topic thank u guys, i 've applied in Network Security

Guest wireless access trough firewall

Bekzod Fakhriddinov — Tue, 12 Mar 2019 06:30:06 GMT

Hi guys. I have like this diagram and guest users must be able to go to some of the internal servers like email, etc .

1 questions is - Must the guest users get it to email server (which is in internal network) only through Outside interface ?

right now I have opened specific ports and ip for access , but some security penetration test examiners don't like it and asked to allow guest access only trough outside... which I can't do cause guest users has internal DNS ip and if I change dns ip to external they go out trough the same Outside int and can't come back to internal network even when I have outside to inside nat rules. why i don't know...

2. why user from guest wirelss (with external dns ip configured) can't go trough Outside int back to Internal network ? How can I fix it ?

sorry my friends , I noticed today for destination NAT i still go from Guest wireless interface to Inside(where are my servers ) directly and guest ip translated to Inside ip--which doesn't re-solve security penetration test request .

For DNS doctor option - if I do ping/nslookup of my webmail address its replying with it's own internal ip which is not good . Is it possible to fix it ?

Will ASA dns doctoring work?

Josh Sprang — Wed, 26 Aug 2015 22:42:31 GMT

Will ASA dns doctoring work?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

I have to admit I am little confused in #1 with your pen testers... Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?

I have to admit I am little

Jon Marshall — Wed, 26 Aug 2015 22:52:52 GMT

I have to admit I am little confused in #1 with your pen testers... Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?

I totally agree.

As long as the guest interface is a lower security level than the inside interface I can't understand what they are talking about.

Unless they just want to class the guest access as external access and want to consolidate all access on the outside interface.

But then to do that you will need to add extra configuration that isn't necessarily intuitive to read and the simpler you can keep the configuration the better I would have thought.

Jon

Nice to know I'm not alone

Josh Sprang — Wed, 26 Aug 2015 23:13:59 GMT

Nice to know I'm not alone with things like that 🙂

let me know if DNS doctoring works

thank u guys, i 've applied

Bekzod Fakhriddinov — Thu, 27 Aug 2015 14:50:13 GMT

thank u guys, i 've applied destination nat and it works , now my guest has external dns ip and able to access trough public ip of our servers.

sorry my friend , I noticed

Bekzod Fakhriddinov — Fri, 28 Aug 2015 17:47:32 GMT

For DNS doctor option - if I do ping/nslookup of my webmail address its replying with it's own internal ip which is not good . Is it possible to fix it ?