07-16-2012 09:46 AM - edited 03-11-2019 04:31 PM
Hi,
I am facing a problem with my firewall; I don't know whether this is related to DNS or hairpinning etc.
An iPhone on my internal wireless network is not able to register with the Microsoft LYNC Server.
The iPhone needs to access a URL (lyncdiscover.abc.com) which resolves to a public IP (194.x.x.115) located on the inside, and then one more LYNC EDGE Server public IP address which is on my DMZ segment.
LYNC Discover: 194.x.x.115
Private : 192.168.0.115
LYNC EDGE: 194.x.x.224
Private: 172.16.11.224
Client IP: 192.168.51.45
Firewall configuration:
static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns
static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 194.x.x.66 netmask 255.255.255.255
global (serverdmz) 1 172.16.11.254
I can see the hits on my firewall inside:
99759 192.168.51.45.54923 > 194.x.x.115.443: S 2834413288:2834413288(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 750068408 0,sackOK,eol>
2: 18:38:32.441719 192.168.51.45.54923 > 194.x.x.115.443: S 2834413288:2834413288(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp
I think the firewall is not allowing the internal client IP address to access the servers on their public IP addresses.
External clients from the Internet are able to connect without any issue; only internal clients are not able to connect. The smartphone cannot connect to LYNC through the internal private IP addresses, so we have to configure it for the public IP addresses.
Please assist me with how to configure the firewall in order to allow internal clients to connect to the firewall's public IP addresses.
07-16-2012 11:41 AM
Hello,
So internal iPhone users need to be able to connect to 194.x.x.115, which belongs to an internal server.
global (inside) 1 interface
static (inside,inside) 194.x.x.115 192.168.0.115
same-security-traffic permit intra-interface
Regards,
Julio
CSC is a free support community, please rate all the helpful posts.
07-16-2012 12:02 PM
Hi,
Yes, internal phones should connect with the public IP address.
What should I do to get connectivity with the DMZ server on the public IP address?
Do I need to keep the below command as well?
static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns
Do I need to add more configuration for the public LYNC Server (194.x.x.224) as well?
Please assist.
07-16-2012 12:18 PM
Hello,
You need to keep that command so outside users can access that server.
CSC is a free support community, please rate all the helpful posts.
Julio
07-16-2012 06:15 PM
Hi
Please let me know what config is required in order to access the DMZ servers on their public IP address from the internal clients.
Sent from Cisco Technical Support iPhone App
07-16-2012 07:40 PM
Ok so now internal users can access the server using the Public IP address. That is good!
Now let's make the second one happen:
static (inside,dmz) 194.x.x.115 192.168.0.115
access-list dmz permit ip any any
access-group dmz in interface dmz
Regards,
Rate all the helpful posts
07-17-2012 05:32 AM
Hi,
I want to access the DMZ server's public IP address from the inside network.
DMZ Private IP address is 172.16.11.224
DMZ Public IP address is 194.x.x.224
Whenever a client from the internal LAN requests LYNCEDGE.ABC.COM (194.x.x.224), they should access the DMZ server on its public IP address.
Please assist
07-17-2012 08:49 AM
Hi Bro
What you need to enable is DNS Doctoring in your Cisco ASA Firewall. This will resolve your issue of accessing servers that are internal to your network via Public IP Address. I'm assuming everything else is good e.g. ACL, NAT etc.
Please kindly refer to this URL for further details. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml
P/S: If you think this comment was helpful, please do rate them nicely :-)
07-17-2012 09:15 AM
Hi,
Thanks for the reply. I will apply the below configuration.
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any range 50000 59999
access-list acl-serverdmz extended permit udp host 172.16.11.224 any range 50000 59999
access-list acl-serverdmz extended permit udp host 172.16.11.224 any eq 3478
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq https
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq 5061
access-list acl-serverdmz extended permit udp host 172.16.11.224 any eq domain
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq www
access-list acl-out extended permit tcp any host 194.x.x.224 range 50000 59999
access-list acl-out extended permit udp any host 194.x.x.224 range 50000 59999
access-list acl-out extended permit udp any host 194.x.x.224 eq 3478
access-list acl-out extended permit tcp any host 194.x.x.224 eq https
access-list acl-out extended permit tcp any host 194.x.x.224 eq 5061
access-list acl-in extended permit ip host 192.168.51.45 any
nat (inside) 6 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 1 172.16.11.0 255.255.255.0
global (outside) 1 194.x.x.66 netmask 255.255.255.255
global (inside) 1 interface
global (serverdmz) 1 172.16.11.254
global (serverdmz) 6 interface
I want my internal client 192.168.51.45 to be able to access the DMZ servers on their public IP addresses.
Let me know if I am missing something.
07-17-2012 09:30 AM
Hi Bro
I don't see any DNS Doctoring statements in there.
07-17-2012 11:00 PM
Hi,
Sorry, I missed the command.
static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255 dns
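As an added example (not code from the thread or from Cisco), the following Python emulates what the dns keyword on a static does to an A-record reply crossing the ASA: a reply entering on the static's mapped interface and leaving toward another interface has the public address rewritten to the private one, so the inside client is handed 172.16.11.224 for LYNCEDGE.ABC.COM instead of the public address. The two statics are modelled on the thread's; 194.0.2.x is a constructed stand-in for the redacted 194.x.x.x octets.

```python
import struct
from ipaddress import IPv4Address

# Constructed model of the thread's two statics; field order mirrors the ASA
# syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip ... [dns]
STATICS = [
    ("inside", "outside", "194.0.2.115", "192.168.0.115", True),
    ("serverdmz", "outside", "194.0.2.224", "172.16.11.224", True),
]

def _skip_name(msg, off):
    # Walk a wire-format name; a compression pointer (top bits 11) ends it in 2 bytes.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def build_a_reply(qname, ip):
    # Constructed one-answer DNS reply; the answer name is a pointer to the question.
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(ip).packed
    return header + question + answer

def doctor_reply(msg, in_ifc, out_ifc):
    # Emulates the 'dns' keyword: mapped (public) A addresses are rewritten to the
    # real (private) ones when the reply enters on the static's mapped interface and
    # leaves on any other interface. Returns (rewritten message, A addresses in it).
    out, addrs = bytearray(msg), []
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addr = str(IPv4Address(bytes(msg[off:off + 4])))
            for real_ifc, mapped_ifc, mapped_ip, real_ip, dns in STATICS:
                if dns and in_ifc == mapped_ifc and out_ifc != mapped_ifc and addr == mapped_ip:
                    addr = real_ip
            out[off:off + 4] = IPv4Address(addr).packed
            addrs.append(addr)
        off += rdlen
    return bytes(out), addrs
```

Without the dns keyword on the serverdmz static the inside client keeps the public address from the reply and must hairpin through the firewall, which is the symptom the thread started with.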
07-20-2012 01:24 PM
Hi Bro
Is everything OK now?
07-24-2012 09:12 AM
Hi
I will try tomorrow and let you know the status.
Sent from Cisco Technical Support iPhone App
07-26-2012 09:30 AM
It is working, thanks.
Sent from Cisco Technical Support iPhone App