Solved

Using an ASA 5505, internal users cannot access the website using the FQDN (www.example.com) but can using the internal IP (192.168.111.111). External users can use the FQDN but not the internal IP.

Posted on 2008-06-11
Last Modified: 2008-06-16
I have an ASA 5505 configured to use PAT.

There are static routes to translate the external IP / port into an internal IP / port.

e.g. static (inside,outside) tcp interface www 192.168.111.111 www netmask 255.255.255.255 0 0
e.g. static (inside,outside) tcp interface https 192.168.111.112 https netmask 255.255.255.255 0 0

There are also access-list entries to permit the traffic.

e.g. access-list 101 permit tcp any any eq www
e.g. access-list 101 permit tcp any any eq https
access-group 101 in interface outside

I've run these commands as well:

global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 192.168.111.0 255.255.255.0
same-security-traffic permit intra-interface

The problem I am experiencing is as follows:

External users (e.g. me from home) can access the website by typing the FQDN (www.example.com) into a browser.

When a user on the inside interface (192.168.111.0/24) types the FQDN for our website into a browser, the external DNS servers return the outside interface IP (74.74.74.74).

When trying to access the website with this IP, traffic is dropped.

Using packet tracer, I notice that Route-Lookup states:

in 74.74.74.74 255.255.255.255 identity

and access-list says:

action - drop
config
implicit rule

If I try a packet trace for 74.74.74.75 then the route lookup states:

in 0.0.0.0 0.0.0.0 outside

and access-list says:

action - allow
config
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any



To add to my confusion, a packet trace for packets destined to an SSH, HTTPS, or telnet port shows they are allowed to flow through.

The access-list in these cases states:

action - allow
config
implicit rule


I'm fairly certain this is a common requirement and my problem can likely be easily and quickly solved, however, the correct configuration eludes me.

Any help is greatly appreciated.

- Aaron
Question by:aarontsung
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 300 total points
ID: 21760945
Simply add the "dns" keyword to your static statements to enable "DNS doctoring".  The ASA rewrites the DNS reply from the external DNS server so your internal clients resolve the site to the internal IP of the server.

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 dns
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21761061
External users will not be able to access the server using its internal IP; those addresses are not routable on the internet. They should be able to use the external IP address, however.

Regarding the internal FQDN issue, are you by any chance running a windows domain with the same FQDN as the website? If this is the case you need to add a www record in DNS internally for the FQDN of the website and have it resolve to the internal IP.

If the domain FQDN is different, then you are most likely experiencing a routing issue: the ASA does not allow traffic out and back in the same interface. If you cannot resolve this with an internal DNS modification, you could add the following command to the ASA to allow the requests back in. This is neither the most ideal nor the most efficient solution, however.

same-security-traffic permit intra-interface
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21761084
JFrederick29's solution would work too =)
 

Author Comment

by:aarontsung
ID: 21761534
JFrederick29:

I've executed the following commands, and still cannot access the website internally using the FQDN.

no static (inside,outside) tcp interface www 192.168.123.111 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.123.111 www netmask 255.255.255.255 dns

The packet tracer is showing the same results.

raptorjb007:

I understand that external users should not be able to access the internal (RFC1918) IP.

The Windows SBS server is running as a .local domain.

I've also already applied the setting you suggested.

"I've run these commands as well:

...
same-security-traffic permit intra-interface"

 
LVL 43

Expert Comment

by:JFrederick29
ID: 21761567
Verify you have DNS inspection turned on.

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 

Author Comment

by:aarontsung
ID: 21761831
JFrederick29:

I've got:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map



I've attached a more or less complete running-config.

Any idea what I'm doing wrong?
ciscoasa# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password bivuDDZY8S4bcY9S encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.123.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Bellnet
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq smtp
access-list 101 extended permit tcp any any eq pop3
access-list 101 extended permit tcp any any eq 951
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq 59002
access-list 101 extended permit tcp any any eq 59001
access-list 101 extended permit tcp any any eq 59008
access-list 101 extended permit tcp any any eq 59006
access-list 101 extended permit tcp any any eq 59011
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.129.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.123.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.123.1 192.168.123.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.123.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list FieldIPSEC_splitTunnelAcl standard permit host 192.168.123.1
access-list inside_acl extended permit ip 192.168.123.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list inside_acl extended permit ip any any
access-list inside_acl extended permit object-group TCPUDP 192.168.123.0 255.255.255.0 interface outside eq www
access-list acl_outside_in extended permit icmp any any echo-reply
access-list acl_outside_in extended permit icmp any any unreachable
access-list acl_outside_in extended permit icmp any any time-exceeded
access-list RemoteFieldUsers_splitTunnelAcl standard permit any
access-list outside_cryptomap_4 extended permit ip 192.168.123.0 255.255.255.0 192.168.129.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.123.60-192.168.123.75 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.123.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.123.239 www netmask 255.255.255.255 dns
static (inside,outside) tcp interface smtp 192.168.123.1 smtp netmask 255.255.255.255 dns
static (inside,outside) tcp interface pop3 192.168.123.1 pop3 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 951 192.168.123.1 951 netmask 255.255.255.255 dns
static (inside,outside) tcp interface https 192.168.123.1 https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59002 192.168.123.183 59002 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59001 192.168.123.194 59001 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59008 192.168.123.1 59008 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59006 192.168.123.237 59006 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 59011 192.168.123.239 59011 netmask 255.255.255.255 dns
access-group inside_acl in interface inside
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 ipsec-isakmp dynamic *.*.com
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer *.*.*.*
crypto map outside_map 5 set transform-set ESP-DES-MD5
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 5 set phase1-mode aggressive group1
crypto map outside_map 5 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.123.183 255.255.255.255 inside
telnet timeout 5
ssh 192.168.123.183 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group Bellnet request dialout pppoe
vpdn group Bellnet localname ********
vpdn group Bellnet ppp authentication pap
vpdn username ********** password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.123.3-192.168.123.254 inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 71.32.26.52 source outside prefer
webvpn
 port 444
 enable outside
 dtls port 444
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value RemoteFieldUsers_splitTunnelAcl
 webvpn
  url-list value Database
  svc rekey method ssl
  svc ask none default svc
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Database
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 5
group-policy RemoteFieldUsers internal
group-policy RemoteFieldUsers attributes
 wins-server value 192.168.123.1
 dns-server value 192.168.123.1 *.*.*.*
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteFieldUsers_splitTunnelAcl
 default-domain value myDomain.local
group-policy FieldIPSEC internal
group-policy FieldIPSEC attributes
 wins-server value 192.168.123.1
 dns-server value 192.168.123.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value FieldIPSEC_splitTunnelAcl
 default-domain value myDomain.local
username aaronk password FY42o6sFgknqVKkN encrypted privilege 15
username aaronk attributes
 vpn-group-policy FieldIPSEC
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool (outside) VPNPool
 address-pool VPNPool
 authorization-server-group LOCAL
 dhcp-server 192.168.123.1
 strip-realm
 password-management
 override-account-disable
 strip-group
 authorization-required
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
 strip-realm
 password-management
 override-account-disable
 strip-group
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group FieldIPSEC type remote-access
tunnel-group FieldIPSEC general-attributes
 address-pool VPNPool
 default-group-policy FieldIPSEC
tunnel-group FieldIPSEC ipsec-attributes
 pre-shared-key *
tunnel-group RemoteFieldUsers type remote-access
tunnel-group RemoteFieldUsers general-attributes
 address-pool VPNPool
 default-group-policy RemoteFieldUsers
tunnel-group RemoteFieldUsers ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:1d4391905b787fcdc02f459e9066ab24
: end

 
LVL 43

Accepted Solution

by:
JFrederick29 earned 300 total points
ID: 21761902
You may need to clear your DNS cache on your PC's.  Do an ipconfig /flushdns or reboot your PC then do an nslookup for your website.  You should get the internal IP address.
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 200 total points
ID: 21761906
Is the primary DNS your clients using for resolution an internal server or external?
 

Author Comment

by:aarontsung
ID: 21762235
The nslookup produced the external IP.

raptorjb007's question made clear one of the problems.

I am running on a dev server that uses the local DNS server.  Every other machine uses the production SBS server's DNS.

I added an A record to the SBS's DNS so the FQDN resolves to the computer hosting the website.

What I'd like to do is:

Change that A record to point to the ASA's internal IP (192.168.123.2).

Then, have the ASA perform PAT on the traffic.

E.g. www.example.com:1234 should resolve to 192.168.123.2:1234
which should then be translated to 192.168.123.239:1234

I've tried adding:

static (inside,inside) tcp interface www 192.168.123.239 www netmask 255.255.255.255 0 0

but it didn't work as expected.

The packet tracer shows the first error at the NAT-Exempt stage. It states:

config
nat (inside) 0 access-list inside_nat0_outbound
match up inside any inside 192.168.123.0 255.255.255.0
nat exempt
translate_hits = 27, untranslate_hits = 0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21762277
Ah, okay, it sounded like you were using external DNS servers.  Why not just add the A record to your internal DNS server and be done with it?
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 300 total points
ID: 21762296
By the way, if you clear cache on your internal DNS servers and you have forwarders to external DNS servers, the DNS rewrite should work.
 

Author Comment

by:aarontsung
ID: 21762328
I've added a record to the internal DNS server, but I still can't produce the desired behaviour.

The DNS record resolves the FQDN to an internal IP just fine -- it returns the internal interface of the ASA.

That alone isn't enough.

Using VNC as an example, I want to be able to use www.example.com:5900 to VNC into 192.168.123.1:5900 and www.example.com:5901 to VNC into 192.168.123.3:5901

Adding static routes for (inside,inside) doesn't PAT the traffic like I'd hoped, and I'm not quite sure what else to try.

To clarify, I want internal users to be able to type:

http://192.168.123.2:5900  

and have the router establish a connection with

http://192.168.123.111:5901

Thanks,

Aaron
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 300 total points
ID: 21762455
Why not use A records for each connection you are trying to establish:

vnc1.example.com  <--resolves to 192.168.123.1
vnc2.example.com  <--resolves to 192.168.123.3
www.example.com  <--resolves to 192.168.111.111
etc...
 

Author Comment

by:aarontsung
ID: 21762584
JFrederick29:

Although that would certainly allow me to access the various computers, it would not replicate the external functionality.

The real issue here is I don't want to make separate sets of instructions for connecting to resources internally vs. externally (and since there is only one public IP, it should work with only one FQDN).

If this isn't possible to do (although I suspect this is a routine and straightforward request), I can certainly create sub domains and point them all to the external IP (in externally hosted DNS), and point the internal DNS server records to the correct internal IPs.
 
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 200 total points
ID: 21762722
If your internal DNS server has a zone configured for the FQDN you are experiencing a problem with, you do not have much choice other than to manage the records both internally and externally.

If your internal DNS server is simply forwarding DNS queries to an internet DNS server, adding "dns" to the end of your static translations should resolve that issue, as it configures the ASA to modify the DNS reply and respond with the internally mapped IP. However, I do not believe this works properly with PAT-based port mappings, only static IP-to-IP NAT translations.

So really, you could use an internal DNS server, create and manage a zone for your FQDN, and forward all other lookups to an external server. Or you can try to convert the PAT translations for the servers you are having trouble with to static NAT translations and add the word "dns" to the end of the translation to enable DNS reply modification on the ASA.
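The mechanism JFrederick29 describes in the first answer (the "dns" keyword on a static makes the ASA rewrite the A record in a forwarded DNS reply) and the limit raptorjb007 points out above (an A record carries no port, so a tcp/udp port-based static PAT gives the rewrite nothing to key on) can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from the ASA, and the static lines, the 74.74.74.74 outside address and the DNS reply it builds are constructed placeholders. It parses pre-8.3 `static (inside,outside)` lines into a global-to-local rewrite table (IP-to-IP statics with "dns" only), then walks a real DNS response's question and answer sections, following name-compression pointers, and swaps the 4-byte RDATA of any A record whose address is in the table.

```python
"""DNS doctoring model: rewrite A-record answers according to a static NAT table.

Added example for this thread; models ASA behaviour, it is not ASA code.
"""
import struct


def nat_table_from_statics(lines, outside_if_ip):
    """Build {global_ip: local_ip} from pre-8.3 'static (inside,outside) ... dns' lines.

    Port-based (tcp/udp) statics are returned separately as unusable: an A record
    carries no port, so a port mapping has nothing to key on in a DNS reply.
    'interface' as the global address is resolved to outside_if_ip (constructed value).
    """
    table, skipped = {}, []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "static" or "dns" not in t:
            continue                      # no 'dns' keyword: reply is left untouched
        if t[2] in ("tcp", "udp"):
            skipped.append(line)          # static PAT: cannot be applied to an A record
            continue
        global_ip = outside_if_ip if t[2] == "interface" else t[2]
        table[global_ip] = t[3]
    return table, skipped


def _read_name(pkt, off):
    """Skip the DNS name starting at 'off' (RFC 1035 labels, with compression pointers).

    Returns the offset just past the name as it appears in the packet.
    """
    end, jumped = off, False
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:         # two-byte compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1 + length
    return end if jumped else off


def doctor_dns_reply(pkt, nat_table):
    """Return (rewritten_packet, [(old_ip, new_ip), ...]) for a DNS response.

    Only IN-class A records in the answer section are touched; everything else,
    including the TTL and the packet length, is preserved.
    """
    flags, qdcount, ancount = struct.unpack("!HHH", pkt[2:8])
    if not flags & 0x8000:
        return pkt, []                    # QR bit clear: a query, not a response
    off = 12
    for _ in range(qdcount):
        off = _read_name(pkt, off) + 4    # skip QTYPE + QCLASS
    out, rewrites = bytearray(pkt), []
    for _ in range(ancount):
        off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addr = ".".join(str(b) for b in pkt[off:off + 4])
            if addr in nat_table:
                out[off:off + 4] = bytes(int(x) for x in nat_table[addr].split("."))
                rewrites.append((addr, nat_table[addr]))
        off += rdlen
    return bytes(out), rewrites


def build_a_reply(name, addr, flags=0x8180, ttl=300):
    """Construct a minimal one-answer DNS response (test input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    answer = (b"\xc0\x0c"                 # name: pointer back to the question at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(x) for x in addr.split(".")))
    return header + qname + struct.pack("!HH", 1, 1) + answer


if __name__ == "__main__":
    # Constructed statics in the thread's syntax; 74.74.74.74 stands in for the outside IP.
    statics = [
        "static (inside,outside) 74.74.74.74 192.168.123.239 netmask 255.255.255.255 dns",
        "static (inside,outside) tcp interface www 192.168.123.239 www netmask 255.255.255.255 dns",
    ]
    table, skipped = nat_table_from_statics(statics, "74.74.74.74")
    reply = build_a_reply("www.example.com", "74.74.74.74")
    fixed, changes = doctor_dns_reply(reply, table)
    print("rewrite table:", table)
    print("skipped (port PAT, no effect on A records):", skipped)
    print("rewrites applied:", changes)
```

Run as-is it reports one rewrite (74.74.74.74 to 192.168.123.239) from the IP-to-IP static and lists the tcp/www static as skipped, which is the split raptorjb007 describes: with only port-based statics in the posted config, the `dns` keyword has nothing to rewrite, and the internal A record is what does the work. Note that the rewrite only ever sees replies the ASA forwards, so a client using an internal DNS server with its own zone, or a cached answer, is never doctored; that is why the clear-cache and nslookup checks in the accepted answer are the first thing to verify.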
