
ID: 16929743
Thank you, Rajesh and lrmoore.

The issue now is how I create the A record because our network domain name and web domain name are different. Do you mean CNAME?
Assisted Solution by: rsivanandan
ID: 16929916
Yeah by adding a CNAME you can do it. If your web domain name is different, I guess you'll have to create a zone for it in your domain and in that you'll have to create the record.


Cheers,
Rajesh
Author Comment by: blin2000
ID: 16939162
Thank you. That works.