Solved

Problem with accessing web server using public IP address from inside of the network

Posted on 2011-02-23
1,673 Views
Last Modified: 2012-05-11
Hi, I have a problem regarding configuration of Cisco ASA 5505 security device.

The case is as follows. There is a web server inside the office. I created rule for port 80 to allow traffic from outside to inside and created Static NAT rule to point to internal IP address of the web server from outside. It works fine. People from outside the office can access the web server by domain name or public IP address.

The problem starts when someone from inside the company wants to access the web server. The server is not accessible either by public IP address or by domain name.

I checked the trace route and it gets stuck on the firewall, the Cisco ASA 5505. It seems that I cannot connect from inside to outside and back to inside.

Can anyone help on that?

Thank you for your help.
0
Question by:rkanabus
10 Comments
 
LVL 3

Expert Comment

by:overdrive79
ID: 34967654
There are 3 ways you can accomplish this. I will start with the simplest and move to the most complex.

First off, you can fix this with internal DNS pointing to the internal server IP.

Secondly, if you don't have an internal DNS and you have a small operation, you can accomplish the same by changing the HOSTS file (C:\Windows\System32\Drivers\Etc\hosts) to point the website to the internal IP.

The most complex answer: you will need to create/modify the NAT rule to allow the internal interface to talk to the external IP (example: static (inside,inside) public_ip private_ip netmask 255.255.255.255). This is not the recommended solution though; if possible, choose one of the first two solutions.



0
 

Author Comment

by:rkanabus
ID: 34967706
Thank you for your answer,

I think the first or last option is the best since the office is quite big and changing host file on each PC will be very time consuming.

Do you know how to change the DNS settings on the internal server? It is Windows Server 2008.
For the last one, why is it not a recommended solution? It sounds good and simple.



0
 
LVL 3

Accepted Solution

by:overdrive79 earned 167 total points
ID: 34967942
To change the internal DNS, you will need to create an A record for the full web address. The only time you will not want to do this is if your local domain is the same as the web domain, but the default domain names now end with .local instead of .com.

The reason why you will not want to use the NAT rule is because it will always route anything you send to your external IP through the external interface, and you may notice a hit in overall network performance.
0
 

Author Comment

by:rkanabus
ID: 34968129
OK, so I will play around the DNS settings then.

Thank you for the answer
0
 
LVL 8

Assisted Solution

by:pgolding00
pgolding00 earned 166 total points
ID: 34977231
The third option is not valid. PIX and ASA do not support sending a packet back out the interface it arrived on, unless that packet first arrived via VPN, or that packet will be sent out via VPN, or it arrived via AND will be sent via VPN.

From your description and your comment that the internal server can be accessed from the internet, presumably using its internet DNS name, you have a static translation for the server. Depending on the firewall version, the fixup dns or service-policy is able to translate DNS "A" record responses that pass through the firewall based on the configured static translations. So check your static (or nat, if version 8.3, 8.4) statements for DNS doctoring:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
0
 
LVL 6

Expert Comment

by:Mistralol
ID: 34978608

I would almost suggest ignoring the DNS hack and going for a full solution, but I am yet to get one of these to work on a Cisco router.

The problem I have with the DNS hack is around iPhones being used internally on a wireless network, where the iPhone will drop the wifi connection and then cache the external DNS record. When connected to the internal network it still attempts to use the external address because it is cached. It really isn't a solution from my point of view.

0
 

Author Comment

by:rkanabus
ID: 34978873
Thank you for your help. I will spend some time tonight and try to fix the ASA as pgolding00 proposed, and will be back with comments.
0
 

Author Comment

by:rkanabus
ID: 34992891
Hi, I tried to do something with the Cisco ASA, but I have version 7.x.x and it did not work.

I decided to change the internal DNS to solve the issue and now it works perfect.

To change the DNS settings I had to add a new forward lookup zone with the name of the domain, e.g. www.website.com, and then add a new Host (A) record (leaving the name blank) with the IP address of the local server.

It did the trick and it works fine for me.

Thank you for your help.
0
 
LVL 1

Assisted Solution

by:orbistechnology
orbistechnology earned 167 total points
ID: 34993902
In your static statement which binds your internal IP and port to an external IP / interface and port, end the command with the "dns" keyword.

Your ASA will detect a DNS lookup that returns a value for an IP address on your outside interface, search for any mappings, and modify the DNS reply to guide your internal user to your internal IP address.

This is the replacement to the older alias command, which as of 8.2.4 still exists.

This does not require modifications to internal DNS. I find maintaining split DNS systems causes much hair pulling when resources are readdressed.

Latest software is 8.4.1 - major NAT changes.  Good luck!
0
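As an added illustration of the rewrite that pgolding00's "DNS doctoring" link and this comment's `dns` keyword describe, here is a small Python simulation of what the firewall does to an A-record reply; it is not the ASA's implementation or anything posted in this thread, and the translation table, hostnames and addresses are constructed.

```python
"""Simulation of Cisco ASA 'DNS doctoring' (the `dns` keyword on a static translation):
an A-record reply whose address is a statically translated public IP is rewritten to the
mapped inside address, so inside clients skip the hairpin. Added example, not Cisco code."""
import struct
import ipaddress

# Constructed static translation table, public IP -> inside IP; it stands in for a
# `static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255 dns` entry.
STATIC_NAT = {"203.0.113.10": "192.168.1.20"}

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends an uncompressed name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg: bytes, mappings: dict = STATIC_NAT) -> bytes:
    """Rewrite the RDATA of A records whose address is a statically translated public IP."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)   # header: ID, flags, QDCOUNT, ANCOUNT, ...
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                     # skip QNAME, then QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            public = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if public in mappings:
                out[off:off + 4] = ipaddress.IPv4Address(mappings[public]).packed
        off += rdlen
    return bytes(out)

def build_a_reply(name: str, ip: str, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS reply: one question plus one A answer that uses a compression pointer."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def answered_ip(msg: bytes) -> str:
    """Address carried in the single A answer of a reply built by build_a_reply()."""
    return str(ipaddress.IPv4Address(msg[-4:]))
```

Only replies whose answer matches a mapped public address change; everything else in the message, including the transaction ID and question, passes through untouched, which is the property to confirm when checking a firewall's DNS inspection.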
 

Author Comment

by:rkanabus
ID: 35125643
Thank you for your comments. I will try to solve the issue with the ASA, but in the meantime I am using a temporary solution with the DNS trick.
0
