
Port forwarding on Cisco ASA

I'm trying to set up a port forward through an ASA firewall for a web server. I used the guide posted here, and now I can access the web server externally just fine using the external URL.
However, the problem I'm having is that internal machines are not able to access the web server using the external URL.
I'm not quite sure why this is or how I can go about fixing it.

I have attached the configuration file i'm using.

Thanks
Attachment: asa.txt
Asked by: curwengroup

1 Solution

JFrederick29 commented:
Where is DNS resolution handled for the website hostname? If external, you can use DNS rewrite. Connect to the website by DNS name (not IP).

conf t
static (inside,outside) tcp interface www Web_Server www netmask 255.255.255.255 dns

sysreq2000 commented:
If you have your own DNS server then the easiest way is to create DNS entries for that URL pointing to the internal IP. Then your internal clients will connect directly without going out through NAT first.

If you don't have a DNS server then you can try hosts entries. Otherwise what you're trying to do is known as hairpinning. Google cisco and hairpinning and you will find some discussions on the topic. Officially it can't be done but there are workarounds.

curwengroup (author) commented:
The DNS resolution is handled by an external DNS server for this domain.

I tried the DNS doctoring as described by the Cisco article
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Unfortunately it's not working for some reason. I suspect it's because I'm using an internal DNS server that forwards to other external DNS servers, so the ASA does not get a chance to return the proper doctored DNS reply.

I will run a packet capture to confirm or deny.

lrmoore commented:
Your internal DNS server is going to cache the records and never send the request through the ASA.

curwengroup (author) commented:
Good point on that.
I also tried setting one of my workstations to use my ISP's DNS server to test it out, and it did not work.
However, I tried hairpinning and that seems to work just fine.

Thanks
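For reference, a hairpin (inside-to-inside) NAT configuration of the kind the thread settles on, added here as an example and not taken from the asked asa.txt. It uses the same pre-8.3 syntax as the static line above; the outside address 203.0.113.10 and the inside subnet 192.168.1.0/24 are constructed placeholders, and Web_Server is the server name already used in the thread.

```cisco
! Added example, not the thread's configuration. Placeholders (constructed):
!   203.0.113.10     = the ASA outside interface address
!   192.168.1.0/24   = the inside LAN
!   Web_Server       = the internal web server name used in the thread
!
! 1. Permit traffic to enter and leave the same interface; without this the
!    ASA drops inside-to-inside flows.
same-security-traffic permit intra-interface
!
! 2. PAT inside clients to the inside interface address when the flow turns
!    around. This forces the server's reply back through the ASA; if the
!    server answered the client directly, the client would see a reply from
!    the private address and the TCP session would fail.
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! 3. When an inside host connects to the public address, translate it to the
!    server. The outside address must be written explicitly here; the
!    "interface" keyword would refer to the inside interface in this context.
static (inside,inside) tcp 203.0.113.10 www Web_Server www netmask 255.255.255.255
!
! Alternative without hairpin: DNS rewrite on the existing outside static
! (JFrederick29's suggestion). It only helps when the DNS reply itself passes
! through the ASA; an internal resolver that forwards and caches the answer
! never sends it across the firewall, which is why it failed in this thread.
static (inside,outside) tcp interface www Web_Server www netmask 255.255.255.255 dns
```

The nat (inside) 1 statement is commonly already present for outbound PAT; only the global (inside) and static (inside,inside) lines are new for hairpinning.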