Cannot access a website, from one interface, that is hosted behind a different interface; on same ap...

Michael Vela · ‎01-25-2013

Hello,

I’m working with a network that has been setup with a wireless interface for wifi, an inside interface for a staff lan and of course the outside interface.

There is a webserver hosting a website on the inside of the staff network/subnet.

For the sake of argument:

Staff’s subnet is using: 192.168.1.0

Wireless is using: 10.16.0.0.

The website is hosted on a static IP on the 192.168.1.10 and is NAT’d out as X.X.X.10.

Wireless users are using an external DNS server and when they try and connect to the site’s website on the, public address, X.X.X.10 IP it fails. Everyone outside of the building can access the site fine. Everyone on the Staff Lan are also fine, thanks to a local DNS server and being able to directly access 192.168.1.10; however if they hit the X.X.X10, it also fails or doesnt rewrite. Access Rules are in place for HTTP/HTTPS etc for the webserver. There are no extra rules allowing the wireless users on the 10.16.0.0 network to access the server specificially though. I’m wondering if that’s the key issue with the setup. I’ve ran a packet trace from the wireless network pointing to the webserver and each way I run it, it says Config Implicit Rule. I just wonder if it needs to be setup on a different interface. I’ve only have 2 rules for the inside and two rules for the wireless; the typical any ip any and any ip deny rules. Everything else is configured on the Outside Interface for access to different servers etc.

Its setup like this (Excuse my text diagram):

{Internet }-----------Firewall-------- Staff Lan: 192.168.1.0 (Inside interface; Webserver resides on this Subnet)

|

Wireless Lan(Wireless Interface)

10.16.0.0

ASA Version 8.0(5)

Security levels of Inside and Wireless interfaces are set to 100.

I have enabled DNS Rewrite on the NAT.

static (inside,outside) X.X.X.10 obj-192.168.1.10 netmask 255.255.255.255 dns

And the Inspection Policiy looks like this:

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

Perhaps there are just more pieces to the puzzle and not everything is in place for the DNS Rewrite to even work.

Any help, or pointing me in the right direction etc, would be very appreciated.

Thank you,

Mike

Jouni Forss · ‎01-25-2013

Hi,

To my understanding the DNS rewrite should work as you have the "dns" parameter for the server Static NAT towards outside and also have the "inspect dns" enabled. DNS rewrite should work for hosts that do DNS query to a server thats on the public network. In other words when the users on the wifi ask a public DNS server for the public IP address of the server the ASA should rewrite the public IP address to the private IP address before the DNS reply reaches the wifi host.

I dont see a reason why the "packet-tracer" would fail. On the other hand if you are using the public NAT IP address as the destination IP address it probably doesnt show correctly and you cant really test the DNS rewrite thing with the "packet-tracer"

If you want to really check whats happening with regards to the DNS operation I would suggest configuring a packet capture on the ASA for the DNS traffic on the wifi interfaces and see if the ASA actually changes the DNS replies before they reach the host doing the DNS query

If you could share the configurations (except for possible sensitive information) and the "packet-tracer" commands and output with us we could go through those and see if there is any problems there. I can also help you with the packet capture configurations if needed.

- Jouni

Cannot access a website, from one interface, that is hosted behind a different interface; on same appliance