11-05-2013 04:01 AM - edited 03-11-2019 08:00 PM
Hey guys,
As a follow up to my previous question:
https://supportforums.cisco.com/message/4077187#4077187
The static nat entry there was used to rewrite DNS request to the outside interface to the internal gateway address which was then PAT-ed to the internal network
Basically I have 3 networks, inside, outside and wireless, and when a client on the wireless network tries to access the mailserver by its external domain name it resolves to the external IP. What it should do is either resolve to the gateway address, which I can PAT to the internal network, or hairpin back on the outside interface address.
I have so far tried to static translate the outside interface to the gateway address which worked, but as a side-effect caused connections directly to the webvpn on the firewall to get un-natted to the wireless network.
Is there a proper way to get this running without using a separate DNS server on the wireless network?
Thanks for reading my question and taking the time to think about it!
John
11-05-2013 04:51 AM
Hi,
So if I understood correctly from your previous discussion and the above information, then you want the users behind "wireless" to access your mail server behind the "inside" interface and the DNS is causing a problem.
If the public DNS is returning the public IP address of the server, then I would imagine you would have the possibility to Static NAT the local server to the public IP address also towards "wireless", the same way it's translated towards "outside".
For example
static (inside,wireless)
This would naturally mean that any connection that the hosts behind "wireless" need to form to the destination server would have to use the public IP address as the destination IP.
Also, to my understanding, if you have already used DNS rewrite in the Static NAT/PAT configuration before to make the ASA change the DNS reply to point to the local IP address, then this should also work for the users behind "wireless".
Let me know if this was what you were looking for and if I understood the situation/requirements correctly.
Hope this helps
- Jouni
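As an added example (not Jouni's configuration and not from the original thread), this is the shape the static NAT with DNS rewrite described above would take. The addresses are constructed: 192.168.10.25 stands for the mail server's real IP on "inside" and 203.0.113.25 for the public IP that the external DNS returns. The first part uses the pre-8.3 "static" syntax this thread uses; the last part is the ASA 8.3+ object NAT equivalent.

```cisco
! Constructed example addresses (not from the thread):
!   mail server real IP on "inside"   : 192.168.10.25
!   public IP returned by external DNS: 203.0.113.25
!
! --- ASA 8.2 and earlier (the "static" form used in this thread) ---
! Existing mapping towards "outside". The "dns" keyword makes the ASA
! rewrite the A record in DNS replies that pass through it, so inside
! hosts resolving the public name get 192.168.10.25 instead of 203.0.113.25.
static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 dns
!
! Same mapping towards "wireless". Wireless clients keep using the public
! IP (or the public name, with "dns" rewriting the reply) as the destination.
static (inside,wireless) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 dns
!
! --- ASA 8.3 and later (object NAT equivalent) ---
! A network object can carry only one "nat" line, so "any" as the mapped
! interface covers both "outside" and "wireless" in a single rule.
object network MAIL_SERVER
 host 192.168.10.25
 nat (inside,any) static 203.0.113.25 dns
```

NAT alone does not permit the traffic: assuming "wireless" has a lower security level than "inside", the access-list applied to "wireless" still has to allow the mail ports to the server, referencing the mapped address on 8.2 and the real address on 8.3 and later.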
11-05-2013 05:51 AM
You are a hero. I have been fucking around with this for the bigger part of this morning. I love you.
11-05-2013 05:55 AM
Hah
Glad you got it working
- Jouni
11-06-2013 02:27 AM
Hey Jouni,
If it's not too much of a hassle could you take a look at this for me?
I adapted your configuration to PAT instead of NAT, which works brilliantly for the services located on the internal server, but not so much for the webvpn running on the firewall itself.
I used this rule:
static (inside,wireless) tcp outside_ip 444 gw_inside 444 netmask 255.255.255.255
And the error I receive is:
Deny IP spoof from (192.168.x.x) to outside_ip on interface wireless
Your time and knowledge is much appreciated!
John
11-06-2013 02:31 AM
Hi,
What are you attempting to do with the WebVPN? I presume you mean Clientless (portal based) VPN?
- Jouni
11-06-2013 02:34 AM
Well both Clientless VPN and AnyConnect are accessible on that port, but I'm really only interested in accessing the AnyConnect service.
John
11-06-2013 02:37 AM
Hi,
So are you saying that you are running VPN on the "wireless" interface and the "wireless" users connect to that interface with VPN to gain access to your "inside" network server?
If so, then I would need to see the configurations.
- Jouni
11-06-2013 02:46 AM
Correct, what configurations do you need?
Static NAT (same as posted before):
static (inside,wireless) tcp outside_ip 444 gw_inside 444 netmask 255.255.255.255
Webvpn configuration:
webvpn
port 444
enable outside
enable wireless
dtls port 444
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
11-06-2013 02:53 AM
Hi,
I would like to see all the VPN related configurations for the AnyConnect the users behind "wireless" are using: Tunnel Groups, Group Policies, possible related ACLs, NAT configurations, etc.
- Jouni
11-06-2013 03:14 AM
Hi Jouni,
The VPN service itself works perfectly fine on the outside interface. If you still need them I'll send them by PM if that's okay with you.
John
11-06-2013 05:23 AM
Hi,
What is the Static PAT configuration between "wireless" and "wireless" for the port TCP/444? Is this the connection you are trying that is not working?
The other Static PAT configurations are between "inside" and "wireless" which was the original aim I guess?
If this was not the problem then can you post the output of "show route" and tell me the VPN Pool IP address range/network while you are connected from the "wireless" interface with VPN.
I am not sure though why your wireless users are connecting to the ASA with VPN or are you trying to limit connections to your internal network only to some specific users behind the "wireless" interface?
- Jouni
11-06-2013 06:48 AM
Yes, that's the one, and yes access to the internal network is restricted to only a few users on the wireless interface.
Basically I want the wireless network to function as a separate network with only internet access. It's usually only used by guests, but every now and then I or one of my colleagues needs to access the internal network over it. The static PATs between inside and wireless are those needed to access our SBS server as if we were connecting from the internet; those work fine. The wireless,wireless PAT is the one I hoped would allow a connection to outside_ip:444 to be picked up by the ASA itself. Basically I want the ASA to respond if I try to connect to outside_ip:444 from the wireless network.
Hope this clarifies my intentions enough.
11-06-2013 07:47 AM
Hi,
So if I understood correctly you are actually trying to connect to the actual ASA device with the help of this NAT?
If you are forming a connection to the actual ASA device, then you will always have to use the interface IP address of the interface behind which you are currently located. You won't be able to use NAT to do translation for your actual interface IP address.
So if hosts on "wireless" connect to the ASA with VPN or otherwise want to manage the ASA, for example, then you will have to use the "wireless" interface IP address for that purpose.
The Static NAT/PAT we did originally was for an actual host behind the "inside" interface of the ASA so that type of NAT is fine.
If you are trying to provide a NAT IP address for a local IP address that is actually an IP address configured on an ASA interface then that is not possible.
- Jouni
11-08-2013 05:57 AM
Hi Jouni,
Alright, too bad that's not possible. Thanks again for the clarification!
John