Solved

Can’t access our website from the LAN

Posted on 2006-06-17
Last Modified: 2010-04-08
We just added a Cisco ASA5510 to protect our network. Everything works except no one in the LAN can access our imail web site. The web site points to one of our public IPs, x.x.x.35 (we can access the web site from outside and we just can’t do the same inside after adding the ASA). Is it possible for the inside computers to access our web site using the public IP address? If not, my other option is to set up a DNS record pointing to the web site, for example 192.168.0.213 = www.chicagotech.net (our network domain name is chicagotech.local)? I can’t figure out how to do that. Any suggestions?

Here is the Cisco ASA configuration.

ASA Version 7.0(5)

!
hostname ciscoasa
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.x.38 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
access-list out_to_inside extended permit tcp any host x.x.x.34 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.x.35 eq www
access-list out_to_inside extended permit tcp any host x.x.x.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 13001
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 3389
access-list out_to_inside extended permit tcp any host x.x.x.35 eq pop3
access-list out_to_inside extended permit tcp any host x.x.x.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.x.35 eq 8383
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
nat (Inside) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.34 192.168.0.213 netmask 255.255.255.255
static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Question by: blin2000

5 Comments
Accepted Solution by rsivanandan (LVL 32, earned 50 total points), ID: 16928691
1. Either you can do it by modifying the DNS and adding a record

OR

Let ASA know that you are trying to reach the internal machine by modifying the following static NAT;

static (Inside,Outside) x.x.x.35 192.168.0.112 netmask 255.255.255.255

change the above to;

static (Inside,Outside) tcp x.x.x.35 www 192.168.0.112 www DNS netmask 255.255.255.255
                                                           ^^^

Cheers,
Rajesh
0
Assisted Solution by lrmoore (LVL 79, earned 50 total points), ID: 16929445
>Is it possible the inside computers can access our web site using the public IP address?
No, internal users cannot access your web site using the public IP address.
However, as Rajesh showed above -
IF your internal users use an external DNS server (i.e. from the ISP) then the PIX can "doctor" the dns response as it comes back in to resolve that public name to the private IP you show in the static. The client then initiates contact to the server's private IP address, never the public IP directly.

If you have an internal DNS server, it is easier/faster to just create your own A record for www.yourcompany.com that resolves to the private IP address.
0
Author Comment by blin2000 (LVL 7), ID: 16929743
Thank you, Rajesh and lrmoore.

The issue now is how I create the A record because our network domain name and web domain name are different. Do you mean CNAME?
0
Assisted Solution by rsivanandan (LVL 32, earned 50 total points), ID: 16929916
Yeah by adding a CNAME you can do it. If your web domain name is different, I guess you'll have to create a zone for it in your domain and in that you'll have to create the record.


Cheers,
Rajesh
0
Author Comment by blin2000 (LVL 7), ID: 16939162
Thank you. That works.
0
