08-26-2015 02:06 PM - edited 03-11-2019 11:30 PM
Hi guys. I have a diagram like this, and guest users must be able to reach some of the internal servers like email, etc.
1. Question is: must the guest users get to the email server (which is in the internal network) only through the Outside interface?
Right now I have opened specific ports and IPs for access, but some security penetration test examiners don't like it and asked to allow guest access only through Outside... which I can't do because guest users have an internal DNS IP, and if I change the DNS IP to an external one they go out through the same Outside interface and can't come back to the internal network even when I have outside-to-inside NAT rules. Why, I don't know...
2. Why can't a user from guest wireless (with an external DNS IP configured) go through the Outside interface back to the internal network? How can I fix it?
08-26-2015 03:42 PM
Will ASA DNS doctoring work?
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
I have to admit I am a little confused on #1 with your pen testers... Do they think it is OK for folks on the outside to access the application but folks on the guest wifi are not OK?
08-26-2015 03:52 PM
I have to admit I am a little confused on #1 with your pen testers... Do they think it is OK for folks on the outside to access the application but folks on the guest wifi are not OK?
I totally agree.
As long as the guest interface is at a lower security level than the inside interface, I can't understand what they are talking about.
Unless they just want to class the guest access as external access and want to consolidate all access on the outside interface.
But then to do that you will need to add extra configuration that isn't necessarily intuitive to read, and the simpler you can keep the configuration the better, I would have thought.
Jon
08-26-2015 04:13 PM
Nice to know I'm not alone with things like that :)
Let me know if DNS doctoring works.
08-28-2015 10:47 AM
Sorry my friends, I noticed today that with destination NAT I still go from the Guest wireless interface to Inside (where my servers are) directly, and the guest IP is translated to an Inside IP, which doesn't resolve the security penetration test request.
For the DNS doctoring option: if I do ping/nslookup of my webmail address it replies with its own internal IP, which is not good. Is it possible to fix it?
08-27-2015 07:50 AM
Thank you guys, I've applied destination NAT and it works; now my guest has an external DNS IP and is able to access through the public IPs of our servers.
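To make the two approaches the replies discuss concrete, here is a constructed ASA 8.3+ style configuration. It is an added illustration, not taken from the thread or from any poster's firewall: the object names, interface names (inside, outside, guest) and addresses (RFC 5737 / RFC 1918 ranges) are all assumed placeholders. It shows object NAT with the dns keyword (DNS doctoring, including the inside/guest pair that the 08-28 post says hands guests the internal address), the twice NAT "destination NAT" the 08-27 post applied, and a guest-interface ACL that restricts the guest segment to the published service whichever option is chosen.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; all addresses are
! RFC 5737 / RFC 1918 placeholders and all object and interface names are assumed.
!
! Real (inside) and mapped (public) addresses of the webmail server.
object network WEBMAIL-INSIDE
 host 10.10.10.25
object network WEBMAIL-PUBLIC
 host 203.0.113.25
!
! --- Option A: DNS doctoring (use A or B, not both) -------------------------
! Static NAT toward the outside; "dns" makes the ASA rewrite the A record in
! DNS replies that cross this interface pair. Requires "inspect dns" in the
! service policy, which the default global policy already has.
object network WEBMAIL-INSIDE
 nat (inside,outside) static WEBMAIL-PUBLIC dns
!
! A second object with the same real host carries the inside/guest pair, so a
! guest that queries the external DNS server and gets 203.0.113.25 back is
! handed 10.10.10.25 instead. That is the behaviour the 08-28 post describes:
! from the guest segment the server is then reached on its internal address.
object network WEBMAIL-INSIDE-GUEST
 host 10.10.10.25
 nat (inside,guest) static WEBMAIL-PUBLIC dns
!
! --- Option B: destination (twice) NAT on the guest interface ---------------
! Guests keep the public address from external DNS. The ASA rewrites the
! destination 203.0.113.25 -> 10.10.10.25 and hides the guest source behind the
! inside interface address. Note the traffic is still translated guest -> inside
! on the ASA; it is not sent out of the Outside interface and back in, which is
! what the 08-28 post observed.
nat (guest,inside) source dynamic any interface destination static WEBMAIL-PUBLIC WEBMAIL-INSIDE
!
! --- Restrict the guest segment regardless of which option is used ----------
! Access rules on 8.3+ are evaluated against real (untranslated) addresses, so
! the permit names the inside object even though guests connect to the public
! address. Everything else on the internal ranges is denied; Internet access
! (including the external DNS server) is allowed by the final permit.
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list GUEST-IN extended permit tcp any object WEBMAIL-INSIDE eq https
access-list GUEST-IN extended deny ip any object-group INTERNAL-NETS
access-list GUEST-IN extended permit ip any any
access-group GUEST-IN in interface guest
```

The point for the penetration-test finding is that neither option changes where the guest traffic is translated: in both cases the ASA moves it from the guest interface to the inside interface itself. What limits the guest segment is the explicit access rule, so that is the part to keep tight and to show the testers, together with the security levels on the interfaces.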