DNS & NAT Issue using 8.6 unable to access web server
10-02-2013 01:15 AM - edited 03-11-2019 07:46 PM
Hi, I'm looking for help with a DNS & NAT issue. We have a customer who does their own DNS and also hosts their own web server for their website. It has a DMZ address which is NAT'd to a public address, which all works fine, but when users on the LAN try to access the web page they are given the same public IP address as is issued to their ISP. This means traffic from the LAN is trying to go out the outside interface and return back in the same interface, as the NAT rule tells them to. This does not work; to get round this they have used a NAT rule to NAT LAN users to the DMZ address. But now we want to add an interface for guest WiFi access that also needs to access the web page, and we can only NAT from either the inside (LAN) or the guest interface, not both at the same time. Other than setting up a new DNS service to issue the DMZ address, can we allow the ASA to go out with a public IP address and access the public IP address of the web server even if they are on the same public IP subnet? Although they have a DNS server, it issues the public IP address, as this record is also sent to the ISP, and they do not want to try split DNS just for a temporary guest network.
Many thanks.
Martin.
Labels: NGFW Firewalls
10-02-2013 03:10 AM
Hi Martin,
Your customer might have two zones configured on the DNS: internal and external. I assume that employees use the website name and not the IP address. The company website name needs to be defined/configured internally, pointing to the server's IP address. In general, if the name is not defined internally, the local DNS server will query external DNS servers. That is why users get the external IP address. I would start with this and see if that makes any difference. Is the issue happening when users use the IP address instead of the name?
Maciek
10-02-2013 03:13 AM
Hi,
The main problem here seems to be that the ASA doesn't see the DNS request and therefore doesn't have the chance to modify the DNS reply sent back to the requesting host. If the ASA saw the DNS request/reply, you could then use the "dns" parameter in whatever Static NAT command you have for the DMZ server, and the ASA would handle modifying the public IP to the actual local IP.
This doesn't seem to be possible in your case, however?
I guess the next option would then be to do the Static NAT that you currently do from DMZ to OUTSIDE also for DMZ to INSIDE and DMZ to WIFI.
There should be no problem doing this.
You can even go as far as creating a NAT rule between DMZ and DMZ, which would enable any other DMZ host/server to contact the DMZ server by its public IP address.
So if I were to presume that you currently have a Static NAT configured this way for the DMZ server:
object network SERVER
 host x.x.x.x
 nat (DMZ,OUTSIDE) static y.y.y.y
Then you could consider changing it to:
object network SERVER
 host x.x.x.x
 nat (DMZ,any) static y.y.y.y
Or simply adding other similar configurations without changing the original. Note that a network object can carry only one NAT statement, so each additional interface pair needs its own object for the same host (the object names below are examples):
object network SERVER_INSIDE
 host x.x.x.x
 nat (DMZ,INSIDE) static y.y.y.y
object network SERVER_WIFI
 host x.x.x.x
 nat (DMZ,WIFI) static y.y.y.y
Naturally, in these cases you would have to take into consideration that all the users behind the other interfaces would now have to use the public IP address to contact the server, whatever protocol and port they were using. To make this private-to-public Static NAT apply only to certain services, you would have to configure a Static PAT instead, which would look different.
One other option is naturally to do the change on the local DNS server and make it point towards the actual local IP address rather than the public IP address.
- Jouni
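As an added configuration example (not from the thread and not any poster's own config), the following ASA 8.3+ object NAT fragment shows the two approaches Jouni describes side by side: the "dns" keyword on the existing DMZ-to-OUTSIDE static NAT, and separate per-interface rules narrowed to the web port with static PAT, followed by the commands used to check which rule a LAN or guest client actually hits. Interface names INSIDE, DMZ, WIFI and OUTSIDE follow the thread; all addresses are constructed placeholders from the RFC 5737 documentation ranges.

```cisco
! Added example, not from the original thread. Addresses are constructed
! placeholders (RFC 5737); interface names follow the thread.
!
! Option A: DNS rewrite ("dns" keyword). Only helps when the DNS reply
! for the server name actually traverses the ASA, so verify it on the
! customer's release with packet-tracer/capture before relying on it.
object network SERVER
 host 192.0.2.10
 nat (DMZ,OUTSIDE) static 203.0.113.10 dns
!
! Option B: reach the server by its public IP from INSIDE and WIFI without
! hairpinning on OUTSIDE. A network object holds a single auto NAT rule,
! so each interface pair gets its own object for the same real host.
! Limiting these rules to TCP/80 (static PAT) means only the web service
! is translated for those segments; other ports are not exposed this way.
object network SERVER_INSIDE
 host 192.0.2.10
 nat (DMZ,INSIDE) static 203.0.113.10 service tcp 80 80
object network SERVER_WIFI
 host 192.0.2.10
 nat (DMZ,WIFI) static 203.0.113.10 service tcp 80 80
!
! Guest segment: permit only the web server, nothing else behind the ASA
! (constructed guest subnet 172.16.0.0/24).
access-list WIFI_IN extended permit tcp 172.16.0.0 255.255.255.0 host 192.0.2.10 eq 80
access-list WIFI_IN extended deny ip 172.16.0.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list WIFI_IN extended permit ip 172.16.0.0 255.255.255.0 any
access-group WIFI_IN in interface WIFI
!
! Verification: list the translation table and trace a client flow to the
! public IP; the trace should show the DMZ rule and egress on DMZ, not OUTSIDE.
show nat detail
packet-tracer input INSIDE tcp 10.1.1.50 40000 203.0.113.10 80
packet-tracer input WIFI tcp 172.16.0.50 40000 203.0.113.10 80
```

The access-list entries use the server's real DMZ address because interface ACLs on 8.3+ are evaluated against untranslated (real) addresses. If packet-tracer reports the flow leaving on OUTSIDE, the per-interface rule is missing or is shadowed by an earlier twice NAT rule in section 1 of the table shown by show nat detail.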
