Solved

Problem with accessing web server using public IP address from inside of the network

Posted on 2011-02-23
10
1,691 Views
Last Modified: 2012-05-11
Hi, I have a problem regarding the configuration of a Cisco ASA 5505 security device.

The case is as follows. There is a web server inside the office. I created a rule for port 80 to allow traffic from outside to inside and created a static NAT rule that points to the internal IP address of the web server from outside. It works fine. People from outside the office can access the web server by domain name or public IP address.

The problem starts when someone from inside the company wants to access the web server. The server is not accessible by either its public IP address or its domain name.

I checked the trace route and it gets stuck on the firewall, the Cisco ASA 5505. It seems that I cannot connect from inside to outside and back to inside.

Can anyone help on that?

Thank you for your help.
0
Comment
Question by:rkanabus
10 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 34967654
There are 3 ways you can accomplish this.  I will start with the simplest to most complex.

First off, you can fix this by having internal DNS point to the internal server IP.

Secondly, if you don't have an internal DNS and you have a small operation, you can accomplish the same by changing the hosts file (C:\Windows\System32\Drivers\Etc\hosts) to address the website to the internal IP.

The most complex answer: you will need to create/modify the NAT rule to allow the internal interface to talk to the external IP (example: static (inside,inside) public_ip private_ip netmask 255.255.255.255). This is not the recommended solution though; if possible, choose one of the first two solutions.



0
 

Author Comment

by:rkanabus
ID: 34967706
Thank you for your answer,

I think the first or the last option is best, since the office is quite big and changing the hosts file on each PC would be very time consuming.

Do you know how to change the DNS settings on the internal server? It is Windows Server 2008.
For the last one, why is it not a recommended solution? It sounds good and simple.



0
 
LVL 3

Accepted Solution

by:
overdrive79 earned 167 total points
ID: 34967942
To change the internal DNS, you will need to create an A record for the full web address. The only time you will not want to do this is if your local domain is the same as the web domain, but the default domain names now end with .local instead of .com.

The reason why you will not want to use the NAT rule is that it will always route anything you send to your external IP through the external interface, and you may notice a hit in overall network performance.
0
 

Author Comment

by:rkanabus
ID: 34968129
OK, so I will play around with the DNS settings then.

Thank you for the answer
0
 
LVL 8

Assisted Solution

by:pgolding00
pgolding00 earned 166 total points
ID: 34977231
The third option is not valid. PIX and ASA do not support sending a packet back out the interface it arrived from, unless that packet first arrived via VPN, or that packet will be sent out via VPN, or it arrived via AND will be sent via VPN.

From your description and your comment that the internal server can be accessed from the internet, presumably using its internet DNS name, you have a static translation for the server. Depending on the firewall version, the fixup dns or service-policy is able to translate DNS "A" record responses that pass through the firewall based on the configured static translations. So check your static (or nat, if version 8.3, 8.4) statements for DNS doctoring:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
0
 
LVL 6

Expert Comment

by:Mistralol
ID: 34978608

I would almost suggest ignoring the DNS hack and going for a full solution, but I am yet to get one of these to work on a Cisco router.

The problem with the DNS hack that I have is around iPhones being used internally on a wireless network, where the iPhone will drop the Wi-Fi connection and then cache the external DNS record. When connected to the internal network it still attempts to use the external address because it is cached. It really isn't a solution from my point of view.

0
 

Author Comment

by:rkanabus
ID: 34978873
Thank you for your help. I will spend some time tonight and try to fix the ASA as pgolding00 proposed, and will be back with comments.
0
 

Author Comment

by:rkanabus
ID: 34992891
Hi, I tried to do something with the Cisco ASA, but I have version 7.x.x and it did not work.

I decided to change the internal DNS to solve the issue and now it works perfectly.

To change the DNS settings I had to add a new forward lookup zone with the name of the domain, e.g. www.website.com, and then add a new Host (A) record (left the name blank) with the IP address of the local server.

It did the trick and it works fine for me.

Thank you for your help.
0
 
LVL 1

Assisted Solution

by:orbistechnology
orbistechnology earned 167 total points
ID: 34993902
In your static statement which binds your internal IP and port to an external IP / interface and port, end the command with the "dns" keyword.

Your ASA will detect a DNS lookup that returns a value for an IP address on your outside interface, search for any mappings, and modify the DNS reply to guide your internal user to your internal IP address.

This is the replacement for the older alias command, which as of 8.2.4 still exists.

Does not require modifications to internal DNS. I find maintaining split DNS systems causes much hair pulling when resources are readdressed.

Latest software is 8.4.1 - major NAT changes.  Good luck!
0
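Both pgolding00 and orbistechnology describe the same mechanism: with the "dns" keyword on the static translation, the ASA inspects DNS replies passing through it and rewrites any A record that carries the public side of a static NAT to the private side, so an inside client gets the inside address and never needs to hairpin through the firewall. The script below is an added example, not code from the thread or from Cisco, that models that rewrite on a raw DNS response so you can see exactly what changes in the packet. The public/private pair (203.0.113.10 to 192.168.1.10), the name www.website.com and the response packets are all constructed for illustration; only the standard library is used, so it runs offline.

```python
"""
Added example (not from the original thread or Cisco): a minimal model of
what the "dns" keyword on an ASA static translation does.  It walks a raw
DNS response, finds A records whose address is the *public* side of a
static NAT, and rewrites them to the *private* side, so a client on the
inside gets the inside address.  Standard library only; packets are
constructed here rather than captured.
"""
import ipaddress
import struct

# Assumed mapping for illustration (RFC 5737 public, RFC 1918 private):
# the pair you would put in "static (inside,outside) <public> <private> ... dns".
STATIC_NAT = {"203.0.113.10": "192.168.1.10"}   # public -> private

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_rrs(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each answer-section RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                               # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def build_response(qname, addrs, ttl=300):
    """Construct a DNS response (constructed sample input) with one A RR per address."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    rrs = b""
    for a in addrs:
        # Owner name = compression pointer to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        rrs += ipaddress.IPv4Address(a).packed
    return header + question + rrs


def a_records(msg):
    """Addresses of all A records in the answer section, as dotted strings."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for rtype, rclass, off, rdlen in _answer_rrs(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(msg, mapping=STATIC_NAT):
    """Rewrite A-record RDATA matching a public NAT address to the private one.

    Returns (new_message_bytes, [(public, private), ...]).  The rewrite is
    4 bytes in, 4 bytes out, so no other offsets or lengths change; that is
    what lets the appliance patch the reply in-line.
    """
    buf = bytearray(msg)
    rewrites = []
    for rtype, rclass, off, rdlen in _answer_rrs(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        private = mapping.get(public)
        if private:
            buf[off:off + 4] = ipaddress.IPv4Address(private).packed
            rewrites.append((public, private))
    return bytes(buf), rewrites


def answers_are_rfc1918(msg):
    """The check an inside client cares about: every A answer is RFC 1918."""
    addrs = a_records(msg)
    return bool(addrs) and all(
        any(ipaddress.IPv4Address(a) in n for n in RFC1918) for a in addrs)


if __name__ == "__main__":
    raw = build_response("www.website.com", ["203.0.113.10"])
    fixed, changes = doctor_response(raw)
    print("before:", a_records(raw), "after:", a_records(fixed), changes)
```

The model only touches A records in the answer section whose address exactly matches a mapped public IP; anything else in the reply passes through unchanged, which is also why Mistralol's point stands: a client that cached the undoctored answer elsewhere (for example on cellular) is not helped until that cache entry expires.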
 

Author Comment

by:rkanabus
ID: 35125643
Thank you for your comments. I will try to solve the issue with the ASA, but in the meantime I am using a temporary solution with the DNS trick.
0
