Solved

Guest VLAN not syncing email

Posted on 2016-11-10
Last Modified: 2016-11-14
So I've recently isolated my guests to VLAN2 on my ASA 5520. The DHCP leases are being handed out and everything works great. I'm running into an issue though with 2 internally hosted servers that I want guests to still use: my web server and OWA for email sync. The problem is that when a user hits www.myserver.com or owa.myserver.com it uses the public IP x.x.x.x (since they are using external DNS and there is no internal DNS for this guest subnet). That traffic doesn't flow out to the public and back in, since the VLAN is already behind the public address block. On my main subnet it is fine since I have a DNS server and just use a host A record to redirect, but I don't want to use an internal DNS server for this traffic.

I'm sure it is just a route or nat issue, but here is what I need.

User on vlan2 int1.1 ip 192.168.168.11 >  hits public ip x.x.x.x > routes to int1 192.168.0.206

Normally I don't want vlan2 subnet 192.168.168.0 to see 192.168.0.0 at all, but I need it to see 2 servers for these services.
Question by:bhieb
13 Comments
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882459
Sounds like a NAT issue, make sure you have the correct inside and outside interfaces configured correctly to ensure the external traffic can speak to your internal mail servers.

There is a great diagram showing the inside and outside interfaces, it will also help configure your devices appropriately. (you have to scroll down to "allowing the internet to access internal devices")

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html


--Rob
0
 

Author Comment

by:bhieb
ID: 41882463
Let me clarify, I already have all that working fine on the inside network 192.168.0.0. It is the new vlan that doesn't.
0
 

Author Comment

by:bhieb
ID: 41882486
And I think it is more than nat since the vlan doesn't see the lan that the internal server is on.  Here is the nat config for the email server.

object network HOST-ARMAIL
 nat (inside,outside) static x.x.x.x
0

Author Comment

by:bhieb
ID: 41882496
Just to further diagram this out.

Guest A VLAN2
  • IP 192.168.168.11
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Access fails because the ASA sees that public ip and there is no way to route it in via the outside interface since it is already behind that interface.

Normal User
  • IP 192.168.0.11
  • Accesses owa.mydomain.com
  • DNS translates to 192.168.0.206 (private IP)
ASA isn't involved at all, access is fine.

External User
  • IP y.y.y.y (whatever IP they have)
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Traffic hits ASA and NAT sends to 192.168.0.206
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882497
So just to clarify, as what you are saying doesn't make sense.

You want your traffic to route across your WAN ports?

EDIT (based on your last post)
Guest VLAN2 - Yes, using an external DNS wouldn't work because both networks are sat behind the same router.

The reason why it isn't working is because it's sat behind the same router; you're trying to NAT internally, which doesn't make sense. You will have to use an internal DNS server which has access to both VLANs to resolve the address.
0
 

Author Comment

by:bhieb
ID: 41882517
If your guest VLAN and your native, or regular network VLAN, is behind the same router, why don't you just create a static route between your two networks...
Why I don't is why I'm here, I'm not sure how that would look :)
0
 
LVL 6

Accepted Solution

by:Rob Leaver (earned 500 total points)
ID: 41882541
That part of my quote was edited out; after I read your 3rd post I then realised what you were trying to accomplish. You need an internal DNS server to resolve the internal addresses. There is no way to route the traffic out and back in.

The only reason why a static route may cause you problems is because that opens a route between both networks, pretty openly, which is something I assume you're not going to want.

Having a DNS server provide name resolution internally, which has access to both VLANs, may be a better solution.

And if you wanted to get really creative, you could set up your DNS server on another VLAN, and have a router do inter-VLAN routing through both networks. Possibilities are endless.

If you want to go the static route option, you typically will do this on the router interfaces.

config t
ip route 192.168.0.0 255.255.255.0 192.168.168.0

and

then repeat on the return path, changing the IP address accordingly.
0
 

Author Comment

by:bhieb
ID: 41882567
Hmm. That is what I was afraid of; looks like intra-VLAN traffic is all or nothing. I've read about the below command, but then it allows all.

same-security-traffic permit intra-interface

The main reason I chose a VLAN was to move DHCP (and DNS) off of my MS server for license reasons. Most admins don't think about it, but if you have a MS server doing DHCP or DNS all those devices/users require CALs. This essentially makes an open wifi impractical. So requiring an internal DNS server (which in my case would be MS) would undo what I accomplished on DHCP.

I think I'll take the super easy way out, and create a secured SSID on the main lan for licensed users already covered under a CAL. Guest just won't have access to our web sites, but they don't need it anyway.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882631
What about using DNS on a router... that would prevent your CALs?
0
 

Author Comment

by:bhieb
ID: 41882879
Ultimately the LAN has to have DNS for Active Directory to work, but I could just set up a DNS server for the VLAN subnet on a Linux box or router. Then put the 2 host A records to route to the LAN subnet. I'd still need to figure out how to only allow that traffic. I think it is possible with a deny ACL. I'll probably open a SmartNet ticket and just have Cisco walk me through it.

This can't be that unusual of a configuration though, using a VLAN for guests wifi seems pretty normal. I guess most people just roll the dice on the licensing for dhcp/dns.

I'll hold this open another day to see if anyone else has any ideas; if not, I'll toss you the points.
0
 

Author Comment

by:bhieb
ID: 41882932
This may be the solution to the DNS issue. It involves using DNS rewrite on a static nat.

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/
0
 

Author Comment

by:bhieb
ID: 41882946
Here is the official Cisco doc; they call it DNS doctoring, or you can use DNS U-turning.
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
0
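Added example, not from the thread or from Cisco: a Python model of the DNS rewrite that "DNS doctoring" performs, i.e. what the ASA does to a DNS reply when the static NAT for the server carries the `dns` keyword. It builds a constructed reply for owa.mydomain.com that answers with a stand-in public address (203.0.113.10 in place of the thread's x.x.x.x) and rewrites the A record to the server's inside address 192.168.0.206 before the reply reaches the guest client; the message format is real DNS wire format, but the rewrite logic is a simplification (A records only, one NAT mapping) of the appliance's behaviour.

```python
import struct
import ipaddress

# Constructed stand-ins: 203.0.113.10 plays the public x.x.x.x from the thread,
# 192.168.0.206 is the OWA server's inside address. mapped -> real, as a
# "nat (inside,outside) static x.x.x.x dns" rule would translate for guest clients.
STATIC_NAT_DNS = {"203.0.113.10": "192.168.0.206"}

def encode_name(qname):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_a_response(qname, ip, txid=0x1234, ttl=300):
    # Constructed minimal reply: one question, one A answer, no name compression
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (0xC0) ends the name in 2 bytes
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def doctor_reply(msg, translations):
    # Rewrite A-record RDATA in place; 'translations' maps the address seen in the
    # reply to the address the client should receive. Returns (new_msg, rewrites).
    buf = bytearray(msg)
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4           # skip QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            seen = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if seen in translations:
                buf[off:off + 4] = ipaddress.IPv4Address(translations[seen]).packed
                rewrites.append((seen, translations[seen]))
        off += rdlen
    return bytes(buf), rewrites
```

Passing the inverted dictionary models the other direction the `dns` keyword covers, a reply from an inside DNS server being rewritten from the real to the mapped address on its way to an outside client.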
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41884438
Good to know! Thanks for sharing. Hopefully you got it to work?
0
