Solved

Guest VLAN not syncing email

Posted on 2016-11-10
Last Modified: 2016-11-14
So I've recently isolated my guests to VLAN2 on my ASA 5520. The DHCP leases are being handed out and everything works great. I'm running into an issue though with 2 internally hosted servers that I want guests to still use: my web server and OWA for email sync. The problem is that when a user hits www.myserver.com or owa.myserver.com it uses the public IP x.x.x.x (since they are using external DNS and there is no internal DNS for this guest subnet). That traffic doesn't flow out to the public and back in, since the VLAN is already behind the public address block. On my main subnet it is fine since I have a DNS server and just use a host A record to redirect, but I don't want to use an internal DNS server for this traffic.

I'm sure it is just a route or NAT issue, but here is what I need.

User on vlan2 int1.1 ip 192.168.168.11 >  hits public ip x.x.x.x > routes to int1 192.168.0.206

Normally I don't want vlan2 subnet 192.168.168.0 to see 192.168.0.0 at all, but I need it to see 2 servers for these services.
Question by:bhieb
13 Comments
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882459
Sounds like a NAT issue, make sure you have the correct inside and outside interfaces configured correctly to ensure the external traffic can speak to your internal mail servers.

There is a great diagram showing the inside and outside interfaces, it will also help configure your devices appropriately. (you have to scroll down to "allowing the internet to access internal devices")

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html


--Rob

Author Comment

by:bhieb
ID: 41882463
Let me clarify, I already have all that working fine on the inside network 192.168.0.0. It is the new vlan that doesn't.

Author Comment

by:bhieb
ID: 41882486
And I think it is more than NAT, since the VLAN doesn't see the LAN that the internal server is on. Here is the NAT config for the email server.

object network HOST-ARMAIL
 nat (inside,outside) static x.x.x.x

Author Comment

by:bhieb
ID: 41882496
Just to further diagram this out.

Guest A VLAN2
  • IP 192.168.168.11
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Access fails because the ASA sees that public IP and there is no way to route it in via the outside interface, since it is already behind that interface.

Normal User
  • IP 192.168.0.11
  • Accesses owa.mydomain.com
  • DNS translates to 192.168.0.206 (private IP)
ASA isn't involved at all, access is fine.

External User
  • IP y.y.y.y (whatever IP they have)
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Traffic hits ASA and NAT sends to 192.168.0.206
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882497
So just to clarify, as what you are saying doesn't make sense.

You want your traffic to route across your WAN ports?

EDIT (based on your last post)
Guest VLAN2 - Yes, using an external DNS wouldn't work because both networks are sat behind the same router.

The reason why it isn't working is because it's sat behind the same router; you're trying to NAT internally, which doesn't make sense. You will have to use an internal DNS server which has access to both VLANs to resolve the address.

Author Comment

by:bhieb
ID: 41882517
"If your guest VLAN and your native, or regular network VLAN is behind the same router, why don't you just create a static route between your two networks..."
Why I don't is why I'm here, I'm not sure how that would look :)
 
LVL 6

Accepted Solution

by:Rob Leaver (earned 500 total points)
ID: 41882541
That part of my quote was edited out; after I read your 3rd post I then realised what you were trying to accomplish. You need an internal DNS server to resolve the internal addresses. There is no way to route the traffic out and back in.

The only reason why a static route may cause you problems is because that opens a route between both networks, pretty openly, which is something I assume you're not going to want.

Having a DNS server provide name resolution internally, which has access to both VLANs, may be a better solution.

And if you wanted to get really creative, you could set up your DNS server on another VLAN, and have a router do inter-VLAN routing through both networks. Possibilities are endless.

If you want to go the static route option, you typically will do this on the router interfaces.

config t
ip route 192.168.0.0 255.255.255.0 192.168.168.0

and then repeat on the return path, changing the IP address accordingly.

Author Comment

by:bhieb
ID: 41882567
Hmm. That is what I was afraid of; looks like intra-VLAN traffic is all or nothing. I've read about the below command, but then it allows all.

same-security-traffic permit intra-interface

The main reason I chose a VLAN was to move DHCP (and DNS) off of my MS server for license reasons. Most admins don't think about it, but if you have an MS server doing DHCP or DNS, all those devices/users require CALs. This essentially makes an open wifi impractical. So requiring an internal DNS server (which in my case would be MS) would undo what I accomplished on DHCP.

I think I'll take the super easy way out, and create a secured SSID on the main LAN for licensed users already covered under a CAL. Guests just won't have access to our web sites, but they don't need it anyway.
LVL 6

Expert Comment

by:Rob Leaver
ID: 41882631
What about using DNS on a router... that would prevent your CALs?

Author Comment

by:bhieb
ID: 41882879
Ultimately the LAN has to have DNS for Active Directory to work, but I could just set up a DNS server for the VLAN subnet on a Linux box or router. Then put the 2 host A records in to route to the LAN subnet. I'd still need to figure out how to only allow that traffic. I think it is possible with a deny ACL. I'll probably open a SmartNet ticket and just have Cisco walk me through it.

This can't be that unusual of a configuration though; using a VLAN for guest wifi seems pretty normal. I guess most people just roll the dice on the licensing for DHCP/DNS.

I'll hold this open another day to see if anyone else has any ideas; if not, I'll toss you the points.

Author Comment

by:bhieb
ID: 41882932
This may be the solution to the DNS issue. It involves using DNS rewrite on a static NAT.

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/

Author Comment

by:bhieb
ID: 41882946
Here is the official Cisco doc; they call it DNS doctoring, or you can use DNS U-turning.
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
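To make the DNS doctoring mechanism from the two links above concrete, here is an added simulation of what the ASA does when the `dns` keyword is appended to a static NAT such as the `nat (inside,outside) static x.x.x.x` line posted earlier. It is example code written for this thread, not Cisco's implementation or anything from the original posts. The firewall inspects DNS replies coming back from the external resolver and, for any A record whose address is the mapped (public) side of a static NAT, substitutes the real (inside) address, so the guest on VLAN2 gets 192.168.0.206 instead of the unreachable public IP. Assumptions: 203.0.113.10 (documentation space) stands in for the thread's x.x.x.x, the NAT table and DNS messages are constructed inline, and only IPv4 A records are rewritten (AAAA is left alone, as on the ASA). A guest still needs an ACL permitting only the two server hosts, which is a separate step not shown here.

```python
import socket
import struct

# Constructed static NAT table for this example: mapped (public) address ->
# real (inside) address. 203.0.113.10 stands in for the thread's x.x.x.x;
# 192.168.0.206 is the OWA server from the thread.
STATIC_NAT = {"203.0.113.10": "192.168.0.206"}

TYPE_A = 1
CLASS_IN = 1
FLAG_QR = 0x8000  # header bit that marks a message as a response


def encode_name(name):
    """Encode 'owa.mydomain.com' as DNS labels terminated by the root label."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"


def build_a_response(qname, answer_ip, txid=0x1234, ttl=300):
    """Build a minimal DNS response with one A record, as an external resolver returns it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 Q, 1 A
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # The answer's owner name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return offset + 2
        if length == 0:            # root label ends the name
            return offset + 1
        offset += 1 + length


def a_record_offsets(msg):
    """Yield the offset of the 4-byte RDATA of every IN A record in a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
        offset += 10  # fixed RR fields: type, class, ttl, rdlength
        if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4:
            yield offset
        offset += rdlength


def doctor_dns_response(packet, nat_table):
    """Rewrite A records whose address is the mapped side of a static NAT to the real address.

    This is the behaviour of the 'dns' keyword on an ASA static NAT for replies
    crossing from outside to inside. Returns (rewritten_packet, [(mapped, real), ...]).
    """
    if not struct.unpack_from("!H", packet, 2)[0] & FLAG_QR:
        return packet, []  # a query carries no answers to rewrite
    buf = bytearray(packet)
    rewrites = []
    for off in a_record_offsets(buf):
        mapped = socket.inet_ntoa(bytes(buf[off:off + 4]))
        real = nat_table.get(mapped)
        if real is not None:
            buf[off:off + 4] = socket.inet_aton(real)
            rewrites.append((mapped, real))
    return bytes(buf), rewrites


def answered_ips(packet):
    """List the A-record addresses a client would see in a response."""
    return [socket.inet_ntoa(bytes(packet[off:off + 4])) for off in a_record_offsets(packet)]


def guest_lookup(qname, resolver_answer, nat_table=STATIC_NAT):
    """Simulate a VLAN2 guest using an external resolver behind a doctoring ASA."""
    doctored, _ = doctor_dns_response(build_a_response(qname, resolver_answer), nat_table)
    return answered_ips(doctored)[0]


if __name__ == "__main__":
    # Name behind the static NAT: the guest receives the inside address.
    print(guest_lookup("owa.mydomain.com", "203.0.113.10"))  # 192.168.0.206
    # Unrelated public name: the reply passes through untouched.
    print(guest_lookup("www.example.net", "198.51.100.7"))  # 198.51.100.7
```

The rewrite only changes the 4 RDATA bytes, so the message length and transaction ID are preserved and the client cannot tell the answer was altered; that is also why the technique is tied to a static one-to-one NAT rather than a dynamic pool.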
LVL 6

Expert Comment

by:Rob Leaver
ID: 41884438
Good to know! Thanks for sharing. Hopefully you got it to work?