How to allow access from LAN to server on LAN using external FQDN? (Outlook web access issue)

cadek1fraen
Level 1

I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com, and I want my users INSIDE the company to be able to also get to https://mail.company.com. Currently they cannot (nothing loads; it looks to me as if the firewall simply drops it), and I'm drawing a blank on how to get this done. Externally this works fine, so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to the internal IP, but something is blocking this from the inside.

I have an ASA 5510.

If you can just send me on the right path with theory, I'll figure it out on my own; I don't need exact steps, but I must be thinking of this wrong, as I'm not getting anywhere.

10 Replies

luisroja
Level 1

Hello Martin,

Maybe what is happening is that the DNS entry is pointing to the public IP address of the server, so the internal users are sending the traffic to the public IP address of the server, and the ASA will drop the packet since the hosts are trying to contact the server from the inside when there is actually a NAT rule that translates the internal server on the outside to a public IP. The traffic will try to reach that server going to the outside interface, but the ASA will notice that the connection was initiated on the inside interface, so it will refuse the connection.

There is a solution for this issue. You can create a static NAT rule that translates the internal host to the public IP address; in this case, instead of -inside,outside-, the rule is going to be -inside,inside-.

For example:

Let's say that there is a static NAT that matches the following statement for the inbound traffic coming in on the outside:

static (inside,outside) {public IP} {private IP}

There should be one that says the same but with inside,inside:

static (inside,inside) {public IP} {private IP}

Please configure that rule and let me know the results.

Thanks.

--Armando Rojas

I have added an inside,inside rule as you specified, but same result; I am still unable to get to mail.company.com from inside.

After that, I have also added an access rule (just in case) to allow any source on the inside interface to public_IP for "https" (I didn't think this was necessary but figured it can't hurt); this also did not help.

Can you please add the following commands on the ASA?

global (inside) 1 interface    -----> in case that there is a nat (inside) 1 X X

same-security-traffic permit intra-interface

Let me know if that works.

Thanks.

Please notice that we also have the DNS doctoring feature on the ASA to accomplish this.

Find the solutions for the issue in the following document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Let me know if that helps.

Thanks.

Great article, wish I had found it through Google. Currently I have this:

NAT:

global (EXTERNAL) 101 interface

nat (PROTECTED) 0 access-list PROTECTED_nat0_outbound

nat (PROTECTED) 101 0.0.0.0 0.0.0.0

---many other static commands----

static (PROTECTED,EXTERNAL) public_IP private_IP netmask 255.255.255.255 dns

static (PROTECTED,PROTECTED) public_IP private_IP netmask 255.255.255.255

I am also inspecting DNS:

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

Access rule applied to the outside interface (which I know works from outside); there are 2 different servers, so that's why it uses an object-group there.

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https

If you are planning hairpinning and static NAT, you are missing the global (PROTECTED) 101 interface and the same-security-traffic permit intra-interface commands.

If you want to use the DNS Doctoring, you are missing the following MPF commands:

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

Let me know if you experience issues with one of these options.

Thanks.

The only global command I have is this: global (outside) 101 interface

Should I still do this?

In this case, you should use:

global (inside) 101 interface

And permit the same-security-traffic:

same-security-traffic permit intra-interface

Let me know if that helps.

Where do the users get the DNS for the company.com domain?

If it's a DNS server on the outside, the ASA can tweak the DNS responses for IPs it is NATing. This feature is called "DNS rewrite" and it's a check box in ASDM that you can turn on per NAT entry.

Or you can add a zone to the internal MS DNS server that points mail.company.com (and any others you need) at the proper internal IP. (Microsoft calls this "split DNS".) Basically you end up managing DNS for external stuff twice.

Sent from Cisco Technical Support iPad App
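The DNS doctoring / DNS rewrite behaviour discussed in the replies above (the dns keyword on the static and inspect dns in the global policy) modelled in Python, as an added example that is not from this thread and not Cisco's code: it parses a DNS response and, for any A record that carries the public address of a static NAT entry, substitutes the private address before the answer reaches the inside client. The hostname, the NAT table and the addresses are constructed sample values, not from the thread.

```python
"""DNS rewrite ("DNS doctoring") as the ASA applies it, modelled in Python.

Added example: an inside client that resolves mail.company.com through the
firewall gets the A record rewritten to the private address, so it connects
to the server directly on the LAN and never needs to hairpin through the ASA.
"""
import ipaddress
import struct

# Constructed static NAT table (assumption): public -> private, the mapping a
# "static (inside,outside) public private ... dns" line would hold.
STATIC_NAT = {"203.0.113.10": "10.0.0.25"}  # RFC 5737 / RFC 1918 sample addresses


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(name, ips, txid=0x1234):
    """Build a minimal DNS response with one A record per IP (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past the name at off, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a two-byte pointer ends the name
            return off + 2
        off += 1 + length


def iter_answers(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answered_ips(msg):
    """List the A-record addresses in a response, in order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, rtype, rclass, rdlen in iter_answers(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_a_records(msg, nat_table):
    """Rewrite A records whose address is a NAT public IP to the private IP.

    Returns (new_message, [(public, private), ...]). The message length never
    changes, because one IPv4 address is replaced by another IPv4 address.
    """
    msg = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in iter_answers(msg):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        public = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        private = nat_table.get(public)
        if private is not None:
            msg[off:off + 4] = ipaddress.IPv4Address(private).packed
            rewrites.append((public, private))
    return bytes(msg), rewrites


if __name__ == "__main__":
    reply = build_response("mail.company.com", ["203.0.113.10"])
    fixed, changes = rewrite_a_records(reply, STATIC_NAT)
    print("answer as seen outside:", answered_ips(reply))
    print("answer delivered inside:", answered_ips(fixed), "rewrites:", changes)
```

The rewrite only happens to responses that actually cross the firewall, which is the point made above about where the users get their DNS: if inside hosts resolve against an internal server, the answer never passes the ASA and nothing is rewritten, and the remaining options are a split-DNS zone on that server or the inside,inside hairpin NAT.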

Should I try the DNS rewrite on my inside,outside NAT rule or the inside,inside one, as Armando mentioned?

And thank you for the split DNS idea; I will look into this, as I am not too familiar with it.
