Solved

Port forwarding on Cisco ASA

Posted on 2009-05-08
5
470 Views
Last Modified: 2012-06-21
I'm trying to setup a port forward through an ASA firewall for a webserver. I used the guide posed here and now i can access the web server externally just fine using the external URL.
however the problem i'm having is that internal machines are not able to access the web server using the external URL.
I'm not quite sure why this is or how i can go about fixing it.

I have attached the configuration file i'm using.

Thanks
asa.txt
0
Comment
Question by:curwengroup
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24338838
Where is DNS resolution handled for the website hostname?  If external, you can use DNS rewrite.  Connect to the website by DNS name (not IP).

conf t
static (inside,outside) tcp interface www Web_Server www netmask 255.255.255.255 dns
0
 
LVL 11

Accepted Solution

by:
sysreq2000 earned 500 total points
ID: 24338855
If you have your own DNS server then the easiest way is to create DNS entries for that URL pointing to the internal IP. Then your internal clients will connect directly without going out through NAT first.

If you don't have a DNS server then you can try hosts entries. Otherwise what you're trying to do is known as hairpinning. Google cisco and hairpinning and you will find some discussions on the topic. Officially it can't be done but there are workarounds.
0
 

Author Comment

by:curwengroup
ID: 24340348
The DNS resolution is handled by en external DNS server for this domain.

I tried the DNS doctoring as described by the Cisco article
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

unfortunately it's not working for some reason, i suspect it's because i'm using an internal DNS server that forwards to other external DNS servers so the ASA does not get a chance to return the proper doctored DNS reply.

I will run a packet capture to confirm or deny.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24340942
Your internal dns server is going to cache the records and never send the request through the ASA
0
 

Author Comment

by:curwengroup
ID: 24341253
Good point on that.
I also tried setting one of my workstation with my ISP's DNS server to test it out and it did not work.
However i tried hairpinning and that seems to work just fine.

Thanks
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question