Solved

Cisco ASA 9.1 NAT issue

Posted on 2014-04-16
Last Modified: 2014-04-17
I have a website hosted internally (inside). I have configured public access (Cogent) to the internal website. This is working fine without any issues.

I have a guest Wi-Fi subnet (WAP) configured on another ASA interface. My challenge is allowing the users on the guest Wi-Fi to browse to the internal website using the website's external URL. There is no issue browsing to the internet in general whilst on the guest Wi-Fi.

Please help. Result of packet trace is below. Also, the relevant firewall config.

FW# packet-tracer input WAP tcp 192.168.99.154 12345 31.88.88.58 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   31.88.88.58    255.255.255.255 identity

Result:
input-interface: WAP
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate


Here is the ASA config

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif Cogent
 security-level 0
 ip address 31.88.88.58 255.255.255.248
!
interface Management0/0
 description Trunking Interface
 no nameif
 no security-level
 no ip address
!
interface Management0/0.3
 description Public Wi-Fi
 vlan 99
 nameif WAP
 security-level 10
 ip address 192.168.99.1 255.255.255.0 standby 192.168.99.2
!
object service HTTP
 service tcp destination eq www
object service HTTPS
 service tcp destination eq https
object network exchange_server
 host 10.1.1.12
object network metamark_data_cogent
 subnet 10.1.1.0 255.255.255.0
object network wap_subnet_cogent
 subnet 192.168.99.0 255.255.255.0
object network exchange_server_smtp
 host 10.1.1.12
object network exchange_server_http
 host 10.1.1.12
object network exchange_server_https
 host 10.1.1.12
object network exchange_server_imap4
 host 10.1.1.12
object network exchange_server_587
 host 10.1.1.12
object network EXT_Int
 host 31.88.88.58
object network exchange_server_waphttp
 host 10.1.1.12
object network exchange_server_waphttps
 host 10.1.1.12

access-list Cogent_acl extended permit tcp any4 object exchange_server eq https
access-list Cogent_acl extended permit tcp any4 object exchange_server eq www
access-list Cogent_acl extended permit tcp any4 object exchange_server eq imap4
access-list Cogent_acl extended permit tcp any4 object exchange_server eq 587
access-list Cogent_acl extended permit icmp any4 any4 echo-reply

access-list wap_acl extended permit tcp any4 host 10.1.1.12 eq https
access-list wap_acl extended permit tcp any4 host 10.1.1.12 eq www
access-list wap_acl extended permit ip any4 any4

nat (inside,outside) source static exchange_server interface service SMTP SMTP
nat (inside,outside) source static exchange_server interface service HTTPS HTTPS
nat (inside,outside) source static exchange_server interface service HTTP HTTP
nat (inside,outside) source static exchange_server interface service IMAP4 IMAP4
nat (inside,outside) source static exchange_server interface service 587 587
nat (inside,outside) source static exchange_server interface service 3101 3101
nat (inside,Cogent) source static exchange_server interface service HTTPS HTTPS
nat (inside,Cogent) source static exchange_server interface service IMAP4 IMAP4
nat (inside,Cogent) source static exchange_server interface service 3101 3101
nat (inside,Cogent) source static exchange_server interface service HTTP HTTP
nat (inside,Cogent) source static exchange_server interface service 587 587
nat (inside,WAP) source static exchange_server EXT_Int service HTTP HTTP
nat (inside,WAP) source static exchange_server EXT_Int service HTTPS HTTPS
!
object network metamark_data_cogent
 nat (inside,Cogent) dynamic interface
object network wap_subnet_cogent
 nat (WAP,Cogent) dynamic 31.88.88.62
object network exchange_server_smtp
 nat (inside,Cogent) static interface service tcp smtp smtp
object network exchange_server_http
 nat (inside,Cogent) static interface service tcp www www
object network exchange_server_https
 nat (inside,Cogent) static interface service tcp https https
object network exchange_server_waphttp
 nat (inside,WAP) static interface service tcp www www
object network exchange_server_waphttps
 nat (inside,WAP) static interface service tcp https https
access-group Cogent_acl in interface Cogent
access-group wap_acl in interface WAP

Regards

Question by: BayStateIT

Expert Comment by: rauenpc

There are three ways I know of to do this. One would be to run multiple contexts. This works great, but many times requires licensing and a fair amount of config work.

Another would be to allow guest users access to your internal DNS servers, limit them to DNS queries only, and then they will get internal results and you would just have to allow that traffic between the interfaces.

The other method is to use dns doctoring. This would require a one-to-one nat, however, and all of your current nat statements appear to use port forwarding/PAT. Below is a DNS doctoring example.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

Author Comment by: BayStateIT

Thanks for your response, Rauenpc

I would greatly appreciate it if you could provide an example based on the sample config I posted.

Regards

Accepted Solution by: rauenpc (earned 500 total points)

For your example, to implement DNS doctoring or rewrite, you would first need to change your nat statements to be a static nat.

no nat (inside,outside) source static exchange_server interface service SMTP SMTP
no nat (inside,outside) source static exchange_server interface service HTTPS HTTPS
no nat (inside,outside) source static exchange_server interface service HTTP HTTP
no nat (inside,outside) source static exchange_server interface service IMAP4 IMAP4
no nat (inside,outside) source static exchange_server interface service 587 587
no nat (inside,outside) source static exchange_server interface service 3101 3101
no nat (inside,Cogent) source static exchange_server interface service HTTPS HTTPS
no nat (inside,Cogent) source static exchange_server interface service IMAP4 IMAP4
no nat (inside,Cogent) source static exchange_server interface service 3101 3101
no nat (inside,Cogent) source static exchange_server interface service HTTP HTTP
no nat (inside,Cogent) source static exchange_server interface service 587 587
no nat (inside,WAP) source static exchange_server EXT_Int service HTTP HTTP
no nat (inside,WAP) source static exchange_server EXT_Int service HTTPS HTTPS

object network exchange_server
 host 10.1.1.12
nat (inside,outside) static your-outside-ip-address dns
!the outside IP is not the interface IP but another available public IP

object network exchange_server-Cog
 host 10.1.1.12
nat (inside,Cogent) static 31.88.88.xx dns
!the Cogent IP is not the interface IP but another available public IP


With these changes, the exchange server will have a one-to-one NAT on both external interfaces. This means that all your records would need to change to reflect that change so all MX records, all A records, and reverse DNS records would need to change.
With this all in place, whenever a DNS response goes across the ASA and has a reply of either external IP that you have in the nat statements, it will rewrite the response to have 10.1.1.12. So users on the guest network will use the FQDN as per the norm, but unlike normal they will receive a response of the real IP, causing them to go directly to the server. You will also need appropriate rules in place to allow the direct traffic. A simple nat exemption for the traffic, and permit rules on the WAP interface, should be enough.

Here's another possible way to do this. If you can't change the external IP of the Exchange server through the nat statements, is there an alternate URL that you could give the guest users? I've had customers configure bogus DNS records to provide DNS doctoring. For example, I had a customer create an external DNS record of guest.company.com which resolved to 1.1.1.1 (no joke.. it actually resolved to 1.1.1.1). I created a static nat from an internal IP to 1.1.1.1 with the DNS option. This happened to be a guest portal for wireless access that needed a valid certificate. Because the nat entry went to a bogus IP, the internal IP would never actually be able to gain internet access, but in this case it didn't matter. All that mattered was that when a guest was redirected to the url https://guest.company.com, the real DNS reply would be 1.1.1.1 but the ASA modified it to the internal ip and guests went directly to the guest portal page without any errors.
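As an added illustration of the DNS rewrite behaviour the accepted solution describes (example code written for this page, not Cisco's or the poster's), the following models what the ASA does with a static NAT rule carrying the `dns` keyword: it parses a DNS reply and replaces an A-record answer equal to the mapped public address with the real inside address. The mapped address 31.88.88.200 is a constructed stand-in for the answer's "31.88.88.xx" placeholder, and the DNS message is constructed inline.

```python
import struct

# Constructed NAT table: mapped public IP -> real inside IP, modelling an ASA
# `nat (inside,Cogent) static <mapped> dns` rule (31.88.88.200 is a placeholder).
NAT_DNS_REWRITE = {"31.88.88.200": "10.1.1.12"}

def _skip_name(msg, off):
    """Advance past a DNS name at `off`, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, mapping=NAT_DNS_REWRITE):
    """Rewrite A-record RDATA equal to a mapped address into the real address; return (message, count)."""
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                   # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4         # QTYPE + QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addr = ".".join(str(b) for b in buf[off:off + 4])
            if addr in mapping:
                buf[off:off + 4] = bytes(int(o) for o in mapping[addr].split("."))
                rewritten += 1
        off += rdlen
    return bytes(buf), rewritten

def build_a_reply(qname, addr, txid=0x1234):
    """Constructed DNS reply: one question and one A answer (compression pointer to the question)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in addr.split("."))
    return header + question + answer

def answer_ip(msg):
    """Return the address in the first A answer of `msg`."""
    qdcount, = struct.unpack_from("!H", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off) + 10            # skip name, TYPE, CLASS, TTL, RDLENGTH
    return ".".join(str(b) for b in msg[off:off + 4])
```

A reply for a name that resolves to an address not in the NAT table passes through unchanged, which is the same selectivity the ASA applies: only answers matching a `dns`-flagged static mapping are rewritten.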