03-30-2010 08:09 AM - edited 02-21-2020 03:54 AM
Not sure if loopback is the right term, but here's the scenario:
Small business with a 5510. External domain name.
I have searched online and found articles suggesting a split DNS: setting an entry for mail.domain.com to point to the private address on our internal DNS server. I tried this, but we also have a website, www.domain.com, that is hosted outside our network on our ISP's servers. With that DNS entry in place our in-house staff cannot access our company's website.
How can I configure the ASA so that the traffic flows back correctly?
Our setup includes:
Windows 2003 Standard SP2 DNS server
Windows 2008 Enterprise SP2 Exchange 2007
CISCO ASA 5510
CISCO 870 ROUTER
CISCO CATALYST 2960
I guess I should also mention that everything worked fine with just a simple home brand router (no asa and just an unmanaged switch). But obviously that equipment wasn't practical for our setup.
04-03-2010 04:07 PM
Derrick,
On your internal DNS create a zone for your external DNS "domain.com". Then just add any entries that you would like internal users to access, with the appropriate IP addresses. The only issue with this configuration is that if external records pointing to global IP addresses change, you will have to manually make the change too, e.g. www (if hosted externally and moves to a new provider). This should not be a big deal!
Host entries would work too, but that's lame!
If you do not want to maintain a copy of your external DNS records on your internal DNS, I suggest you carefully read the blog entry from Collin Clark's post and set up Bidirectional NAT.
You may also need to setup U-Turn (Hairpinning) same-security-traffic permit intra-interface depending on the placement of devices.
A diagram of your topology would be helpful! ASA config too! Be careful to sanitize it first!
I really like just adding the external zone to the internal DNS; your setup sounds a lot like many of my customers'. Keeping the ASA configuration simple might be a good idea unless you're up for the challenge! Remember, you have to maintain this, not me, nor anyone else!
Hope this helps,
Mike
03-30-2010 08:25 AM
Check this document, it should help you out.
http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html
03-30-2010 05:59 PM
You can use the dns doctoring feature on the ASA.
On the static translation command for the mail server, just add the "dns" keyword at the end of the statement.
When an internal user requests DNS resolution for the mail server from the external DNS server, and the traffic goes through the ASA firewall, once the DNS reply returns back through the ASA, the ASA will modify the resolution from the external IP address to its corresponding private IP address if the "dns" keyword is configured at the end of the mail server static translation.
Hope that helps.
04-02-2010 01:34 PM
Thanks for your response. But could you elaborate on how to do this? I have very little experience with the ASA and I am not totally sure how to do what you instructed.
04-02-2010 03:04 PM
Sure, assuming that the following is the static statement for your webmail server:
static (inside,outside) public-ip private-ip netmask 255.255.255.255
You can remove the above and add the "dns" keyword as follows:
static (inside,outside) public-ip private-ip netmask 255.255.255.255 dns
Hope that helps.
04-03-2010 08:11 AM
This is what I used:
static (inside,outside) tcp interface https 192.168.1.11 https netmask 255.255.255.255 dns
but I'm still not able to access www.domain.com behind the firewall
04-03-2010 03:13 PM
When the internal users try to access www.domain.com, does the DNS request go through the firewall? I.e., are they using the external DNS server for DNS resolution, where the DNS request and reply go through the firewall? If yes, then it should work.
If you are using the internal DNS server, or the DNS request does not go through the firewall, then the "dns" keyword will not work.
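As an added illustration (not code from any poster or from Cisco), the DNS-doctoring behaviour described in the 03-30 05:59 PM post and qualified in the 04-03 03:13 PM reply, modelled in Python: the ASA only sees a DNS reply that transits it, and for each A record whose address has a static with the dns keyword it rewrites the RDATA to the private address. The static table, host names and addresses are constructed placeholders.

```python
import socket
import struct
# Constructed static table for statics carrying the "dns" keyword (public -> private).
# www.domain.com is hosted at the ISP and has no static, so its record is never rewritten.
STATIC_DNS = {"203.0.113.10": "192.168.1.11"}   # mail.domain.com, placeholder addresses

def _skip_name(buf, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def _answer_rdata(buf):
    """Yield (rtype, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4           # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def doctor_reply(reply, nat=STATIC_DNS):
    """Rewrite A-record RDATA from public to private IP, as the ASA does with the dns keyword."""
    buf = bytearray(reply)
    for rtype, off, rdlen in _answer_rdata(buf):
        if rtype == 1 and rdlen == 4:            # type A, IPv4 address
            public_ip = socket.inet_ntoa(bytes(buf[off:off + 4]))
            if public_ip in nat:
                buf[off:off + 4] = socket.inet_aton(nat[public_ip])
    return bytes(buf)

def answer_ips(reply):
    """Return the IPv4 addresses in the answer section, for inspection."""
    return [socket.inet_ntoa(bytes(reply[off:off + 4]))
            for rtype, off, rdlen in _answer_rdata(reply) if rtype == 1 and rdlen == 4]

def build_reply(name, ip, txid=0x1234):
    """Constructed minimal DNS response: one question, one A answer using a compressed name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Only an answer whose address matches an entry in the static table is rewritten; the www record comes back exactly as the external server sent it, and a reply that never crosses the ASA is never passed through this step at all.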
04-06-2010 06:55 AM
Workstations are set up to use the internal DNS server and also an external DNS server hosted by our ISP. mail.domain.com and www.domain.com are being resolved by the external DNS server. I have no entries on our DNS server that resolve those two URLs.
04-06-2010 07:54 AM
Mike,
Thanks for the response. I've tried setting up a domain.com zone on our internal DNS server. I'm able to access mail.domain.com internally but not www.domain.com. I have an A record pointing www.domain.com to the public IP of the site, but is there anything else I need to do to get this working? The way I set up the zone was by creating a new zone under "Forward Lookup Zones"; the type of zone I used was "Primary zone". I attached what you requested with my reply. The zip file is password protected; I will send you a private message with that password. Thanks again -Derrick
04-06-2010 10:33 AM
I guess I didn't wait long enough after making those changes to the DNS server. I came back from lunch and it's working fine now. Thanks again for the help.
04-06-2010 01:35 PM
Derrick,
You could have done an "ipconfig /flushdns" on the workstations and run the Microsoft DNS management tool from a workstation or server, clicked on "View", then made sure the "Advanced" option was checked. Under the Cached Entries find your domain and delete any entries that may be invalid.
Glad you made this work!
Thanks,
Mike