topic Re: Guest User can't access internal webserver on DMZ in Network Security

Guest User can't access internal webserver on DMZ

JakeYllus — Mon, 16 Jan 2023 23:47:34 GMT

Good Day All,

I'm a newbie with Cisco ASA , i have an issue after setting up a guest wifi for my organization.

Here the Topo
Internal user are on : 10.20.20.0/24 and Guest users are on : 192.168.1.0/24 , DMZ is : 10.30.30.0/24

Internal users use internal DNS and Guest users use google( 8.8.8.8) .

There is a nat ( dynamic PAT ) on the WAN interface of the ASA in place allowing internal users to surf the internet as well as the Guest users.

We have an internal webserver in the DMZ : 10.30.30.57

Internal users go directly to the www.thewebserver.ca got resolve to the internal IP and everything is good , my issue start when Guest users are trying to go to the same internal webserver ,then got resolve to the public IP and it does not display the page.

I read about DNS doctoring but as i said i'm not a pro with ASA , can someone help me with that plz.
I would appreciate .

Thank you

Access list are in place as well.

Re: Guest User can't access internal webserver on DMZ

JakeYllus — Mon, 16 Jan 2023 23:51:49 GMT

Forget to mention . I'm running version 9.16(4)

Re: Guest User can't access internal webserver on DMZ

JakeYllus — Mon, 16 Jan 2023 23:54:12 GMT

Four interface on the ASA : inside, outside, dmz, guest

Webserver public IP : 200.200.200.3 and private ip : 10.30.30.57

Re: Guest User can't access internal webserver on DMZ

Rob Ingram — Tue, 17 Jan 2023 08:13:34 GMT

@JakeYllus configure a NAT reflection rule, here is an example.

Re: Guest User can't access internal webserver on DMZ

Karsten Iwen — Tue, 17 Jan 2023 08:49:03 GMT

DNS doctoring is quite easy. Just add the "DNS" option to the NAT rule for the Web-server. The only restriction is that this Webserver-NAT rule has to be a static 1:1 NAT rule and not "only" a port forwarding.

Re: Guest User can't access internal webserver on DMZ

Marius Gunnerud — Tue, 17 Jan 2023 09:20:02 GMT

As it has been mentioned by others here, you need to configure DNS doctoring / re-write either by adding the DNS keyword at the end of the NAT statement for the relevant server or via ASDM selecting "Translate DNS replies that match this rule" under the relevant NAT rule.

Since this re-writes the DNS reply from the public IP to the private IP, you will also need to create an access rule for the guest users that allows access to the private IP of the webserver otherwise they will still not get access.

Re: Guest User can't access internal webserver on DMZ

JakeYllus — Wed, 18 Jan 2023 05:08:13 GMT

Hello @Karsten Iwen !
Thanks for your help , just for me to understand .
I have to add the DNS option to the NAT rule that allow the webserver to be accessible from the outside ?

As i said the server is on DMZ so i should look for a rule ( DMZ,OUTSIDE ) ??
Thanks in advance for you response.

Re: Guest User can't access internal webserver on DMZ

Karsten Iwen — Wed, 18 Jan 2023 07:14:08 GMT

Exactly. An Example:

Real IP of DMZ-Server: 172.16.1.80
public IP of DMZ-Server: 192.0.2.80, this is the DNS entry for www.company.com
a NAT entry (DMZ,outside) to translate these two IPs with the DNS option

A client on the inside (any internal network including guest) asks Google DNS for the IP of www.company.com
Google returns the IP 192.0.2.80
The ASA/FTD compares this DNS answer to the NAT entries and finds a translation for the public IP and the DNS option
The ASA/FTD changes the DNS answer from 192.0.2.80 to 172.16.1.80
the client learns that the server has 172.16.1.80 and does the web request.

Another restriction: The client has to use pure DNS, no DNScrypt, DoT, DoH or something.

Re: Guest User can't access internal webserver on DMZ

Marius Gunnerud — Wed, 18 Jan 2023 09:14:14 GMT

You should be looking for a NAT rule for Webserver public and webserver private IPs and add the DNS keyword to this one.

If you are having trouble identifying which rule it is, you can either post the NAT output here or you can create a "twice NAT" rule between the guest network and the webserver where you NAT the webserver public IP to its private IP and the maintain the guest network IP as original.

Re: Guest User can't access internal webserver on DMZ

JakeYllus — Thu, 19 Jan 2023 04:49:51 GMT

Thanks again @Marius Gunnerud
I tried to configure it but give me an error each time, maybe i'm doing it wrong.

How will it look on GUI ?

Thank you

Re: Guest User can't access internal webserver on DMZ

Marius Gunnerud — Thu, 19 Jan 2023 09:43:28 GMT

If you are looking to configure twice NAT it would look something like the following

Original Packet
source interface: Guest
Source address: 192.168.1.0/24

destination interface: dmz
destination address: 200.200.200.3

Translated Packet
Source NAT Type: Static
Source Address: 192.168.1.0/24

Destination address: 10.30.30.57

In addition to this you need to configure an access rule for Guest network to access 10.30.30.57

Re: Guest User can't access internal webserver on DMZ

JakeYllus — Mon, 23 Jan 2023 00:37:18 GMT

Hello @Marius Gunnerud

That worked beautifully 🙂
Thanks for your help .