06-17-2010 12:51 AM - edited 03-11-2019 11:00 AM
Hi all!
I don't know if this is a basic issue / basic knowledge, but I'm kinda confused about it.
I have an ASA 5520 configured with an inside, an outside and a DMZ interface. I have several public IPs in use for webservers and stuff.
The case is: when I want to go from webserver1 to webserver2 on HTTP, I just get an error. The servers have unique public IPs. This goes for both the URL and the IP.
It is possible to reach the public IPs / URLs of both servers on HTTP from the outside. These are operating webservers hosting sites.
By the way, the ACL allows all this kind of traffic. I get no blocking in the firewall monitor.
When I try to reach the URL hosted on webserver1 from itself, I get this message in the firewall monitor:
Deny IP due to Land Attack from 213.x.x.10 to 213.x.x.10
Any ideas why I can't reach the servers themselves on the public IP / URL and why the servers can't reach each other?
06-17-2010 02:08 AM
You need to configure DNS doctoring; this will translate the external IP address to the internal IP address in DNS resolution. I presume when you try to browse from webserver1 to webserver2 you are using a URL?
DNS Doctoring is disabled by default.
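To make concrete what the DNS rewrite in this reply does, here is an added Python illustration (not ASA code and not from this thread): it walks the answer section of a DNS reply and swaps any A record that carries a mapped public address for the real DMZ address from a static NAT table. The addresses and the NAT table are constructed placeholders, not the poster's.

```python
import struct
# Constructed static NAT table (mapped public -> real DMZ address); an assumption, not the poster's config.
STATIC_NAT = {"203.0.113.10": "10.10.10.10", "203.0.113.20": "10.10.10.20"}

def _ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _a_record_offsets(pkt):
    """Yield the rdata offset of every A record in the answer section."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:
            yield off + 10
        off += 10 + rdlen

def answer_ips(pkt):
    """List the A-record addresses carried in a reply."""
    return [".".join(str(b) for b in pkt[o:o + 4]) for o in _a_record_offsets(pkt)]

def doctor_dns_reply(pkt, nat):
    """Rewrite A records carrying a mapped (public) address to the real address, as the ASA does with dns rewrite."""
    out = bytearray(pkt)
    for o in _a_record_offsets(pkt):
        mapped = ".".join(str(b) for b in pkt[o:o + 4])
        if mapped in nat:
            out[o:o + 4] = _ip_to_bytes(nat[mapped])
    return bytes(out)

def build_a_reply(name, ips, txid=0x1234):
    """Build a minimal DNS response: one question plus one A answer per address (constructed sample)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # standard response, 1 question
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_to_bytes(ip) for ip in ips)
    return hdr + question + answers
```

Only addresses present in the NAT table are touched; unrelated answers and the header pass through unchanged.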
06-17-2010 04:59 AM
Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:
"Ping request could not find host website.com. Please check the name and try again."
When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver.
It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.
Could it be that the webservers are on the same DMZ?
06-17-2010 05:09 AM
Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:
"Ping request could not find host website.com. Please check the name and try again." - which DNS server are you using?
When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - can you telnet to server 2 from server 1 using just the DMZ IP address?
It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.
Could it be that the webservers are on the same DMZ? - It would suggest that is the case.
06-17-2010 05:18 AM
Yes, I'm using a URL to browse. The URL will not be resolved to an IP when I'm pinging from webserver1 to 2:
"Ping request could not find host website.com. Please check the name and try again."
which DNS server are you using?
I'm using an internal server; it's on another DMZ, but it works fine, e.g. when querying google.com.
When I telnet to webserver1 from 2 on the public IP and tcp/80, it just times out. It seems we have 2 problems here: the missing DNS response, and the webservers can't reach themselves or the other webserver. - can you telnet to server 2 from server 1 using just the DMZ IP address?
Yes.
It is important to remember that from a client in another DMZ (public IP: 213.x.x.30) I have no problems reaching the webserver on 213.x.x.10.
Could it be that the webservers are on the same DMZ? - It would suggest that is the case.
Bravo, I thought so too. But why would it matter? It's this problem I need a solution for.
06-17-2010 05:23 AM
Check that your DNS server has an A Record for the servers you are working on.
If you can telnet using IP addresses, then your issue is DNS.
Check your static NAT or dynamic NAT configuration; ensure that you have the "DNS" keyword at the end of the config line for the webservers.
HTH
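As an added illustration of the check in this reply (not the poster's configuration): the static NAT line for a DMZ webserver without and with the dns keyword, in the pre-8.3 syntax that matches a 2010-era ASA and in the 8.3+ object NAT form. The interface name "dmz", the object name and the addresses are placeholders.

```cisco
! Pre-8.3 syntax: without "dns", DNS replies passing through the ASA still carry the public address
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255
! With "dns", the ASA rewrites A records that match the mapped address as the reply passes through
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 dns
!
! 8.3 and later: the same keyword on object NAT
object network webserver1
 host 10.10.10.10
 nat (dmz,outside) static 203.0.113.10 dns
```

The rewrite only happens to DNS replies that actually pass through the ASA, so a resolver sitting on the same segment as the client is never doctored.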
06-17-2010 05:31 AM
If you can telnet using IP addresses, then your issue is DNS.
I can't telnet on the public IP, only on the local one.
This leads me to say that DNS doctoring is not necessary at this level, because we're fault-seeking on the IP layer and not DNS.
See the link for a screenshot of a packet trace I did. I've used the 2 webservers' public IPs in this scenario:
http://www.postimage.org/image.php?v=aVGfKQJ
When I use the local IP as source and the public IP as destination, it works fine in the trace, but when I look deeper in the NAT segment, I see that it is the same public IP it goes out and comes in with. So suddenly the destination is not webserver2 but webserver1 itself.
06-17-2010 05:50 AM
I am confused - what issue do you want to fix?
06-17-2010 11:47 PM
I want to fix the problem the heading of this post describes. Back to basics:
I can't telnet on the public IP, only on the local one, from server1 to 2.
Both servers are, as said, NATed to a unique public IP.
Why can't I reach the server itself on the public IP?
06-18-2010 01:24 AM
It is not a good idea to try to access the webservers using their public address from the DMZ segment or from the INSIDE segment. We can do some hack and make this work, but this is not recommended. Please use only the private address when accessing the DMZ server from within the DMZ segment or from the INSIDE segment. Public addresses are only to be used from the OUTSIDE world.
-KS
06-18-2010 01:41 AM
Could you give a description of why it is not common to access the webserver on its public IP from the inside and from inside its own DMZ?
It's because server1 needs to access a lot of websites to manage a login system. The system works by URL, and all the URLs are defined in the login system. Server1 has as its primary DNS server an internal server which has all the URLs defined with their public addresses.
06-18-2010 02:45 AM
Being able to telnet to the servers is not important.
Read the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
06-18-2010 01:25 AM