Solved

Problem with accessing web server using public IP address from inside of the network

Posted on 2011-02-23
10
1,667 Views
Last Modified: 2012-05-11
Hi, I have a problem regarding configuration of Cisco ASA 5505 security device.

The case is as follows. There is a web server inside the office. I created a rule for port 80 to allow traffic from outside to inside and created a Static NAT rule to point to the internal IP address of the web server from outside. It works fine. People from outside the office can access the web server by domain name or public IP address.

The problem starts when someone from inside the Company wants to access the web server. The server is not accessible either by using the public IP address or the domain name.

I checked the trace route and it gets stuck on the Firewall, the CISCO ASA 5505. It seems that
I cannot connect from inside to outside and back to inside.

Can anyone help on that?

Thank you for your help.
0
Question by:rkanabus
10 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 34967654
There are 3 ways you can accomplish this.  I will start with the simplest to most complex.

First off, you can fix this by using internal DNS to point to the internal server IP.

Secondly, if you don't have an internal DNS, and you have a small operation, you can accomplish the same by changing the HOST file (C:\Windows\System32\Drivers\Etc\hosts) to address the website to the internal IP.

The most complex answer: you will need to create/modify the NAT rule to allow the internal interface to talk to the external IP (example: static (inside,inside) public_ip private_ip netmask 255.255.255.255). This is not the recommended solution though; if possible, choose one of the first two solutions.



0
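The "inside,inside" approach sketched in the comment above, written out as an added example (it is not configuration from the thread or from Cisco's documentation). All addresses are placeholders: 203.0.113.10 stands for the public address, 192.168.1.10 for the web server and 192.168.1.0/24 for the office LAN. It assumes an ASA release that accepts traffic entering and leaving the same interface (the same-security-traffic command), which the thread does not state for the asker's device.

```cisco
! Added example, not from the thread. Placeholder addresses throughout.
!
! --- ASA 7.x / 8.0 - 8.2 syntax ---
! Allow a flow to enter and leave the same (inside) interface
same-security-traffic permit intra-interface
!
! Existing translation that already serves users on the Internet
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Hairpin: inside clients that connect to the public address are
! translated to the server's private address on the same interface
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! Source translation for the hairpinned flow, so the server's replies
! return through the ASA instead of going straight to the client
! (without it the return path is asymmetric and the connection fails)
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! --- ASA 8.3 and later (manual / twice NAT) ---
object network web-server-private
 host 192.168.1.10
object network web-server-public
 host 203.0.113.10
object network inside-lan
 subnet 192.168.1.0 255.255.255.0
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic inside-lan interface destination static web-server-public web-server-private
!
! Check: "show xlate" after an inside client opens the public address
! should list both the destination and the source translation.
```

Every request from the office to the public address now crosses the firewall twice (in and back out of the inside interface), which is the performance concern the thread raises against this option; the two DNS options avoid that by steering clients to the private address before any packet reaches the ASA.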
 

Author Comment

by:rkanabus
ID: 34967706
Thank you for your answer,

I think the first or last option is the best since the office is quite big and changing host file on each PC will be very time consuming.

Do you know how to change the DNS settings on internal server? It is Windows Server 2008.
For the last one, why is it not a recommended solution? It sounds good and simple.



0
 
LVL 3

Accepted Solution

by:overdrive79 (earned 167 total points)
ID: 34967942
To change the internal dns, you will need to create an A record for the full web address.  The only time you will not want to do this is if your local domain is the same as the web domain, but the default domain names now end with .local instead of .com.

The reason why you will not want to use the NAT rule is because it will always route anything you send to your external IP thru the external interface and you may notice a hit in overall network performance.
0
 

Author Comment

by:rkanabus
ID: 34968129
OK, so I will play around the DNS settings then.

Thank you for the answer
0
 
LVL 8

Assisted Solution

by:pgolding00 (earned 166 total points)
ID: 34977231
the third option is not valid. pix and asa do not support sending a packet back out the interface it arrived from, unless that packet first arrived via vpn, or if that packet will be sent out via vpn, or if it arrived via AND will be sent via vpn.

from your description and your comment that the internal server can be accessed from the internet, presumably using its internet dns name, you have a static translation for the server. depending on the firewall version, the fixup dns or service-policy is able to translate dns "a" record responses that pass through the firewall based on the configured static translations. so check your static (or nat, if version 8.3, 8.4) statements for dns doctoring:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
0

 
LVL 6

Expert Comment

by:Mistralol
ID: 34978608

I would almost suggest ignoring the dns hack and going for a full solution, but I am yet to get one of these to work on a cisco router.

The problem with the dns hack that I have is around iphones being used internally on a wireless network, where the iphone will drop the wifi connection and then cache the external dns record. When connected to the internal network it still attempts to use the external address because it is cached. It really isn't a solution from my point of view.

0
 

Author Comment

by:rkanabus
ID: 34978873
Thank you for your help, I will spend some time tonight and try to fix the ASA as pgolding00 proposed and will be back with comments.
0
 

Author Comment

by:rkanabus
ID: 34992891
Hi, I tried to do something with the CISCO ASA, but I have version 7.x.x and it did not work.

I decided to change the internal DNS to solve the issue and now it works perfect.

To change the DNS settings I had to add new forward lookup zone with the name of the domain e.g. www.website.com and then add new HOST A (left the name blank) and add the IP Address of local server.

It did the trick and it works fine for me.

Thank you for your help.
0
 
LVL 1

Assisted Solution

by:orbistechnology (earned 167 total points)
ID: 34993902
In your static statement which binds your internal IP and port to an external IP / interface and port, end the command with the "dns" keyword.

Your ASA will detect a DNS lookup that returns a value for an IP address on your outside interface, search for any mappings, and modify the DNS reply to guide your internal user to your internal IP address.

This is the replacement to the older alias command, which as of 8.2.4 still exists.

Does not require modifications to internal DNS.  I find maintaining split DNS systems to cause much hair pulling when resources are readdressed.  

Latest software is 8.4.1 - major NAT changes.  Good luck!
0
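The DNS doctoring that pgolding00's link and the comment above both describe, as an added example (not configuration from the thread, the linked Cisco document, or the asker's firewall). Placeholder addresses: 203.0.113.10 is the public address published in DNS and 192.168.1.10 the web server. The version notes are assumptions about where each syntax applies, not something the thread states.

```cisco
! Added example, not from the thread. Placeholder addresses throughout.
!
! --- ASA 7.x / 8.0 - 8.2: the "dns" keyword on the static ---
! Any DNS reply that crosses this interface pair and carries the
! public address in an A record is rewritten to the private address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 dns
!
! Doctoring depends on DNS inspection, which the default global policy
! already applies; shown so the dependency is visible
! (assumption: 7.2 or later, where preset_dns_map exists)
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! --- ASA 8.3 and later: the keyword moves to the object NAT line ---
object network web-server
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10 dns
!
! Check: from an inside client that resolves through a DNS server on
! the outside, the site's A record should now come back as 192.168.1.10.
! "show xlate" lists the static translation and
! "show service-policy inspect dns" confirms inspection is active.
```

Two limits worth knowing before relying on it. The reply is only rewritten if it actually passes through the ASA across that interface pair, so clients must resolve via a DNS server on the outside (or via an internal resolver that forwards out through the ASA); a record served entirely from an internal zone never reaches the firewall. And a record a client already holds in its cache, the roaming-phone case Mistralol describes, is not touched until its TTL expires.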
 

Author Comment

by:rkanabus
ID: 35125643
Thank you for your comments, I will try to solve the issue with the ASA but in the meantime I am using a temporary solution with the DNS trick.
0
