Using an ASA 5505, internal users cannot access the website using the FQDN (www.example.com) but can using the internal IP (192.168.111.111). External users can use the FQDN but not the internal IP.

Posted on 2008-06-11
Last Modified: 2008-06-16
I have an ASA 5505 configured to use PAT.

There are static routes to translate the external IP / port into an internal IP / port.

e.g. static (inside,outside) tcp interface www 192.168.111.111 www netmask 255.255.255.255 0 0
e.g. static (inside,outside) tcp interface https 192.168.111.112 https netmask 255.255.255.255 0 0

There are also access-list entries to permit the traffic.

e.g. access-list 101 permit tcp any any eq www
e.g. access-list 101 permit tcp any any eq https
access-group 101 in interface outside

I've run these commands as well:

global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.111.0 255.255.255.0
same-security-traffic permit intra-interface

The problem I am experiencing is as follows:

External users (e.g. me from home) can access the website by typing the FQDN (www.example.com) into a browser.

When a user on the inside interface (192.168.111.0/24) types the FQDN for our website into a browser, the external DNS servers return the outside interface IP (74.74.74.74).

When trying to access the website with this IP, traffic is dropped.

Using packet tracer, I notice that Route-Lookup states:

in 74.74.74.74 255.255.255.255 identity

and access-list says:

action - drop
config
implicit rule

If I try a packet trace for 74.74.74.75 then the route lookup states:

in 0.0.0.0 0.0.0.0 outside

and access-list says:

action - allow
config
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any



To add to my confusion, a packet trace for packets destined to an SSH, HTTPS, or telnet port are allowed to flow through.

The access-list in these cases states:

action - allow
config
implicit rule


I'm fairly certain this is a common requirement and my problem can likely be easily and quickly solved, however, the correct configuration eludes me.

Any help is greatly appreciated.

- Aaron
Question by:aarontsung
15 Comments
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 900 total points
ID: 21760945
Simply add the "dns" keyword to your static statements to enable "DNS doctoring".  The ASA rewrites the DNS reply from the external DNS server so your internal clients resolve the site to the internal IP of the server.

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns
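To make the mechanism JFrederick29 describes concrete, here is an added Python model (an illustration, not Cisco code or anything posted in this thread) of what DNS inspection does with the dns keyword: it walks the A records of a DNS reply crossing outside-to-inside and rewrites any address that is the mapped side of a one-to-one static to the real inside address. The static lines, the spare public address 74.74.74.75 and the helper names (parse_static, build_reply, doctor_reply, a_records) are constructed for the example; static PAT entries (tcp interface www ...) are skipped because the rewrite is not applied to PAT, where one mapped address fronts several hosts.

```python
"""Model of ASA DNS doctoring (the `dns` keyword on a static). Added example,
not Cisco code: rewrite A records whose address is the mapped side of a
one-to-one static; static PAT lines are ignored (no single host to pick)."""
import ipaddress
import struct

def parse_static(line, outside_ip):
    """(mapped_ip, real_ip) for a one-to-one static with `dns`, else None."""
    tok = line.split()
    if tok[:2] != ["static", "(inside,outside)"] or "dns" not in tok:
        return None
    if tok[2] in ("tcp", "udp"):              # static PAT: no DNS rewrite
        return None
    mapped = outside_ip if tok[2] == "interface" else tok[2]
    return mapped, tok[3]

def _name(fqdn):
    return b"".join(bytes([len(l)]) + l.encode() for l in fqdn.split(".")) + b"\x00"

def build_reply(fqdn, ips, txid=0x1234):
    """Constructed DNS response carrying one A record per ip (test input)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _name(fqdn) + struct.pack("!HH", 1, 1)            # A, IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)          # ptr to qname
        + ipaddress.IPv4Address(ip).packed for ip in ips)
    return hdr + question + answers

def _skip_name(buf, off):
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                  # compression pointer, 2 bytes
            return off + 2
        off += 1 + n

def _a_rdata_offsets(reply):
    """Yield the offset of each 4-byte A rdata in the answer section."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", reply, 0)
    off = 12
    for _ in range(qd):                       # skip the question section
        off = _skip_name(reply, off) + 4
    for _ in range(an):
        off = _skip_name(reply, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(reply):
    return [str(ipaddress.IPv4Address(reply[o:o + 4])) for o in _a_rdata_offsets(reply)]

def doctor_reply(reply, statics):
    """Rewrite mapped->real per `statics` {mapped: real}; return (bytes, changes)."""
    out, changes = bytearray(reply), []
    for o in _a_rdata_offsets(reply):
        mapped = str(ipaddress.IPv4Address(reply[o:o + 4]))
        if mapped in statics:
            out[o:o + 4] = ipaddress.IPv4Address(statics[mapped]).packed
            changes.append((mapped, statics[mapped]))
    return bytes(out), changes
```

With the two constructed static lines from the lead-in, a reply listing 74.74.74.75 and 74.74.74.74 comes back with only the first address rewritten to 192.168.111.111, which is exactly why the interface-PAT entries in the question do not change what internal clients resolve.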
LVL 6

Expert Comment

by:raptorjb007
ID: 21761061
External users will not be able to access the server using its internal IP; those addresses are not routable on the internet. They should be able to use the external IP address, however.

Regarding the internal FQDN issue, are you by any chance running a windows domain with the same FQDN as the website? If this is the case you need to add a www record in DNS internally for the FQDN of the website and have it resolve to the internal IP.

If the domain FQDN is different, then you are most likely experiencing a routing issue: the ASA does not allow traffic out and back in the same interface. If you cannot resolve this with an internal DNS modification, you could add the following command to the ASA to allow the requests back in. This is neither the most ideal nor the most efficient solution, however.

same-security-traffic permit intra-interface
LVL 6

Expert Comment

by:raptorjb007
ID: 21761084
JFrederick29's solution would work too =)

Author Comment

by:aarontsung
ID: 21761534
JFrederick29:

I've executed the following commands, and still cannot access the website internally using the FQDN.

no static (inside,outside) tcp interface www 192.168.123.111 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.123.111 www netmask 255.255.255.255 dns

The packet tracer is showing the same results.

raptorjb007:

I understand that external users should not be able to access the internal (RFC1918) IP.

The Windows SBS server is running as a .local domain.

I've also already applied the setting you suggested.

"I've run these commands as well:

...
same-security-traffic permit intra-interface"



LVL 43

Expert Comment

by:JFrederick29
ID: 21761567
Verify you have DNS inspection turned on.

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

Author Comment

by:aarontsung
ID: 21761831
JFrederick29:

I've got:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map



I've attached a more or less complete running-config.

Any idea what I'm doing wrong?
ciscoasa# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password bivuDDZY8S4bcY9S encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Bellnet
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq smtp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq 951
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq 59002
access-list 101 extended permit tcp any any eq 59001
access-list 101 extended permit tcp any any eq 59008
access-list 101 extended permit tcp any any eq 59006
access-list 101 extended permit tcp any any eq 59011
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.123.1 192.168.123.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.123.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list FieldIPSEC_splitTunnelAcl standard permit host 192.168.123.1
access-list inside_acl extended permit ip 192.168.123.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit object-group TCPUDP 192.168.123.0 255.255.255.0 interface outside eq www
access-list acl_outside_in extended permit icmp any any echo-reply
access-list acl_outside_in extended permit icmp any any unreachable
access-list acl_outside_in extended permit icmp any any time-exceeded
access-list RemoteFieldUsers_splitTunnelAcl standard permit any
access-list outside_cryptomap_4 extended permit ip 192.168.123.0 255.255.255.0 192.168.129.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.123.60-192.168.123.75 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.123.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.123.239 www netmask 255.255.255.255  dns
static (inside,outside) tcp interface smtp 192.168.123.1 smtp netmask 255.255.255.255  dns
static (inside,outside) tcp interface pop3 192.168.123.1 pop3 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 951 192.168.123.1 951 netmask 255.255.255.255  dns
static (inside,outside) tcp interface https 192.168.123.1 https netmask 255.255.255.255  dns
static (inside,outside) tcp interface 59002 192.168.123.183 59002 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 59001 192.168.123.194 59001 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 59008 192.168.123.1 59008 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 59006 192.168.123.237 59006 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 59011 192.168.123.239 59011 netmask 255.255.255.255  dns
access-group inside_acl in interface inside
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 ipsec-isakmp dynamic *.*.com
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer *.*.*.*
crypto map outside_map 5 set transform-set ESP-DES-MD5
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set phase1-mode aggressive group1
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.123.183 255.255.255.255 inside
telnet timeout 5
ssh 192.168.123.183 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group Bellnet request dialout pppoe
vpdn group Bellnet localname ********
vpdn group Bellnet ppp authentication pap
vpdn username ********** password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.123.3-192.168.123.254 inside
dhcpd auto_config outside interface inside
!
 
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 71.32.26.52 source outside prefer
webvpn
 port 444
 enable outside
 dtls port 444
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value RemoteFieldUsers_splitTunnelAcl
 webvpn
  url-list value Database
  svc rekey method ssl
  svc ask none default svc
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Database
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 5
group-policy RemoteFieldUsers internal
group-policy RemoteFieldUsers attributes
 wins-server value 192.168.123.1
 dns-server value 192.168.123.1 *.*.*.*
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteFieldUsers_splitTunnelAcl
 default-domain value myDomain.local
group-policy FieldIPSEC internal
group-policy FieldIPSEC attributes
 wins-server value 192.168.123.1
 dns-server value 192.168.123.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value FieldIPSEC_splitTunnelAcl
 default-domain value myDomain.local
username aaronk password FY42o6sFgknqVKkN encrypted privilege 15
username aaronk attributes
 vpn-group-policy FieldIPSEC
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNPool
 address-pool VPNPool
 authorization-server-group LOCAL
 dhcp-server 192.168.123.1
 strip-realm
 password-management
 override-account-disable
 strip-group
 authorization-required
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
 strip-realm
 password-management
 override-account-disable
 strip-group
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group FieldIPSEC type remote-access
tunnel-group FieldIPSEC general-attributes
 address-pool VPNPool
 default-group-policy FieldIPSEC
tunnel-group FieldIPSEC ipsec-attributes
 pre-shared-key *
tunnel-group RemoteFieldUsers type remote-access
tunnel-group RemoteFieldUsers general-attributes
 address-pool VPNPool
 default-group-policy RemoteFieldUsers
tunnel-group RemoteFieldUsers ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:1d4391905b787fcdc02f459e9066ab24
: end

LVL 43

Accepted Solution

by:JFrederick29
JFrederick29 earned 900 total points
ID: 21761902
You may need to clear your DNS cache on your PCs. Do an ipconfig /flushdns or reboot your PC, then do an nslookup for your website. You should get the internal IP address.
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 600 total points
ID: 21761906
Is the primary DNS your clients using for resolution an internal server or external?

Author Comment

by:aarontsung
ID: 21762235
The nslookup produced the external IP.

raptorjb007's questions made clear one of the problems.

I am running on a dev server that uses the local DNS server.  Every other machine uses the production SBS server's DNS.

I added an A record to the SBS's DNS so the FQDN resolves to the computer hosting the website.

What I'd like to do is:

Change that A record to point to the ASA's internal IP (192.168.123.2).

Then, have the ASA perform PAT on the traffic.

E.g. www.example.com:1234 should resolve to 192.168.123.2:1234
which should then be translated to 192.168.123.239:1234

I've tried adding:

static (inside,inside) tcp interface www 192.168.123.239 www netmask 255.255.255.255 0 0

but it didn't work as expected.

The packet tracer shows the first error at the NAT-Exempt stage. It states:

config
nat (inside) 0 access-list inside_nat0_outbound
match up inside any inside 192.168.123.0 255.255.255.0
nat exempt
translate_hits = 27, untranslate_hits = 0
LVL 43

Expert Comment

by:JFrederick29
ID: 21762277
Ah, okay, it sounded like you were using external DNS servers.  Why not just add the A record to your internal DNS server and be done with it?
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 900 total points
ID: 21762296
By the way, if you clear cache on your internal DNS servers and you have forwarders to external DNS servers, the DNS rewrite should work.

Author Comment

by:aarontsung
ID: 21762328
I've added a record to the internal DNS server, but I still can't produce the desired behaviour.

The DNS record resolves the FQDN to an internal IP just fine -- it returns the internal interface of the ASA.

That alone isn't enough.

Using VNC as an example, I want to be able to use www.example.com:5900 to VNC into 192.168.123.1:5900 and www.example.com:5901 to VNC into 192.168.123.3:5901

Adding static routes for (inside,inside) doesn't PAT the traffic like I'd hoped, and I'm not quite sure what else to try.

To clarify, I want internal users to be able to type:

http://192.168.123.2:5900   

and have the router establish a connection with

http://192.168.123.111:5901

Thanks,

Aaron
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 900 total points
ID: 21762455
Why not use A records for each connection you are trying to establish:

vnc1.example.com  <--resolves to 192.168.123.1
vnc2.example.com  <--resolves to 192.168.123.3
www.example.com  <--resolves to 192.168.111.111
etc...

Author Comment

by:aarontsung
ID: 21762584
JFrederick29:

Although that would certainly allow me to access the various computers, it would not replicate the external functionality.

The real issue here is I don't want to make separate sets of instructions for connecting to resources internally vs. externally (and since there is only one public IP, it should work with only one FQDN).

If this isn't possible to do (although I suspect this is a routine and straightforward request), I can certainly create subdomains and point them all to the external IP (in externally hosted DNS), and point the internal DNS server records to the correct internal IPs.
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 600 total points
ID: 21762722
If your internal DNS server has a zone configured for the FQDN you are experiencing a problem with, you do not have much choice other than to manage the records both internally and externally.

If your internal DNS server is simply forwarding DNS queries to an internet DNS server, adding "dns" to the end of your static translations should resolve that issue, as it configures the ASA to modify the DNS query and respond with the internally mapped IP. However, I do not believe this works properly with PAT based port mappings, only static IP to IP NAT translations.

So really, you could use an internal DNS server, create and manage a zone for your FQDN and forward all other lookups to an external server. Or you can try to convert the PAT translations for the servers you are having trouble with to static NAT translations and add the word "dns" to the end of the translation to enable DNS reply modification on the ASA.
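As an added example (not from the thread or Cisco) tying raptorjb007's point to the ASA's static table: the script below parses interface-PAT statics like the ones in the question and decides which published names can be reproduced inside by a plain split-DNS A record, and which fan out to several inside hosts by port and therefore need separate names as JFrederick29 suggested. CONFIG, PUBLISHED and the function names are constructed for the illustration; the published (fqdn, port) list is an assumption about what the public DNS advertises.

```python
"""Split-DNS planner for an ASA interface-PAT table (added example, not from
the thread or Cisco). An internal A record maps a name to one host, while
interface PAT maps one public address to many hosts by port, so a published
name can only be reproduced inside by an A record when every one of its
published ports lands on the same inside host without a port change."""
import re

# Constructed after the static lines quoted in the question.
CONFIG = """\
static (inside,outside) tcp interface www 192.168.123.239 www netmask 255.255.255.255 dns
static (inside,outside) tcp interface https 192.168.123.1 https netmask 255.255.255.255 dns
static (inside,outside) tcp interface smtp 192.168.123.1 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59011 192.168.123.239 59011 netmask 255.255.255.255 dns
"""
# Assumed list of what the public DNS publishes: (fqdn, proto, port).
PUBLISHED = [("www.example.com", "tcp", 80), ("www.example.com", "tcp", 443),
             ("www.example.com", "tcp", 59011), ("mail.example.com", "tcp", 25)]

STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pop3": 110}

def port_number(tok):
    """Accept the ASA's service names as well as numeric ports."""
    return PORT_NAMES.get(tok) or int(tok)

def parse_pat_table(config_text):
    """Map (proto, mapped_port) -> (inside_ip, inside_port)."""
    table = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, mport, real_ip, rport = m.groups()
            table[(proto, port_number(mport))] = (real_ip, port_number(rport))
    return table

def plan_split_dns(published, table):
    """Return (records, conflicts). records: {fqdn: inside_ip} for names a
    single A record can serve; conflicts: {fqdn: [inside hosts]} for names
    whose ports fan out to several hosts or whose port is translated, which
    DNS alone cannot express (use one name per host instead)."""
    hosts, port_changed = {}, set()
    for fqdn, proto, port in published:
        target = table.get((proto, port))
        if target is None:
            continue                        # not published via this firewall
        hosts.setdefault(fqdn, set()).add(target[0])
        if target[1] != port:
            port_changed.add(fqdn)
    records = {n: next(iter(h)) for n, h in hosts.items()
               if len(h) == 1 and n not in port_changed}
    conflicts = {n: sorted(h) for n, h in hosts.items()
                 if len(h) > 1 or n in port_changed}
    return records, conflicts
```

Run against the constructed table, www.example.com lands in conflicts (port 443 goes to 192.168.123.1 while 80 and 59011 go to 192.168.123.239), which is the configuration the question describes and the reason a single internal record cannot mirror the external behaviour.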