Access to internal servers using public IP address

Phill Hodges
Level 1

I have an ASA5540 on 8.2(5) and I am setting up a Guest Wireless network that is on the same interface as our corporate user network, but is completely segregated and uses Google Public DNS (8.8.8.8). I have this all set up, but the only thing I can't get is that users on this network cannot access our external facing DMZ web servers.

1) I have attempted to use DNS doctoring:


static (dmz,outside) external_ip internal_ip netmask 255.255.255.255 dns

(the rule was already in place, I just checked the dns box)

and when I do an nslookup, it does resolve the internal IP but the page won't load. If I type the internal IP into a browser, the page loads (I set up a rule to allow access from the guest network to the DMZ network).

2) I wrote 1:1 static nat rules going the other way:

static (outside,dmz) internal_ip external_ip netmask 255.255.255.255

and pages still could not load.

From what I have read, either of these solutions should work, but neither of them do. What am I missing from this setup?

6 Replies

If the clients use 8.8.8.8, which is the Google DNS, they will not reach your DMZ server because the DNS record at Google will point to the outside address of your web server, not the inside address.

I assume this is your problem if the clients are assigned the google dns.

You can check this by pinging your web server address when you have a guest ip.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

Jon Are Endrerud wrote:

If the clients use 8.8.8.8, which is the Google DNS, they will not reach your DMZ server because the DNS record at Google will point to the outside address of your web server, not the inside address.

The DMZ servers are NAT'd to external addresses. All Internet users can reach the servers with the public IP addresses, just not the users on this guest network.

That is what I'm saying, you need the DNS name to point to the inside address of the server, not the outside address. The traffic from the guest network will not be routed back to the outside ASA.

Give the guest users access to your internal dns with udp/53 access. Use that instead of google. Then be sure to have a record pointing to the inside address of your web server.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

The traffic from the guest network will not be routed back to the outside ASA.

Why not? This is exactly what I want to happen.

Give the guest users access to your internal dns with udp/53 access.

This is not a good solution. I'd really prefer the public to not have access to my Internal DNS.

I contacted Cisco Support and they helped me with this.

First, I needed to create a static NAT rule on the internal interface to DMZ for the Guest network:

static (internal,dmz) WiFi-Guest WiFi-Guest netmask 255.255.255.0

After that, I could add another static NAT rule for my DMZ servers on the internal interface, in addition to the existing rules on the external, i.e.

static (dmz,internal) external_ip internal_ip netmask 255.255.255.255

Once both of those were complete, the pages could load from the DMZ, but not from the rest of the Internal network.
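To make the difference between the original and the final rule sets concrete, here is an added, simplified model (not the ASA's code, and not part of the thread) of how an 8.2 `static (real_ifc,mapped_ifc) mapped real netmask` entry is matched by the interface a packet arrives on. All addresses below are constructed placeholders, not the poster's.

```python
"""Simplified model of ASA 8.2 static NAT destination matching.

A static only translates packets that ARRIVE on its mapped interface, which is
why a (dmz,outside) static does nothing for guest traffic arriving on 'internal'.
Addresses are constructed placeholders for the thread's external_ip / internal_ip
/ WiFi-Guest values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    real_ifc: str    # interface where the real (untranslated) address lives
    mapped_ifc: str  # interface on which the mapped address is seen
    mapped: str      # mapped address or network base
    real: str        # real address or network base
    netmask: str


def parse_static(line: str) -> Static:
    """Parse one 'static (real,mapped) mapped real netmask X [dns]' line."""
    parts = line.split()
    real_ifc, mapped_ifc = parts[1].strip("()").split(",")
    return Static(real_ifc, mapped_ifc, parts[2], parts[3], parts[5])


def translate_dst(rules: List[Static], ingress_ifc: str, dst: str
                  ) -> Optional[Tuple[str, str]]:
    """Return (egress_ifc, real_dst) for a packet arriving on ingress_ifc toward
    dst, or None when no static applies on that interface (plain routing)."""
    d = ip_address(dst)
    for r in rules:
        if r.mapped_ifc != ingress_ifc:
            continue
        mapped_net = ip_network(f"{r.mapped}/{r.netmask}", strict=False)
        if d in mapped_net:
            real_net = ip_network(f"{r.real}/{r.netmask}", strict=False)
            offset = int(d) - int(mapped_net.network_address)  # keep host part
            return r.real_ifc, str(real_net.network_address + offset)
    return None


# Constructed rule sets: the poster's original single static, then the final set.
BEFORE = [parse_static("static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 dns")]
AFTER = BEFORE + [
    parse_static("static (internal,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0"),
    parse_static("static (dmz,internal) 203.0.113.10 10.10.10.10 netmask 255.255.255.255"),
]
```

With BEFORE, a guest packet arriving on `internal` for 203.0.113.10 matches nothing and is simply routed toward the outside; with AFTER it is translated to 10.10.10.10 and sent to `dmz`, and the identity static lets the DMZ reply find its way back to the guest subnet.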

Ok, good luck.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx