Just seeing if someone can help me out with making sure I have the syntax correct and thought process down right on a solution to allowing guest wireless users access to an internal webserver. (DMZ discussion aside)
We have an ASA5510 with interfaces setup as:
outside - 65.x.x.x address
inside - 172.20.1.2
guest_inet - 10.2.1.1
Internally, clients resolve our website to 192.168.40.40 and that part works as it should. Clients outside of our network resolve our website to the correct external address (let's just call it 22.214.171.124). We have a NAT statement
static (inside,outside) 126.96.36.199 192.168.40.40 netmask 255.255.255.255 and an ACL to
permit tcp any host 188.8.131.52 eq www
Clients on our guest_inet use an external DNS server and hence resolve our website to 184.108.40.206. However, it seems traffic goes out and back in our outside interface and this connection never occurs.
What I'm wondering is the correct NAT statement / ACL to add that would allow our internal clients on the 10.2.1.x network to access our internal website. Would that be:
static (inside,guest_inet) 220.127.116.11 192.168.40.40 netmask 255.255.255.255 ? Since there is already an ACL permitting port 80 traffic to 18.104.22.168 we should be taken care of on the ACL side of things, right?
This is one of the newer experiences for me, so I'd appreciate any help you can share. Thank you!
static (inside,outside) 22.214.171.124 192.168.40.40 netmask 255.255.255.255 dns
The parameter "dns" should make it so that as long as your Guest network users do their DNS queries to a public DNS server, they should be able to access the Web server with the URL. With the help of the "dns" parameter the ASA will modify the DNS replies coming from the public DNS server before they get to the Guest client. This will point them to the private IP address of the server even though they normally connect using the DNS name/URL like any other user from the public network.
Do notice that if you change the Static NAT command to include the "dns" parameter, the ASA will tear down any existing connections to that server from the Internet. Though since you are configuring it again, it shouldn't really be a problem. EDIT: Just to make it clear. The ASA will tear down connections because you have to remove the existing Static NAT to configure it again with the "dns" parameter.
Also you will have to make sure that the Guest network has an ACL rule to reach the server with its actual IP address.
Now, since our guest_inet interface has a security-level of 10 vs the internal interface security-level of 100 (and the default action is to only permit access to less secure networks), would an access rule need to be put in place to allow port 80 traffic to the webserver?
If the "guest_inet" doesn't have any kind of ACL attached to the interface and it has a lower security-level than the destination, then you need to configure an ACL on the "guest_inet" interface.
Notice that as soon as you have attached an ACL to that interface, you will have to take into account all other traffic you want to allow through that interface (security-level won't control the traffic anymore since there's an ACL in place). If you only allow TCP/80 to the local Web server and don't allow anything else in the "guest_inet" ACL, all other traffic would get denied.
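Putting the two answers above together, here is what the complete pre-8.3 ASA configuration would look like, as an added example that is not from the thread or from either poster. The interface names, the 10.2.1.0/24 guest network and the server's real address 192.168.40.40 come from the thread; the public address 203.0.113.10 (a documentation-range placeholder for the thread's obfuscated address), the ACL name GUEST_IN, the assumption that guests also need DNS and outbound web browsing, and the 172.20.0.0/16 and 192.168.0.0/16 internal ranges are assumptions made for the example.

```cisco
! Added example, not the thread's configuration. 203.0.113.10 stands in for
! the real public address; GUEST_IN and the internal ranges are assumptions.
!
! 1. Static NAT for the web server with the "dns" keyword, so the ASA rewrites
!    the A-record in replies from the public DNS server to the server's real
!    address. The old static must be removed first, which drops the server's
!    current Internet connections (as noted above), so do this in a window.
no static (inside,outside) 203.0.113.10 192.168.40.40 netmask 255.255.255.255
static (inside,outside) 203.0.113.10 192.168.40.40 netmask 255.255.255.255 dns
!
! 2. ACL for guest_inet. guest_inet (security-level 10) is lower than inside
!    (100), so without an ACL the guests cannot reach the server's real
!    address. Once the ACL is bound, security levels no longer decide anything:
!    only what is listed here is allowed, so DNS and Internet access must be
!    permitted explicitly, and the deny lines keep guests off everything else
!    internal. Order matters; the ACL is evaluated top to bottom.
access-list GUEST_IN remark Guests may resolve names via external DNS servers
access-list GUEST_IN extended permit udp 10.2.1.0 255.255.255.0 any eq domain
access-list GUEST_IN remark The one internal service guests may reach, by real IP
access-list GUEST_IN extended permit tcp 10.2.1.0 255.255.255.0 host 192.168.40.40 eq www
access-list GUEST_IN remark Block the rest of the internal address space (assumed ranges)
access-list GUEST_IN extended deny ip 10.2.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list GUEST_IN extended deny ip 10.2.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list GUEST_IN remark Ordinary Internet browsing; everything else hits the implicit deny
access-list GUEST_IN extended permit tcp 10.2.1.0 255.255.255.0 any eq www
access-list GUEST_IN extended permit tcp 10.2.1.0 255.255.255.0 any eq https
access-group GUEST_IN in interface guest_inet
!
! 3. Checks. packet-tracer walks a simulated guest-to-server HTTP SYN through
!    the ACL, NAT and routing lookups and reports the phase that drops it, if
!    any; the other two show the active translation and the ACL hit counts.
packet-tracer input guest_inet tcp 10.2.1.50 12345 192.168.40.40 80
show xlate | include 192.168.40.40
show access-list GUEST_IN
```

The DNS rewrite only happens if DNS application inspection is active, which it is in the default global policy (inspect dns); check that it has not been removed with show service-policy before blaming the static. If a guest client still gets the public address back, run the packet-tracer with the public address as destination as well: a reply to that address means the rewrite did not take place and the traffic is taking the out-and-back path described in the question.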