01-25-2013 08:37 AM - edited 03-11-2019 05:52 PM
Hello,
I’m working with a network that has been set up with a wireless interface for wifi, an inside interface for a staff LAN and of course the outside interface.
There is a webserver hosting a website on the inside of the staff network/subnet.
For the sake of argument:
Staff’s subnet is using: 192.168.1.0
Wireless is using: 10.16.0.0.
The website is hosted on a static IP, 192.168.1.10, and is NAT’d out as X.X.X.10.
Wireless users are using an external DNS server, and when they try to connect to the site’s website on the public address, X.X.X.10, it fails. Everyone outside of the building can access the site fine. Everyone on the Staff LAN is also fine, thanks to a local DNS server and being able to directly access 192.168.1.10; however, if they hit X.X.X.10, it also fails or doesn’t rewrite. Access rules are in place for HTTP/HTTPS etc. for the webserver. There are no extra rules specifically allowing the wireless users on the 10.16.0.0 network to access the server, though. I’m wondering if that’s the key issue with the setup. I’ve run a packet trace from the wireless network pointing to the webserver, and each way I run it, it says Config Implicit Rule. I just wonder if it needs to be set up on a different interface. I only have 2 rules for the inside and two rules for the wireless; the typical any ip any and any ip deny rules. Everything else is configured on the Outside interface for access to different servers etc.
It’s set up like this (excuse my text diagram):
{Internet }-----------Firewall-------- Staff Lan: 192.168.1.0 (Inside interface; Webserver resides on this Subnet)
|
|
Wireless Lan(Wireless Interface)
10.16.0.0
ASA Version 8.0(5)
Security levels of Inside and Wireless interfaces are set to 100.
I have enabled DNS Rewrite on the NAT.
static (inside,outside) X.X.X.10 obj-192.168.1.10 netmask 255.255.255.255 dns
And the inspection policy looks like this:
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
Perhaps there are just more pieces to the puzzle and not everything is in place for the DNS Rewrite to even work.
Any help, or pointing me in the right direction etc, would be very appreciated.
Thank you,
Mike
01-25-2013 01:06 PM
Hi,
To my understanding the DNS rewrite should work, as you have the "dns" parameter for the server Static NAT towards outside and also have "inspect dns" enabled. DNS rewrite should work for hosts that do a DNS query to a server that’s on the public network. In other words, when the users on the wifi ask a public DNS server for the public IP address of the server, the ASA should rewrite the public IP address to the private IP address before the DNS reply reaches the wifi host.
I don’t see a reason why the "packet-tracer" would fail. On the other hand, if you are using the public NAT IP address as the destination IP address it probably doesn’t show correctly, and you can’t really test the DNS rewrite thing with the "packet-tracer".
If you want to really check what’s happening with regards to the DNS operation, I would suggest configuring a packet capture on the ASA for the DNS traffic on the wifi interface and seeing if the ASA actually changes the DNS replies before they reach the host doing the DNS query.
If you could share the configurations (except for possible sensitive information) and the "packet-tracer" commands and output with us, we could go through those and see if there are any problems there. I can also help you with the packet capture configurations if needed.
- Jouni
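The rewrite Jouni describes, modelled in Python as an added example (not code from this thread or from Cisco): parse a DNS reply, list its A answers, and rewrite an answer that equals the static's mapped address to the real address, which is what the ASA does for a static carrying the dns keyword with DNS inspection on. 203.0.113.10 is a constructed stand-in for X.X.X.10; a_answers() can be run on a reply pulled from the capture he suggests to see whether 192.168.1.10 or the public address actually reached the wifi host.

```python
import socket
import struct

# Static from the thread, public X.X.X.10 <-> 192.168.1.10; 203.0.113.10 is a constructed stand-in.
NAT_STATIC = {"203.0.113.10": "192.168.1.10"}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def _a_rdata_offsets(msg):
    """Yield the offset of the 4-byte RDATA of each A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12  # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10  # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:  # A record
            yield off
        off += rdlen

def a_answers(msg):
    """IPv4 addresses in the answer section; run on a reply pulled from a capture."""
    return [socket.inet_ntoa(msg[o:o + 4]) for o in _a_rdata_offsets(msg)]

def doctor(msg, nat=NAT_STATIC):
    """Rewrite A answers equal to a NAT mapped address to the real address, as the ASA does."""
    out = bytearray(msg)
    for o in _a_rdata_offsets(msg):
        ip = socket.inet_ntoa(msg[o:o + 4])
        if ip in nat:
            out[o:o + 4] = socket.inet_aton(nat[ip])
    return bytes(out)

def build_response(name, ip, txid=0x1234):
    """Constructed reply from a public resolver: one question, one A answer, TTL 300."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # standard response, no error
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer
```

A reply that still lists the public address after passing the ASA means the rewrite did not happen for that flow; a reply listing 192.168.1.10 means it did.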