Guest VLAN not syncing email

bhieb asked:

So I've recently isolated my guests to VLAN2 on my ASA 5520. The DHCP leases are being handed out and everything works great. I'm running into an issue though with 2 internally hosted servers that I want guests to still use: my web server and OWA for email sync. The problem is that when a user hits www.myserver.com or owa.myserver.com it uses the public IP x.x.x.x (since they are using external DNS and there is no internal DNS for this guest subnet). That traffic doesn't flow out to the public and back in, since the VLAN is already behind the public address block. On my main subnet it is fine since I have a DNS server and just use a host A record to redirect, but I don't want to use an internal DNS server for this traffic.

I'm sure it is just a route or NAT issue, but here is what I need.

User on VLAN2 (int1.1), IP 192.168.168.11 > hits public IP x.x.x.x > routes to int1, 192.168.0.206

Normally I don't want the VLAN2 subnet 192.168.168.0 to see 192.168.0.0 at all, but I need it to see 2 servers for these services.

Rob Leaver

Sounds like a NAT issue; make sure you have the inside and outside interfaces configured correctly to ensure the external traffic can speak to your internal mail servers.

There is a great diagram showing the inside and outside interfaces; it will also help you configure your devices appropriately (you have to scroll down to "allowing the internet to access internal devices").

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

--Rob

bhieb (ASKER)

Let me clarify: I already have all that working fine on the inside network 192.168.0.0. It is the new VLAN that doesn't.

bhieb (ASKER)

And I think it is more than NAT, since the VLAN doesn't see the LAN that the internal server is on. Here is the NAT config for the email server.

object network HOST-ARMAIL
 nat (inside,outside) static x.x.x.x
bhieb (ASKER)

Just to further diagram this out.

Guest A VLAN2
  • IP 192.168.168.11
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Access fails because the ASA sees that public IP and there is no way to route it in via the outside interface, since the client is already behind that interface.

Normal User
  • IP 192.168.0.11
  • Accesses owa.mydomain.com
  • DNS translates to 192.168.0.206 (private IP)
ASA isn't involved at all, access is fine.

External User
  • IP y.y.y.y (whatever IP they have)
  • Accesses owa.mydomain.com
  • DNS translates to x.x.x.x (public IP)
Traffic hits the ASA and NAT sends it to 192.168.0.206

So just to clarify, as what you are saying doesn't make sense.

You want your traffic to route across your WAN ports?

EDIT (based on your last post)
Guest VLAN2 - Yes, using an external DNS wouldn't work because both networks are sat behind the same router.

The reason why it isn't working is because it's sat behind the same router; you're trying to NAT internally, which doesn't make sense. You will have to use an internal DNS server which has access to both VLANs to resolve the address.

bhieb (ASKER)

"If your guest VLAN and your native, or regular network VLAN is behind the same router, why don't you just create a static route between your two networks..."
Why I don't is why I'm here, I'm not sure how that would look :)
ASKER CERTIFIED SOLUTION
Rob Leaver

This solution is only available to members.

bhieb (ASKER)

Hmm. That is what I was afraid of; it looks like inter-VLAN traffic is all or nothing. I've read about the below command, but then it allows all.

same-security-traffic permit intra-interface

The main reason I chose a VLAN was to move DHCP (and DNS) off of my MS server for license reasons. Most admins don't think about it, but if you have an MS server doing DHCP or DNS, all those devices/users require CALs. This essentially makes an open wifi impractical. So requiring an internal DNS server (which in my case would be MS) would undo what I accomplished on DHCP.

I think I'll take the super easy way out and create a secured SSID on the main LAN for licensed users already covered under a CAL. Guests just won't have access to our web sites, but they don't need it anyway.

What about using DNS on a router... would that get around your CALs?

bhieb (ASKER)

Ultimately the LAN has to have DNS for Active Directory to work, but I could just set up a DNS server for the VLAN subnet on a Linux box or router. Then put in the 2 host A records pointing to the LAN subnet. I'd still need to figure out how to only allow that traffic. I think it is possible with a deny ACL. I'll probably open a SmartNet ticket and just have Cisco walk me through it.

This can't be that unusual of a configuration though; using a VLAN for guest wifi seems pretty normal. I guess most people just roll the dice on the licensing for DHCP/DNS.

I'll hold this open another day to see if anyone else has any ideas; if not, I'll toss you the points.

bhieb (ASKER)

This may be the solution to the DNS issue. It involves using DNS rewrite on a static NAT.

http://www.techrepublic.com/blog/data-center/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/

bhieb (ASKER)

Here is the official Cisco doc; they call it DNS doctoring, or you can use DNS U-turning.
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
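The configuration below is an added example for this thread, not the asker's config and not the text of the accepted solution or of the Cisco document. It ties together the HOST-ARMAIL static NAT posted above, the DNS doctoring approach the asker found, and the "only these two servers" requirement from the first post. It assumes ASA 8.3+ object NAT (the syntax the asker's own object uses), that the guest subinterface has the nameif "guest", that the OWA server is 192.168.0.206 (from the thread), and that x.x.x.x is the public address from the thread; the web server addresses and the 192.168.0.10 host in the last check are placeholders that must be replaced before the lines are pasted in.

```cisco
! Added example (not from the thread). Assumes ASA 8.3+ object NAT, interface
! nameif "guest" for VLAN2, OWA server 192.168.0.206, public IP x.x.x.x.
! WEB_REAL_IP and WEB_PUBLIC_IP are placeholders for the web server.

! 1. DNS doctoring: the dns keyword on the existing static NAT makes the ASA
!    rewrite A-record replies for x.x.x.x to the real address when the reply
!    crosses the firewall (DNS inspection must be on, which is the default).
object network HOST-ARMAIL
 host 192.168.0.206
 nat (inside,outside) static x.x.x.x dns

object network HOST-WEB
 host WEB_REAL_IP
 nat (inside,outside) static WEB_PUBLIC_IP dns

! 2. Least-privilege ACL on the guest interface: HTTPS to OWA and HTTP/HTTPS
!    to the web server, nothing else toward the inside subnet, and normal
!    Internet access for everything else. Order matters: permits before the deny.
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 host 192.168.0.206 eq 443
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 host WEB_REAL_IP eq 80
access-list GUEST_IN extended permit tcp 192.168.168.0 255.255.255.0 host WEB_REAL_IP eq 443
access-list GUEST_IN extended deny ip 192.168.168.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 192.168.168.0 255.255.255.0 any
access-group GUEST_IN in interface guest

! 3. Verify the policy from the ASA CLI with the guest client from the thread:
!    the first trace should end in ALLOW, the second (placeholder inside host,
!    SMB) in DROP on the GUEST_IN access-list.
packet-tracer input guest tcp 192.168.168.11 40000 192.168.0.206 443
packet-tracer input guest tcp 192.168.168.11 40000 192.168.0.10 445
```

The ACL, rather than same-security-traffic, is what keeps inter-VLAN access scoped to the two hosts: every other packet from 192.168.168.0/24 toward 192.168.0.0/24 is dropped by the explicit deny, and the trailing permit keeps guest Internet access working. The DNS rewrite only helps if the reply actually crosses a NAT rule carrying the dns keyword between the interface the reply arrives on and the client's interface; with guests on a third interface and the resolver outside, confirm after the change with a lookup from a guest client (it should now return 192.168.0.206) and consult the Cisco document linked above if a second rule between inside and guest turns out to be needed.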
Good to know! Thanks for sharing. Hopefully you got it to work?