topic Re: Webmail not opening from inside IPs in Network Security

Webmail not opening from inside IPs

Shibu Sreedharan — Mon, 11 Mar 2019 18:55:21 GMT

Dear All,

We are unable to access webmail from inside ips using https://mail.companyname . but we can access same thing from outside internet.

We use IP from our pool public IP for PAT as well as this webmail natting.

Is there any way we can access webmail from inside ips

we have asa 8.2 (1)

Thanks

Re: Webmail not opening from inside IPs

Kureli Sankar — Sun, 17 Oct 2010 13:26:06 GMT

Shibu,

When you ping mail.company name from the inside hosts what do you get? The inside IP of webmail or outside IP of webmail?

Where is your DNS server?

Is this an internal DNS server?

Why doesn't it resolve to the inside IP of webmail?

On the browser issue http://inside_ip_address/exchange and see if it loads (I am assuming it is exchange).

If it does then pls. change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company

-KS

Re: Webmail not opening from inside IPs

Shibu Sreedharan — Sun, 17 Oct 2010 15:24:31 GMT

Dear Kusankar,

Thanks for the reply.

Please find my answers.

When you ping mail.company name from the inside hosts what do you get? The inside IP of webmail or outside IP of webmail?

I get outside IP of webmail when i ping mail.company.net.

Where is your DNS server

In PCs we have local server as DNS server . in the DNS server we have given our ISP dns severs IP in forweded list.

Is this an internal DNS server?

In PCs we have local server as DNS server . in the DNS server we have given our ISP dns severs IP in forweded list.

Why doesn't it resolve to the inside IP of webmail?

On the browser issue http://inside_ip_address/exchange and see if it loads (I am assuming it is exchange).

If it does then pls. change the inside DNS server to hand out the inside IP address when computers want to resolve mail.company

How to do this DNS handout ?

Please find below some partial configuration of my ASA.

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address *.186 255.255.255.252

interface Ethernet0/1

nameif BACKUP

security-level 0

ip address *.202 255.255.255.248

interface Ethernet0/2

nameif INSIDE

security-level 100

ip address 10.10.10.10 255.255.255.0

access-list outside_access_in extended permit tcp any host 94.200.* eq https

global (outside) 1 interface

global (outside) 3 94.*

global (BROADCAST) 2 10.20.2.11-10.20.2.15 netmask 255.255.255.0

nat (INSIDE) 0 access-list INSIDE_nat0_outbound

nat (INSIDE) 2 access-list INSIDE_BROADCAST

nat (INSIDE) 3 access-list ROUTE_ADSL

nat (INSIDE) 1 0.0.0.0 0.0.0.0

static (INSIDE,outside) 94.* CASServer2 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 94.* 1 track 1

route BACKUP 0.0.0.0 0.0.0.0 94.* 254

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ftp

inspect esmtp

class class-default

flow-export event-type all destination 10.10.2.16 10.10.2.26

policy-map my-ips-policy

class my-ips-class

ips inline fail-open

Thanks

Re: Webmail not opening from inside IPs

Kureli Sankar — Sun, 17 Oct 2010 16:04:54 GMT

Who manages your inside DNS server? Is this Microsoft DNS server? It needs to be done there.

Create a zone file for your domain and add "A" records for all the sites that you host. Like

ftp.mycompany.com

mail.mycompany.com

www.mycompany.com

Make sure mail.mycompany.com >>>point to 10.10.10.x

-KS

Re: Webmail not opening from inside IPs

Maykol Rojas — Sun, 17 Oct 2010 16:19:34 GMT

Hello Shibu,

I hope you are doing great, this is a very common issue. You can use one of the following options:

1-Create a U turning config, say that the static for your server is

static (inside,outside) netmask 255.255.255.255

You can do another one as this

static (inside,inside) netmask 255.255.255.255

global (inside) 1 interface

same-security-traffic permit intra-interface

2-Change the IP address on the DNS server, say for the domain name for your Webmail instead of resolving to the public, resolve to the private. That will remain locally.

Any of those options can work for you, if you have any questions regarding any of these options let us know, we will be more than glad to help you.

Mike

Re: Webmail not opening from inside IPs

Shibu Sreedharan — Sun, 17 Oct 2010 17:17:05 GMT

Dear both ,

Thanks again for your kind help.

I tried the suggested first option but still i am unable to access webmail from inside

static (INSIDE,outside) 94.*.*. CASServer2 netmask 255.255.255.255
static (INSIDE,INSIDE) 94.*.*. CASServer2 netmask 255.255.255.255

global (inside) 1 interface

same-security-traffic permit intra-interface

Please help further to sort out this issue.

Thanks in advance

Re: Webmail not opening from inside IPs

Maykol Rojas — Sun, 17 Oct 2010 17:25:54 GMT

Hello Shibu,

Would you please paste the output of the following command?

packet-tracer input inside tcp 10.10.10.12 1025 443

Thanks!

Mike

Re: Webmail not opening from inside IPs

Shibu Sreedharan — Sun, 17 Oct 2010 17:51:17 GMT

Dear ,

Please find below the trace

ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.X 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.*.* CASServer2 netmask 255.255.255.255
match ip INSIDE host CASServer2 INSIDE any
static translation to 94.*.*
translate_hits = 0, untranslate_hits = 365
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (INSIDE) 1 0.0.0.0 0.0.0.0
match ip INSIDE any INSIDE any
dynamic translation to pool 1 (No matching global)
translate_hits = 161, untranslate_hits = 0
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510-1#

Re: Webmail not opening from inside IPs

Shibu Sreedharan — Sun, 17 Oct 2010 17:56:29 GMT

Latest trace

========

ASA-5510-1# packet-tracer input INSIDE tcp 10.10.7.20 1025 94.* 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (INSIDE,INSIDE) 94.* CASServer2 netmask 255.255.255.255
match ip INSIDE host CASServer2 INSIDE any
static translation to 94.*
translate_hits = 0, untranslate_hits = 420
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 94.*/0 to CASServer2/0 using netmask 255.255.255.255

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

ASA-5510-1#

Re: Webmail not opening from inside IPs

Maykol Rojas — Sun, 17 Oct 2010 17:59:21 GMT

Seems you are doing it well, for somehow the firewall is not seeing the global (INSIDE) 1 interface

nat (INSIDE) 1 0.0.0.0 0.0.0.0
match ip INSIDE any INSIDE any
dynamic translation to pool 1 (No matching global)

Would you please do a clear xlate and make sure that the global (INSIDE) 1 interface is in the configuration?

Mike

Re: Webmail not opening from inside IPs

Kureli Sankar — Sun, 17 Oct 2010 18:36:42 GMT

Shibu,

These U-Turn x-lates may cause issue later on and may become very hard to manage, troubleshoot and maintain. These are hacks that are used to get things working that are not configured as they should.

My suggestion would be to configure your inside DNS server properly so that it returns the private ip address for the name mail.company.com

-KS

Re: Webmail not opening from inside IPs

Shibu Sreedharan — Thu, 18 Nov 2010 22:26:10 GMT

Dear both,

thanks for your suggestions.

I tried both options and both are working fine for me. but as a security measure i have adopted internal DNS method.

Thanks