Solved: Re: Guest User can't access internal webserver on DMZ

JakeYllus · ‎01-16-2023

Good Day All,

I'm a newbie with Cisco ASA , i have an issue after setting up a guest wifi for my organization.

Here the Topo
Internal user are on : 10.20.20.0/24 and Guest users are on : 192.168.1.0/24 , DMZ is : 10.30.30.0/24

Internal users use internal DNS and Guest users use google( 8.8.8.8) .

There is a nat ( dynamic PAT ) on the WAN interface of the ASA in place allowing internal users to surf the internet as well as the Guest users.

We have an internal webserver in the DMZ : 10.30.30.57

Internal users go directly to the www.thewebserver.ca got resolve to the internal IP and everything is good , my issue start when Guest users are trying to go to the same internal webserver ,then got resolve to the public IP and it does not display the page.

I read about DNS doctoring but as i said i'm not a pro with ASA , can someone help me with that plz.
I would appreciate .

Thank you

Access list are in place as well.

Marius Gunnerud · ‎01-19-2023

If you are looking to configure twice NAT it would look something like the following

Original Packet
source interface: Guest
Source address: 192.168.1.0/24

destination interface: dmz
destination address: 200.200.200.3

Translated Packet
Source NAT Type: Static
Source Address: 192.168.1.0/24

Destination address: 10.30.30.57

In addition to this you need to configure an access rule for Guest network to access 10.30.30.57

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

JakeYllus · ‎01-16-2023

Forget to mention . I'm running version 9.16(4)

JakeYllus · ‎01-16-2023

Four interface on the ASA : inside, outside, dmz, guest

Webserver public IP : 200.200.200.3 and private ip : 10.30.30.57

Rob Ingram · ‎01-17-2023

@JakeYllus configure a NAT reflection rule, here is an example.

Karsten Iwen · ‎01-17-2023

DNS doctoring is quite easy. Just add the "DNS" option to the NAT rule for the Web-server. The only restriction is that this Webserver-NAT rule has to be a static 1:1 NAT rule and not "only" a port forwarding.

JakeYllus · ‎01-17-2023

Hello @Karsten Iwen !
Thanks for your help , just for me to understand .
I have to add the DNS option to the NAT rule that allow the webserver to be accessible from the outside ?

As i said the server is on DMZ so i should look for a rule ( DMZ,OUTSIDE ) ??
Thanks in advance for you response.

Karsten Iwen · ‎01-17-2023

Exactly. An Example:

Real IP of DMZ-Server: 172.16.1.80
public IP of DMZ-Server: 192.0.2.80, this is the DNS entry for www.company.com
a NAT entry (DMZ,outside) to translate these two IPs with the DNS option

A client on the inside (any internal network including guest) asks Google DNS for the IP of www.company.com
Google returns the IP 192.0.2.80
The ASA/FTD compares this DNS answer to the NAT entries and finds a translation for the public IP and the DNS option
The ASA/FTD changes the DNS answer from 192.0.2.80 to 172.16.1.80
the client learns that the server has 172.16.1.80 and does the web request.

Another restriction: The client has to use pure DNS, no DNScrypt, DoT, DoH or something.

Marius Gunnerud · ‎01-18-2023

You should be looking for a NAT rule for Webserver public and webserver private IPs and add the DNS keyword to this one.

If you are having trouble identifying which rule it is, you can either post the NAT output here or you can create a "twice NAT" rule between the guest network and the webserver where you NAT the webserver public IP to its private IP and the maintain the guest network IP as original.

--
Please remember to select a correct answer and rate helpful posts

JakeYllus · ‎01-18-2023

Thanks again @Marius Gunnerud
I tried to configure it but give me an error each time, maybe i'm doing it wrong.

How will it look on GUI ?

Thank you

I

Marius Gunnerud · ‎01-19-2023

If you are looking to configure twice NAT it would look something like the following

Original Packet
source interface: Guest
Source address: 192.168.1.0/24

destination interface: dmz
destination address: 200.200.200.3

Translated Packet
Source NAT Type: Static
Source Address: 192.168.1.0/24

Destination address: 10.30.30.57

In addition to this you need to configure an access rule for Guest network to access 10.30.30.57

--
Please remember to select a correct answer and rate helpful posts

JakeYllus · ‎01-22-2023

Hello @Marius Gunnerud

That worked beautifully
Thanks for your help .

Marius Gunnerud · ‎01-17-2023

As it has been mentioned by others here, you need to configure DNS doctoring / re-write either by adding the DNS keyword at the end of the NAT statement for the relevant server or via ASDM selecting "Translate DNS replies that match this rule" under the relevant NAT rule.

Since this re-writes the DNS reply from the public IP to the private IP, you will also need to create an access rule for the guest users that allows access to the private IP of the webserver otherwise they will still not get access.

--
Please remember to select a correct answer and rate helpful posts