How to allow access from LAN to server on LAN using external FQDN? (Outlook web access issue)

cadek1fraen
Beginner

I may have phrased the topic not too clearly, but I have an external domain name of mail.company.com, and I want my users INSIDE the company to also be able to get to https://mail.company.com. Currently they cannot (nothing loads; it looks to me as if the firewall simply drops it), and I'm drawing a blank on how to get this done. Externally this works fine, so if you're outside the company you can load up OWA just fine since my NAT rule translates the external IP to the internal IP, but something is blocking this from the inside.

I have an ASA 5510.

If you can just send me down the right path with the theory I'll figure it out on my own; I don't need exact steps, but I must be thinking of this wrong as I'm not getting anywhere.

10 Replies

luisroja
Beginner

Hello Martin,

Maybe what is happening is that the DNS entry is pointing to the public IP address of the server, so it could be that the internal users are forwarding the traffic to the public IP address of the server and the ASA drops the packet, since the hosts are going to try to contact the server from the inside when actually there is a NAT rule that translates the internal server on the outside with a public IP. The traffic will try to reach that server going to the outside interface, but the ASA will notice that the connection was initiated on the inside interface, so it will refuse the connection.

There is a solution for this issue. You can create a static NAT rule that translates the internal host to the public IP address; in this case, instead of (inside,outside), the rule is going to be (inside,inside).

For example:

Let's say that there is a static NAT that matches the following statement for the inbound traffic coming in on the outside:

static (inside,outside) {public IP} {private IP}

There should be one that says the same but with inside,inside:

static (inside,inside) {public IP} {private IP}

Please configure that rule and let me know the results.

Thanks.

--Armando Rojas
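The (inside,inside) static on its own is only one part of an ASA hairpin ("NAT on a stick") setup. The configuration below is an added example, not from this thread or from Cisco, written in the pre-8.3 static/nat/global syntax that the reply above uses; every address in it is constructed (public 203.0.113.10, OWA server 10.1.1.25, clients in 10.1.1.0/24) and the interface names inside/outside are assumed. It shows the two pieces that are easy to miss when only the static is added: permitting traffic to enter and leave the same interface, and translating the client's source so the server's reply comes back through the ASA instead of going straight to a client on the same subnet, plus the packet-tracer check used to confirm the translation is actually hit.

```cisco
! Added example (not from the thread): hairpin NAT so inside clients can reach OWA
! at its public address. Pre-8.3 syntax, matching the static form used above.
! Constructed addresses: public 203.0.113.10, server 10.1.1.25, clients 10.1.1.0/24.

! 1. Traffic that enters and leaves the same interface is dropped by default.
!    This is a prerequisite for any (inside,inside) translation to work at all.
same-security-traffic permit intra-interface

! 2. Existing inbound translation for outside clients (unchanged).
static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255

! 3. Hairpin translation: an inside client sending to 203.0.113.10 has the
!    destination rewritten to 10.1.1.25 and the packet is sent back out inside.
static (inside,inside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255

! 4. Server and clients share a subnet, so without this the server would answer
!    the client directly from 10.1.1.25; the client then sees a SYN-ACK from an
!    address it never contacted and the TCP handshake fails. Translating the
!    client's source to the ASA's inside interface address forces the reply back
!    through the firewall, where the (inside,inside) xlate undoes both rewrites.
!    If "nat (inside) 1 0.0.0.0 0.0.0.0" already exists for outbound PAT, only
!    the "global (inside) 1 interface" line needs adding.
global (inside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! 5. Verify from the ASA: simulate an inside client connecting to the public IP
!    on 443. Every phase (including NAT and ACCESS-LIST) should show ALLOW and
!    the output interface should be "inside"; then confirm the xlate exists.
packet-tracer input inside tcp 10.1.1.50 40000 203.0.113.10 443
show xlate

! Alternative that avoids hairpinning entirely (DNS doctoring): add "dns" to the
! existing (inside,outside) static so the ASA rewrites the A record for
! 203.0.113.10 to 10.1.1.25 in DNS replies that cross from outside to inside.
! Requires DNS inspection (enabled in the default policy) and a resolver that
! sits on the outside so the reply actually passes through the ASA.
! static (inside,outside) 203.0.113.10 10.1.1.25 netmask 255.255.255.255 dns
```

Which of the two approaches is preferable depends on where the clients' resolver lives: if the internal DNS server can simply hand out 10.1.1.25 for mail.company.com (a split-DNS zone), no firewall change is needed at all, and the ASA never sees the session. Hairpinning is the option when DNS cannot be changed. On ASA 8.3 and later the same three pieces exist but are expressed with object NAT rather than static/global/nat, so the commands above are not a drop-in for those releases.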

I have added an inside,inside rule as you specified, but same result; I still am unable to get to mail.company.com from inside.

After that, I also added an access rule (just in case) to allow any source on the inside interface to public_IP for "https" (I didn't think this was necessary but figured it couldn't hurt); this also did not help.