topic Re: Problem Accessing Web Server on DMZ from Internal Network in Network Security

Problem Accessing Web Server on DMZ from Internal Network

patelparth3 — Fri, 04 Oct 2019 21:11:35 GMT

DMZ                                 Internal Network
192.168.0.0   -------Firewall-------192.168.1.0
255.255.255.0           |           255.255.255.0
                        |
                        |
                     Internet
                     204.0.0.3

Web Server: 192.168.0.11 - NAT 204.0.0.11
Internal Net Accessing Internet: 192.168.1.0 - NAT 204.0.0.3

Firewall: ASA ver 7.0

Ok, I'm having an odd problem. I have setup a web server on our DMZ with a private IP address. The firewall is ARPing for the address 204.0.0.11 and forwarding it to the private address on the DMZ. This works fine when accessing from anywhere on the Internet. The problem I am having is that people on the Internal network can't get to the website. They can get to anywhere else on the Internet. I can't figure out what is happening. The Internal requests should go out the external interface of the firewall, get NAT'ed to a real IP address, then try and access the real IP of the website, and come back through, just like accessing any other website out there on the Internet. I see the request going through the firewall, but nothing ever seems to come back to the client.

I don't want the Internal network to have direct access to the DMZ. Am I doing this wrong?

* All IP addresses have been changed to protect the innocent.

Re: Problem Accessing Web Server on DMZ from Internal Network

bhargavdesai — Sat, 05 Oct 2019 05:08:55 GMT

You require U turn/Hairpin NAT or DNS Doctoring (If supported by your version)
Few references
https://community.cisco.com/t5/security-documents/dns-doctoring-and-u-turning-on-the-asa-quot-when-and-how-to-use/ta-p/3153693

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/1150-cisco-asa-firewall-nat-reflection-loopback-hairpinning-configuration.html

HTH
### RATE ALL HELPFUL RESPONSES ###

Re: Problem Accessing Web Server on DMZ from Internal Network

Marius Gunnerud — Sat, 05 Oct 2019 07:26:45 GMT

Hairpinning is not required here unless DNS and internal networks are hanging off the same physical interface. But DNS rewrite (aka DNS doctoring) is where to start, but for this to work DNS server needs to be located off a different firewall interface than the internal network. This is done by adding the DNS keyword at the end of the NAT statement for the web server.

If this does not work, please provide a full running configuration of your ASA (remove any public IPs, usernames and passwords). Also, provide the model of ASA you are running.

Re: Problem Accessing Web Server on DMZ from Internal Network

Deepak Kumar — Sat, 05 Oct 2019 07:35:40 GMT

Hi,

This is not current configuration but it is required some extra configuration as Hairpin NAT or uses an internal DNS server to redirect your traffic to the web server using the internal IP address only.

DNS Setup Maybe likes:

DNS name: www.xyz.com and Host IP: 192.168.0.X

DNS Name: xyz.com and Host IP: 192.168.0.x

Hairpin Solution Maybe like:

https://networklessons.com/cisco/asa-firewall/cisco-asa-hairpin-internal-server

https://www.petenetlive.com/KB/Article/0000040

Re: Problem Accessing Web Server on DMZ from Internal Network

patelparth3 — Mon, 14 Oct 2019 20:07:46 GMT

Here is the configuration -

!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 204.0.0.3 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 204.0.0.11 eq www

icmp deny any OUTSIDE

global (OUTSIDE) 100 interface
global (OUTSIDE) 110 204.0.0.11

nat (INSIDE) 100 192.168.1.0 255.255.255.0
nat (DMZ) 110 192.168.0.0 255.255.255.0

static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255

access-group OUTSIDE_IN in interface ISP

route ISP 0.0.0.0 0.0.0.0 204.0.0.2 1

Please let me know what I need to configure to reach my goal.

Re: Problem Accessing Web Server on DMZ from Internal Network

Marius Gunnerud — Mon, 14 Oct 2019 21:14:57 GMT

you just need to add "dns" to the end of the NAT statment. If this doesnt work, you will need to explain more about your network, in particular where you have your DNS server.

static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255 dns

Would recommend upgrading your ASA software as the version you are running is end of support at the end of this month.

Re: Problem Accessing Web Server on DMZ from Internal Network

patelparth3 — Mon, 14 Oct 2019 22:00:05 GMT

-> My DNS server is outside of the network. I am using ISP's DNS server.

-> Do you I need to configure ACL from DMZ to INSIDE ?

Re: Problem Accessing Web Server on DMZ from Internal Network

Marius Gunnerud — Mon, 14 Oct 2019 22:33:52 GMT

No ACL is needed.

Re: Problem Accessing Web Server on DMZ from Internal Network

patelparth3 — Sat, 19 Oct 2019 22:59:41 GMT

Do I need to enable DNS inspection on ASA. According to my network topology/scenario, I am not able to go to web server. Web server can be accessed from outside world but not from ASA's inside to DMZ.

Please help.

Re: Problem Accessing Web Server on DMZ from Internal Network

Marius Gunnerud — Sat, 19 Oct 2019 23:42:34 GMT

No you do not need DNS inspection, besides DNS inspection should be enabled by default unless you have cleared all the config and configured from scratch.

most likely your DNS resolution on the inside network returns the public IP of your web server. If this is the case, then the solution provided in this post is the correct solution. However, if you are restriction access with an ACL on the inside interface you need to allow traffic to the private IP of the web server.

A different option would be to configure twice NAT and NAT the destination public IP to the private IP of the web server. Same as with using the DNS keyword, if you use an access list on the inside interface you will need to allow this traffic in that ACL also.