ASA 5505 nat/access rules

dino.omerovic
Level 1

Running on ASA Version 8.2(5), I have a config like this:

INTERNAL   192.168.0.0/24   vlan 1
GUEST      10.10.10.0/24    vlan 5
OUTSIDE    internet IP (95.97.88.229)   vlan 3

The internal network has its own DNS and DHCP server and hosts an Exchange server on 192.168.0.21; its outside IP address is 95.97.88.229 and it works perfectly.

The guest network is on a separate VLAN, so the networks are separated. The ASA provides DHCP addresses and refers clients to a DNS server from the ISP. Dynamic NAT is configured to allow GUEST users to go to the internet, and that works OK. GUEST users should also be able to access OWA on the internal network at the 192.168.0.21 IP address. This part does not work. Other users on the internet are able to connect to OWA, so it works from external networks.

There is only one dynamic NAT rule on the guest network that gives almost all known protocols access to the internet.

My problem is that a client like 10.10.10.10 on the guest network cannot connect to 95.97.88.229 (Exchange OWA) running on the internal network.

What is the right way to solve this? Could I somehow add a static NAT rule from guest to internal for only that server IP and HTTPS, or is my answer DNS rewrite? I only want guest users to access the internet and OWA, and not other parts of the internal network. As I understand it, DNS rewrite is useful for the same internal network, and I have two separated internal networks (guest and internal), so I am not sure this will work.

4 Replies

Andrew Phirsov
Level 7

DNS doctoring should do the trick. It doesn't matter whether the clients are on the same network or a different one, like in your case.

Thanks for your reply!

Just to make sure:

Do I enable DNS doctoring ("DNS rewrite") on my static NAT rule for my Exchange server on the inside network?

I have 2 rules, one for https and one for smtp. Do I need to enable it on both?

static (inside,outside) tcp 95.97.88.229 smtp 192.168.0.21 smtp netmask 255.255.255.255

static (inside,outside) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255

Let me know please!

As the above poster suggested, you can use DNS doctoring. Here's how to do it:

Just add the 'dns' keyword to the end of your HTTPS static NAT rule.

static (inside,outside) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255 dns

You will also need to turn on DNS inspection on the ASA for it to work.

policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns MY_DNS_INSPECT_MAP

Alternatively, you can use split DNS with your internal DNS server and set your guest network's DNS server to your internal DNS server. Be sure to allow only DNS traffic through the firewall to those IPs.

I have tried your suggestion with no luck!

I added the dns keyword at the end of my static NAT rule, and I already had DNS inspection on.

After that I tried one simple thing, and that is working for me.

I created one static NAT rule like this:

static (inside,GUEST) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255

and now it's working.

As my guest network is on the 10.10.10.0/24 range, I would like to know if this is a clean solution, because I am introducing the IP 95.97.88.229 to my guest network with my static NAT rule?
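The thread's opening post asks for guest users to reach the internet and OWA only, and nothing else on the inside. The static between inside and GUEST in the last post handles the translation but by itself does not restrict what the guest VLAN can reach. The following ASA 8.2-style configuration is an added example written for this thread, not a poster's config: it keeps that static and adds an inbound access list on the guest interface that permits only TCP/443 to the mapped address and explicitly denies the rest of 192.168.0.0/24. The interface name GUEST, its security level, the guest gateway address 10.10.10.1, the NAT id 1 and the ACL name GUEST_IN are assumptions; the IP addresses are the ones given in the thread.

```cisco
! Added example (not from this thread). Guest VLAN interface; name,
! security level and gateway address are assumptions.
interface Vlan5
 nameif GUEST
 security-level 10
 ip address 10.10.10.1 255.255.255.0
!
! Dynamic NAT for guest clients going to the internet (NAT id 1 assumed).
nat (GUEST) 1 10.10.10.0 255.255.255.0
global (outside) 1 interface
!
! Static PAT between inside and GUEST, as in the thread: a guest host
! connecting to 95.97.88.229:443 is translated to the Exchange server at
! 192.168.0.21:443. Only TCP/443 is mapped, so no other service on the
! server is reachable through this translation.
static (inside,GUEST) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255
!
! Inbound access list on GUEST (name assumed). Order matters: the OWA
! permit comes first, then a deny for the whole internal range, then the
! internet. DNS to the ISP resolver is covered by the final permit.
access-list GUEST_IN extended permit tcp 10.10.10.0 255.255.255.0 host 95.97.88.229 eq https
access-list GUEST_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group GUEST_IN in interface GUEST
```

Two checks are worth running after applying this. `packet-tracer input GUEST tcp 10.10.10.10 12345 95.97.88.229 443` should show the static translation being applied and the ACL permitting the flow, while `packet-tracer input GUEST tcp 10.10.10.10 12345 192.168.0.21 443` should be dropped by the access list; `show xlate` then shows the active translation for a real OWA session. Because 95.97.88.229 is not inside the 10.10.10.0/24 range, guest hosts reach it through their default gateway (the ASA) rather than by ARP on the guest segment, and it is the access list, not the static, that keeps the remainder of the internal network unreachable from the guest VLAN.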
