01-16-2023 03:47 PM
Good day all,
I'm a newbie with Cisco ASA, and I have an issue after setting up a guest Wi-Fi for my organization.
Here is the topology:
Internal users are on 10.20.20.0/24, guest users are on 192.168.1.0/24, and the DMZ is 10.30.30.0/24.
Internal users use the internal DNS and guest users use Google (8.8.8.8).
There is a NAT (dynamic PAT) on the WAN interface of the ASA in place allowing internal users as well as the guest users to surf the internet.
We have an internal web server in the DMZ: 10.30.30.57.
Internal users go directly to www.thewebserver.ca, which resolves to the internal IP, and everything is good. My issue starts when guest users try to go to the same internal web server: it resolves to the public IP and it does not display the page.
I read about DNS doctoring but, as I said, I'm not a pro with ASA. Can someone help me with that, please?
I would appreciate it.
Thank you
Access lists are in place as well.
01-16-2023 03:51 PM
Forgot to mention: I'm running version 9.16(4).
01-16-2023 03:54 PM
Four interfaces on the ASA: inside, outside, dmz, guest
Web server public IP: 200.200.200.3 and private IP: 10.30.30.57
01-17-2023 12:13 AM
@JakeYllus configure a NAT reflection rule, here is an example.
01-17-2023 12:49 AM
DNS doctoring is quite easy. Just add the "DNS" option to the NAT rule for the web server. The only restriction is that this web-server NAT rule has to be a static 1:1 NAT rule and not "only" a port forwarding.
01-17-2023 09:08 PM
Hello @Karsten Iwen !
Thanks for your help, just so I understand:
I have to add the DNS option to the NAT rule that allows the web server to be accessible from the outside?
As I said, the server is on the DMZ, so I should look for a rule (DMZ,OUTSIDE)?
Thanks in advance for your response.
01-17-2023 11:14 PM
Exactly. An example:
Another restriction: The client has to use pure DNS, no DNScrypt, DoT, DoH or something.
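The same DNS-doctoring configuration written out as ASA CLI, as an added example that is not from the original post (the poster's own example was an image that is not on the page). It uses the addresses and interface names the original poster gave; the object and ACL names (WEBSERVER-DMZ, GUEST-NET, GUEST_IN) are assumptions.

```cisco
! Added example, not from the thread. Object/ACL names are assumptions;
! addresses and interface names are the ones given by the original poster.
object network WEBSERVER-DMZ
 host 10.30.30.57
 description Internal web server, real (DMZ) address
object network GUEST-NET
 subnet 192.168.1.0 255.255.255.0

! Static 1:1 NAT that publishes the web server on the outside. The trailing
! "dns" keyword is the doctoring: A records for 200.200.200.3 in DNS replies
! that pass through the ASA are rewritten to 10.30.30.57, so guests resolving
! via 8.8.8.8 on the outside receive the DMZ address. The keyword is only
! accepted on a full static 1:1 rule, not on a port-forwarding (service) rule.
object network WEBSERVER-DMZ
 nat (dmz,outside) static 200.200.200.3 dns

! Guests now connect to 10.30.30.57, so the access rule on the guest
! interface must permit it. Since ASA 8.3, access rules match the real
! (untranslated) address. If an ACL is already bound to "guest", add the
! permits to that one and keep them above any deny-to-private-ranges line.
access-list GUEST_IN extended permit tcp object GUEST-NET object WEBSERVER-DMZ eq www
access-list GUEST_IN extended permit tcp object GUEST-NET object WEBSERVER-DMZ eq https
access-group GUEST_IN in interface guest

! The rewrite only happens if DNS inspection runs on the DNS reply's path
! (it is part of the default global policy); confirm it is still there.
show service-policy inspect dns
! Confirm the rule carries "dns" and that the data path from a guest works.
show nat detail
packet-tracer input guest tcp 192.168.1.50 40000 10.30.30.57 80
```

In ASDM the same thing is the "Translate DNS replies that match this rule" checkbox on that NAT rule. If `packet-tracer` passes but a guest still gets 200.200.200.3 from its resolver, check that the client is sending plain UDP/53 DNS through the ASA rather than DoH or DoT, which the inspection engine cannot rewrite.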
01-18-2023 01:14 AM
You should be looking for a NAT rule between the web server's public and private IPs and add the DNS keyword to that one.
If you are having trouble identifying which rule it is, you can either post the NAT output here or create a "twice NAT" rule between the guest network and the web server, where you NAT the web server's public IP to its private IP and keep the guest network IP as the original.
01-18-2023 08:49 PM
Thanks again @Marius Gunnerud
I tried to configure it, but it gives me an error each time; maybe I'm doing it wrong.
How will it look in the GUI?
Thank you
01-19-2023 01:43 AM
If you are looking to configure twice NAT it would look something like the following
Original Packet
source interface: Guest
Source address: 192.168.1.0/24
destination interface: dmz
destination address: 200.200.200.3
Translated Packet
Source NAT Type: Static
Source Address: 192.168.1.0/24
Destination address: 10.30.30.57
In addition to this you need to configure an access rule for Guest network to access 10.30.30.57
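The twice NAT rule above in CLI form, as an added example that is not from the original post. It uses the poster's addresses and interface names; the object and ACL names (GUEST-NET, WEBSERVER-PUBLIC, WEBSERVER-DMZ, GUEST_IN) are assumptions, and the rule is the manual-NAT equivalent of the ASDM fields listed in the answer.

```cisco
! Added example, not from the thread. Object/ACL names are assumptions;
! addresses and interface names are the ones given by the original poster.
object network GUEST-NET
 subnet 192.168.1.0 255.255.255.0
object network WEBSERVER-PUBLIC
 host 200.200.200.3
object network WEBSERVER-DMZ
 host 10.30.30.57

! Twice NAT (manual NAT): the guest source is kept as-is (identity), and the
! public destination 200.200.200.3 is translated to the real DMZ address.
! Manual NAT lives in section 1 and is evaluated before the object NAT rule
! that publishes the server on the outside, so a guest packet for the public
! IP is steered to the dmz interface instead of being routed out and PATed.
nat (guest,dmz) source static GUEST-NET GUEST-NET destination static WEBSERVER-PUBLIC WEBSERVER-DMZ

! Access rules match the real address (10.30.30.57), not the public one.
! If an ACL is already bound to "guest", add the permits to that one.
access-list GUEST_IN extended permit tcp object GUEST-NET object WEBSERVER-DMZ eq www
access-list GUEST_IN extended permit tcp object GUEST-NET object WEBSERVER-DMZ eq https
access-group GUEST_IN in interface guest

! Trace a guest packet sent to the PUBLIC address: the NAT/UN-NAT phase should
! show the destination becoming 10.30.30.57 and the egress interface "dmz".
packet-tracer input guest tcp 192.168.1.50 40000 200.200.200.3 80 detailed
```

Unlike DNS doctoring, this approach leaves the DNS answer alone (guests keep resolving the public IP), so it also works for clients that use DoH or DoT; the trade-off is one extra manual NAT rule per published server.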
01-22-2023 04:37 PM
Hello @Marius Gunnerud
That worked beautifully.
Thanks for your help.
01-17-2023 01:20 AM
As has been mentioned by others here, you need to configure DNS doctoring / rewrite, either by adding the DNS keyword at the end of the NAT statement for the relevant server or, in ASDM, by selecting "Translate DNS replies that match this rule" under the relevant NAT rule.
Since this rewrites the DNS reply from the public IP to the private IP, you will also need to create an access rule for the guest users that allows access to the private IP of the web server; otherwise they will still not get access.