Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1116
Views
0
Helpful
5
Replies

Guest wireless access trough firewall

Go to solution
Bekzod Fakhriddinov
Level 4
Level 4

‎08-26-2015 02:06 PM - edited ‎03-11-2019 11:30 PM

Hi guys. I have like this diagram and guest users must be able to go to some of the internal servers like email, etc .


 

1 questions is - Must  the guest users get it to email server (which is in internal network) only through Outside interface ?

right now I have opened specific ports and ip for access , but some security penetration test examiners don't like it and asked to allow guest access  only trough outside... which I can't do cause guest users has internal DNS ip and if I change dns ip to external they go out  trough the same Outside int and can't come back to internal network even when I have outside to inside nat rules. why i don't know...

2. why  user from guest wirelss (with external dns ip configured) can't go trough Outside int back to Internal network ? How can I fix it ? 

 

 

sorry my friends , I noticed today for destination NAT i still go from Guest wireless interface to Inside(where are  my servers ) directly and guest ip translated to Inside ip--which doesn't re-solve security penetration test request  .

For DNS doctor option - if I do ping/nslookup of my webmail address its replying with it's own internal ip which is not good .  Is it possible to fix it ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Josh Sprang
Level 1
Level 1

‎08-26-2015 03:42 PM

Will ASA dns doctoring work?

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

 

I have to admit I am little confused in #1 with your pen testers...  Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?   

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Josh Sprang

‎08-26-2015 03:52 PM

I have to admit I am little confused in #1 with your pen testers...  Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?

I totally agree.

As long as the guest interface is a lower security level than the inside interface I can't understand what they are talking about.

Unless they just want to class the guest access as external access and want to consolidate all access on the outside interface.

But then to do that you will need to add extra configuration that isn't necessarily intuitive to read and the simpler you can keep the configuration the better I would have thought.

Jon

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Josh Sprang
Level 1
Level 1

‎08-26-2015 03:42 PM

Will ASA dns doctoring work?

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

 

I have to admit I am little confused in #1 with your pen testers...  Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?   

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Josh Sprang

‎08-26-2015 03:52 PM

I have to admit I am little confused in #1 with your pen testers...  Do they think it is ok for folks on the outside to access the application but folks in wifi guest are not ok?

I totally agree.

As long as the guest interface is a lower security level than the inside interface I can't understand what they are talking about.

Unless they just want to class the guest access as external access and want to consolidate all access on the outside interface.

But then to do that you will need to add extra configuration that isn't necessarily intuitive to read and the simpler you can keep the configuration the better I would have thought.

Jon

 

0 Helpful

Go to solution
Josh Sprang
Level 1
Level 1
In response to Jon Marshall

‎08-26-2015 04:13 PM

Nice to know I'm not alone with things like that :)

let me know if DNS doctoring works

0 Helpful

Go to solution
Bekzod Fakhriddinov
Level 4
Level 4
In response to Josh Sprang

‎08-28-2015 10:47 AM

sorry my friends , I noticed today for destination NAT i still go from Guest wireless interface to Inside(where are  my servers ) directly and guest ip translated to Inside ip--which doesn't re-solve security penetration test request  .

For DNS doctor option - if I do ping/nslookup of my webmail address its replying with it's own internal ip which is not good .  Is it possible to fix it ?

0 Helpful

Go to solution
Bekzod Fakhriddinov
Level 4
Level 4

‎08-27-2015 07:50 AM

thank u guys, i 've applied destination nat and it works , now my guest has external dns ip and able to access trough public ip of our servers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card