Solved

Can’t access our website from the LAN

Posted on 2006-06-17
Last Modified: 2010-04-08
We just added a Cisco ASA5510 to protect our network. Everything works except no one in the LAN can access our IMail web site. The web site points to one of our public IPs, x.x.x.35 (we can access the web site from outside; we just can't do the same from inside after adding the ASA). Is it possible for the inside computers to access our web site using the public IP address? If not, my other option is to set up a DNS record pointing to the web site, for example 192.168.0.213 = www.chicagotech.net (our network domain name is chicagotech.local). I can't figure out how to do that. Any suggestions?

Here is the Cisco ASA configuration.

ASA Version 7.0(5)

!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.38 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.34 192.168.0.213 netmask 255.255.255.255
static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Question by: blin2000

5 Comments

LVL 32

Accepted Solution

by: rsivanandan
rsivanandan earned 50 total points
ID: 16928691
1. Either you can do it by modifying the DNS and add a record

OR

Let ASA know that you are trying to reach the internal machine by modifying the following static NAT;

static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255

change the above to;

static (Inside,Outside) tcp x.x.x.35 www 192.168.0.112 www DNS netmask 255.255.255.255
                                                                                        ^^^

Cheers,
Rajesh

LVL 79

Assisted Solution

by: lrmoore
lrmoore earned 50 total points
ID: 16929445
>Is it possible the inside computers can access our web site using the public IP address?
No, internal users cannot access your web site using the public IP address.
However, as Rajesh showed above -
IF your internal users use an external DNS server (i.e. from the ISP), then the PIX can "doctor" the DNS response as it comes back in, to resolve that public name to the private IP you show in the static. The client then initiates contact to the server's private IP address, never the public IP directly.

If you have an internal DNS server, it is easier/faster to just create your own A record for www.yourcompany.com that resolves to the private IP address.
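The DNS doctoring that Rajesh's `dns` keyword on the static enables, and that lrmoore describes above, shown as an added example that is not part of this thread or of Cisco's code: a small Python model of how an A record in a reply returning from Outside to Inside is rewritten from the mapped (public) address to the real (inside) address of the matching static. 203.0.113.35 is a constructed placeholder for the redacted x.x.x.35, and the sample DNS reply is constructed inline.

```python
import struct
from ipaddress import IPv4Address

# Constructed placeholder for the redacted public address x.x.x.35 (TEST-NET-3 range),
# mirroring "static (Inside,Outside) x.x.x.35 192.168.0.112 ... dns" from the thread.
STATIC_NAT = {"203.0.113.35": "192.168.0.112"}

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def doctor_dns_response(msg: bytes, nat: dict = STATIC_NAT) -> bytes:
    """Rewrite every IN A answer whose address is a mapped (public) IP of a static
    to the real (inside) IP; all other bytes (header, question, TTL) stay untouched."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                              # fixed 12-byte DNS header
    for _ in range(qdcount):              # skip the question section
        off = _skip_name(msg, off) + 4    # QNAME + QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            public_ip = str(IPv4Address(msg[off:off + 4]))
            if public_ip in nat:
                out[off:off + 4] = IPv4Address(nat[public_ip]).packed
        off += rdlen
    return bytes(out)

def build_a_response(name: str, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = qname + struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer

def answered_ip(msg: bytes) -> str:
    """Address of the single A answer in a response built by build_a_response."""
    return str(IPv4Address(msg[-4:]))
```

A reply for a name that does not resolve to a mapped address passes through unchanged, which is why this only helps the clients that resolve via an external server through the ASA; clients using an internal DNS server need the A record lrmoore describes instead.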
LVL 7

Author Comment

by:blin2000
ID: 16929743
Thank you, Rajesh and lrmoore.

The issue now is how I create the A record, because our network domain name and web domain name are different. Do you mean a CNAME?

LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 50 total points
ID: 16929916
Yeah by adding a CNAME you can do it. If your web domain name is different, I guess you'll have to create a zone for it in your domain and in that you'll have to create the record.
Cheers,
Rajesh
LVL 7

Author Comment

by:blin2000
ID: 16939162
Thank you. That works.