01-29-2013 04:16 AM - edited 03-11-2019 05:53 PM
Running on ASA Version 8.2(5) I have the config like this:
INTERNAL 192.168.0.0/24 vlan 1
GUEST 10.10.10.0/24 vlan 5
OUTSIDE internet ip (95.97.88.229) vlan 3
The internal network has its own DNS and DHCP server and hosts an Exchange server on 192.168.0.21; its outside IP address is 95.97.88.229 and it works perfectly.
The guest network is on a VLAN so the networks are separated; the ASA provides DHCP addresses and refers to a DNS server from an ISP. Dynamic NAT is configured to allow GUEST users to go to the internet, and that works OK. GUEST users should also be able to access OWA on the internal network on
192.168.0.21. This part does not work. Other users on the internet are able to connect to OWA, so it works from external networks.
There is only one dynamic NAT rule on the guest network that gives almost all known protocols access to the internet.
My problem is that a client like 10.10.10.10 on the guest network cannot connect to 95.97.88.229 (Exchange OWA) running on the internal network.
What is the right way to solve this? Could I somehow add a static NAT rule from guest to internal for only that server IP and HTTPS, or is my answer DNS rewrite? I only want guest users to access the internet and OWA and not other parts of the internal network. As I understand it, DNS rewrite is useful for the same internal network, and I have two separated internal networks (guest and internal), so I am not sure this will work.
01-29-2013 06:09 AM
DNS doctoring should do the trick. It doesn't matter whether the clients are on the same network or a different one, as in your case.
01-29-2013 06:41 AM
Thanks for your reply!
Just to make sure:
Do I enable DNS doctoring ("DNS rewrite") on my static NAT rule for my Exchange server on the inside network?
I have two rules, one for HTTPS and one for SMTP; do I need to enable it on both?
static (inside,outside) tcp 95.97.88.229 smtp 192.168.0.21 smtp netmask 255.255.255.255
static (inside,outside) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255
Let me know please!
01-29-2013 08:41 AM
As the above poster suggested, you can use DNS doctoring. Here's how to do it:
Just add the 'dns' keyword to the end of your HTTPS static NAT rule.
static (inside,outside) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255 dns
You will also need to turn on DNS inspection on the ASA for it to work.
policy-map type inspect dns MY_DNS_INSPECT_MAP
  parameters
    message-length maximum 512
policy-map global_policy
  class inspection_default
    inspect dns MY_DNS_INSPECT_MAP
Alternatively, you can use split DNS with your internal DNS server and point your guest network's DNS at that internal DNS server. Be sure to allow only DNS traffic through the firewall to those IPs.
01-30-2013 03:16 AM
I have tried your suggestion with no luck!
I added the dns keyword at the end of my static NAT rule, and I already had DNS inspection on.
After that I tried one simple thing, and that is working for me.
I created one static NAT rule like this:
static (inside,GUEST) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255
and now it's working.
As my guest network is on the 10.10.10.0/24 range, I would like to know if this is a clean solution, because I am introducing the IP 95.97.88.229 to my guest network with my static NAT rule.
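Added example, written for this page and not taken from any of the posts above: an ASA 8.2(5) fragment that completes the approach the last post found working. It keeps the static (inside,GUEST) translation so guests reach OWA on the same public address the ISP DNS hands back, and adds an inbound access list on the GUEST interface so guests can reach only the internet and OWA, and nothing else on 192.168.0.0/24. Interface names and addresses are the ones given in the thread; the access-list name GUEST_IN and the internal host 192.168.0.50 used in the second packet-tracer check are assumptions made for the example. On 8.2 an inbound interface ACL is evaluated against the destination the guest host actually sends to, which here is the mapped address 95.97.88.229, not the real 192.168.0.21.

```cisco
! Added example (ASA 8.2 syntax); not the configuration posted in the thread.
!
! 1. Publish OWA to the GUEST segment on its public address, so guests can use the
!    ISP DNS answer unchanged and no DNS doctoring is required on this path.
static (inside,GUEST) tcp 95.97.88.229 https 192.168.0.21 https netmask 255.255.255.255
!
! 2. Limit what GUEST hosts may reach. GUEST_IN is an assumed name.
!    First match wins: OWA on the mapped address, then deny the whole internal
!    network (this also blocks direct use of 192.168.0.21), then anything else
!    (internet, including the ISP DNS server the ASA hands out via DHCP).
access-list GUEST_IN extended permit tcp 10.10.10.0 255.255.255.0 host 95.97.88.229 eq https
access-list GUEST_IN extended deny ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-group GUEST_IN in interface GUEST
!
! 3. Verify from the ASA itself. 192.168.0.50 is an assumed internal host that
!    guests must not be able to reach.
packet-tracer input GUEST tcp 10.10.10.10 40000 95.97.88.229 443
packet-tracer input GUEST tcp 10.10.10.10 40000 192.168.0.50 445
```

The first packet-tracer run should end with "Action: allow" and show the static translating 95.97.88.229:443 to 192.168.0.21:443; the second should be dropped in the ACCESS-LIST phase by the deny line. If the guest segment ever gets a DNS server that answers with the private address 192.168.0.21 instead of the public one, the deny line blocks that connection as well, so the name guests resolve must continue to map to 95.97.88.229.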