topic why can not browse web site which DNS server placed in outside in Network Security

why can not browse web site which DNS server placed in outside

martlee2 — Tue, 26 Mar 2019 00:56:10 GMT

i change to place DNS server which is the same VM of web server in outside of ASA

and expect to browse web site from inside, but failed

https://drive.google.com/file/d/0Bxs_ao6uuBDUUFFRNlpETTR1dGs/view?usp=sharing

https://drive.google.com/file/d/0Bxs_ao6uuBDUOXlVa3lMbC1UcUk/view?usp=sharing

ubuntu--192.168.1.2--Switch1 192.168.1.254--inside--192.168.1.7ASA115.0.0.15--outside--115.0.0.16 Router 10.0.0.1--10.0.0.7 web site

DNS 10.0.0.23

ASA

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www
access-group acl_outside_new in interface outside
end
conf t
object network Web_INSIDE
host 192.168.1.254
nat (inside,outside) static interface service tcp 80 80
end
conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
end

3725 Switch1
conf t
hostname Switch1
vlan 5
int vlan 5
ip address 192.168.1.254 255.255.255.0
end
conf t
int fa1/1
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/2
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/3
switchport
switchport access vlan 5
switchport mode access
shut
no shut
end

verify:
packet-tracer input outside tcp 115.0.0.16 80 192.168.1.2 80 detailed
packet-tracer input inside tcp 192.168.1.2 80 115.0.0.16 80 detailed

packet-tracer input outside tcp 10.0.0.23 80 192.168.1.2 80 detailed
packet-tracer input inside tcp 192.168.1.2 80 10.0.0.23 80 detailed

Hi martlee2,You should put

andre.ortega — Thu, 28 May 2015 20:56:57 GMT

Hi martlee2,

You should put that ACL (acl_outside_new) on interface inside.

Also, I am not sure about what you are doing with these NATs.

If you want just to access the web server on outside, from inside, you may use something like this:

object network nat-MyLAN

subnet 192.168.1.7 255.255.255.0
nat (inside,outside) dynamic interface

Regards.

i have applied acl_outside

martlee2 — Fri, 29 May 2015 00:10:27 GMT

i have applied acl_outside_new on interface inside, but can not access the web server outside

not only access the web server, expect to access all kind of web in outside.

i change to use dynamic NAT with overload, still can not access the web outside from inside

after change:

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www
access-group acl_outside_new in interface inside
end
conf t
object network Web_INSIDE
host 192.168.1.254
nat (inside,outside) static interface service tcp 80 80
end
conf t
object network DNS_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
end
conf t
http server enable
http 192.168.1.7 255.255.255.0 inside
end

Please,try to remove the NAT

andre.ortega — Fri, 29 May 2015 12:29:17 GMT

Please,

try to remove the NAT config from objetc Web_INSIDE.

conf tobject network WEB

martlee2 — Fri, 29 May 2015 18:59:29 GMT

https://drive.google.com/file/d/0Bxs_ao6uuBDUQVdFZ1VzeVJYXzg/view?usp=sharing

conf t
object network WEB_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end

a. if only have dynamic interface, i can see the web with 10.0.0.7/index.html

but after add static route for dns , it can not see www.xxx.com and can not see 10.0.0.7/index.html

b. second thing i do not understand is that why ubuntu need to add static route, when i ping outside router, it return no route, why

it can not use default route to find the way? if i use NAT, it can go to real world internet without return no route for every site. why simulation need to add static route?

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

then i change 192.168.1.2 to 192.168.1.254 which is the device directly connected to ASA, it can

it can see 10.0.0.7/index.html now but can not see www.xxx.com and

conf t
object network DNS_INSIDE
host 192.168.1.2
nat (inside,outside) static 10.0.0.23 dns
end

conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end

ubuntu--192.168.1.2--Switch1 192.168.1.254--inside--192.168.1.7ASA115.0.0.15--outside--115.0.0.16 Router 10.0.0.1--10.0.0.7 web & DNS site (same VM)

DNS 10.0.0.23

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

ASA

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www
access-group acl_outside_new in interface outside
end
conf t
object network WEB_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end
conf t
object network DNS_INSIDE
host 192.168.1.2
nat (inside,outside) static 10.0.0.23 dns
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
router eigrp 1
network 115.0.0.0 255.0.0.0
network 192.168.1.0 255.255.255.0
network 10.0.0.0 255.0.0.0
end

Router1
conf t
hostname Router1
ip routing
int fa0/0
ip address 115.0.0.16 255.0.0.0
shut
no shut
int fa0/1
ip address 10.0.0.1 255.0.0.0
shut
no shut
end
conf t
router eigrp 1
network 115.0.0.0 255.0.0.0
network 10.0.0.0 255.0.0.0
end
conf t
no ip name-server 10.0.0.7
ip name-server 10.0.0.23
end
conf t
line vty 0 4
password cisco
login
end

https://drive.google.com/file

martlee2 — Fri, 29 May 2015 19:32:53 GMT

https://drive.google.com/file/d/0Bxs_ao6uuBDUX0c4aTM1M2lqc2s/view?usp=sharing

actually no need

conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end

after using this static NAT, this will influence other connection such as telnet connection from inside to outside router

my lab notes want to demonstrate web server inside and DNS server outside,

but i am confused by its virtual ip 10.0.0.23 which is not using by any ports.

finally i use back the static ip address which is using by DNS server instead of virtual ip. i succeed to browse the web.

now i try tofollow the idea

martlee2 — Fri, 29 May 2015 22:49:52 GMT

now i try to

follow the idea of web site inside and DNS outside and let ubuntu browse the web from inside

but failed.

as i tried before , that dns static NAT will influence dynamic interface , i guess that no one in DMZ will browse real internet from inside to outside, i do not add dynamic interface to mix with static NAT

however, only static NAT dns, still failed, why?

https://drive.google.com/file/d/0Bxs_ao6uuBDUM2h6V2tuSHVqREk/view?usp=sharing

web site 192.168.1.120

ubuntu--192.168.1.2--Switch1 192.168.1.254--inside--192.168.1.7ASA10.0.0.9--outside--10.0.0.7 DNS site

DNS 10.0.0.23

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

ASA

conf t

interface GigabitEthernet0

description INSIDE

nameif inside

security-level 50

ip address 192.168.1.7 255.255.255.0

no shutdown

end

conf t

interface GigabitEthernet1

description OUTSIDE

nameif outside

security-level 0

ip address 10.0.0.9 255.0.0.0

no shut

access-list acl_outside_new extended permit tcp any any eq www

access-group acl_outside_new in interface inside

end

conf t

object network DNS_INSIDE

host 192.168.1.254

nat (inside,outside) static 10.0.0.23 dns

end

conf t

route outside 0.0.0.0 0.0.0.0 10.0.0.7 1

router eigrp 1

network 192.168.1.0 255.255.255.0

network 10.0.0.0 255.0.0.0

end

3725 Switch1

conf t

hostname Switch1

vlan 5

int vlan 5

ip address 192.168.1.254 255.255.255.0

end

conf t

int fa1/1

switchport

switchport access vlan 5

switchport mode access

shut

no shut

int fa1/2

switchport

switchport access vlan 5

switchport mode access

shut

no shut

int fa1/3

switchport

switchport access vlan 5

switchport mode access

shut

no shut

end

conf t

line vty 0 4

password cisco

end

conf t

ip route 10.0.0.0 255.0.0.0 192.168.1.7

ip route 115.0.0.0 255.0.0.0 192.168.1.7

end