Solved

Guest VLAN not syncing email

Posted on 2016-11-10
Last Modified: 2016-11-14
So I've recently isolated my guests to VLAN2 on my ASA 5520. DHCP leases are being handed out and everything works great. I'm running into an issue though with 2 internally hosted servers that I want guests to still use: my web server and OWA for email sync. The problem is that when a user hits www.myserver.com or owa.myserver.com it uses the public IP x.x.x.x (since they are using external DNS and there is no internal DNS for this guest subnet). That traffic doesn't flow out to the public and back in, since the VLAN is already behind the public address block. On my main subnet it is fine since I have a DNS server and just use a host A record to redirect, but I don't want to use an internal DNS server for this traffic.

I'm sure it is just a route or nat issue, but here is what I need.

User on vlan2 int1.1 ip 192.168.168.11 > hits public ip x.x.x.x > routes to int1 192.168.0.206

Normally I don't want vlan2 subnet 192.168.168.0 to see 192.168.0.0 at all, but I need it to see 2 servers for these services.
Question by:bhieb

Expert Comment

by:Rob Leaver
ID: 41882459
Sounds like a NAT issue, make sure you have the correct inside and outside interfaces configured correctly to ensure the external traffic can speak to your internal mail servers.

There is a great diagram showing the inside and outside interfaces, it will also help configure your devices appropriately. (you have to scroll down to "allowing the internet to access internal devices")

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html


--Rob

Author Comment

by:bhieb
ID: 41882463
Let me clarify, I already have all that working fine on the inside network 192.168.0.0. It is the new vlan that doesn't.

Author Comment

by:bhieb
ID: 41882486
And I think it is more than NAT since the VLAN doesn't see the LAN that the internal server is on. Here is the NAT config for the email server.

object network HOST-ARMAIL
 nat (inside,outside) static x.x.x.x

Author Comment

by:bhieb
ID: 41882496
Just to further diagram this out.

Guest A VLAN2
  • IP 192.168.168.11
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Access fails because the ASA sees that public IP and there is no way to route it in via the outside interface since it is already behind that interface.

Normal User
  • IP 192.168.0.11
  • Accesses owa.mydomain.com
  • DNS translates to 192.168.0.206 (private IP)
ASA isn't involved at all, access is fine.

External User
  • IP y.y.y.y (whatever IP they have)
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Traffic hits ASA and NAT sends to 192.168.0.206

Expert Comment

by:Rob Leaver
ID: 41882497
So just to clarify, as what you are saying doesn't make sense.

You want your traffic to route across your WAN ports?

EDIT (based on your last post)
Guest VLAN2 - Yes, using an external DNS wouldn't work because both networks are sat behind the same router.

The reason why it isn't working is because it's sat behind the same router; you're trying to NAT internally, which doesn't make sense. You will have to use an internal DNS server which has access to both VLANs to resolve the address.

Author Comment

by:bhieb
ID: 41882517
"If your guest VLAN and your native, or regular network VLAN is behind the same router, why don't you just create a static route between your two networks..."
Why I don't is why I'm here, I'm not sure how that would look :)

Accepted Solution

by:Rob Leaver (earned 500 total points)
ID: 41882541
That part of my quote was edited out; after I read your 3rd post I then realised what you were trying to accomplish. You need an internal DNS server to resolve the internal addresses. There is no way to route the traffic out and back in.

The only reason why a static route may cause you problems is because that opens a route between both networks, pretty openly, which is something I assume you're not going to want.

Having a DNS server provide name resolution internally, which has access to both VLANs, may be a better solution.

And if you wanted to get really creative, you could set up your DNS server on another VLAN, and have a router do inter-VLAN routing through both networks. Possibilities are endless.

If you want to go the static route option, you typically will do this on the router interfaces.

config t
ip route 192.168.0.0 255.255.255.0 192.168.168.0

and

then repeat on the return path, changing the IP address accordingly.

Author Comment

by:bhieb
ID: 41882567
Hmm. That is what I was afraid of; looks like intra-VLAN traffic is all or nothing. I've read about the below command, but then it allows all.

same-security-traffic permit intra-interface

The main reason I chose a VLAN was to move DHCP (and DNS) off of my MS server for license reasons. Most admins don't think about it, but if you have a MS server doing DHCP or DNS all those devices/users require CALs. This essentially makes an open wifi impractical. So requiring an internal DNS server (which in my case would be MS) would undo what I accomplished on DHCP.

I think I'll take the super easy way out, and create a secured SSID on the main lan for licensed users already covered under a CAL. Guest just won't have access to our web sites, but they don't need it anyway.

Expert Comment

by:Rob Leaver
ID: 41882631
What about using DNS on a router... that would prevent your CALs?

Author Comment

by:bhieb
ID: 41882879
Ultimately the LAN has to have DNS for Active Directory to work, but I could just set up a DNS server for the VLAN subnet on a Linux box or router. Then put the 2 host A records to route to the LAN subnet. I'd still need to figure out how to only allow that traffic. I think it is possible with a deny ACL. I'll probably open a SmartNet ticket and just have Cisco walk me through it.

This can't be that unusual of a configuration though; using a VLAN for guest wifi seems pretty normal. I guess most people just roll the dice on the licensing for DHCP/DNS.

I'll hold this open another day to see if anyone else has any ideas; if not I'll toss you the points.

Author Comment

by:bhieb
ID: 41882932
This may be the solution to the DNS issue. It involves using DNS rewrite on a static nat.

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/

Author Comment

by:bhieb
ID: 41882946
Here is the official Cisco doc; they call it DNS doctoring, or you can use DNS U-turning.
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
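An added configuration sketch, not from the thread or from Cisco's documents, showing how the DNS-rewrite approach bhieb links to combines with an interface ACL that lets the guest subnet reach only the two servers while the rest of 192.168.0.0/24 stays hidden. It assumes ASA 8.3+ object NAT syntax as used on the page, that the VLAN2 sub-interface has nameif guest, that the OWA host is 192.168.0.206 as stated, and placeholder addresses for the web server and the public IPs.

```cisco
! Guest VLAN sub-interface (assumed nameif "guest"; the thread calls it int1.1)
interface GigabitEthernet0/1.2
 vlan 2
 nameif guest
 security-level 50
 ip address 192.168.168.1 255.255.255.0
!
! Existing static NAT for the OWA host, with the dns keyword added: DNS replies
! that pass through the ASA carrying the mapped (public) address are rewritten
! to the real address, so guests connect to 192.168.0.206 directly.
! Requires DNS inspection, which the default global policy enables (inspect dns).
object network HOST-ARMAIL
 host 192.168.0.206
 nat (inside,outside) static x.x.x.x dns
!
! Web server: real and public addresses are placeholders, not values from the thread
object network HOST-WEB
 host 192.168.0.WEB
 nat (inside,outside) static x.x.x.y dns
!
! Guest ACL: permit only HTTPS to OWA and HTTP/HTTPS to the web server,
! deny everything else on the LAN, then let the rest (internet) out.
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 object HOST-ARMAIL eq 443
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 object HOST-WEB eq 80
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 object HOST-WEB eq 443
access-list GUEST_IN extended deny ip 192.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.168.0 255.255.255.0 any
access-group GUEST_IN in interface guest
```

The deny line is what keeps the guest VLAN from seeing the rest of the inside network, which the static-route suggestion earlier in the thread would not do on its own. DNS rewrite only happens for replies that traverse the interfaces named in the NAT rule, so with guest traffic arriving on a third interface, check the linked Cisco document for whether your topology needs an extra translation between inside and guest.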
LVL 6

Expert Comment

by:Rob Leaver
ID: 41884438
Good to know! Thanks for sharing. Hopefully you got it to work?