Internal Web server not reachable for internal users

Idris Kanchwala
Level 1

Dear Experts,

I have currently deployed an ASA in my lab. I have set up a web server in the inside zone that is reached by IP address, with no DNS: I just put the IP in and it works directly, with no need for name resolution. I have enabled port forwarding on the ASA using the outside interface IP address.

The problem is that outside users can access my web server, but internal users can't unless they put the private IP of the server in the browser. I have also enabled DNS doctoring, but that is of no use. Please help, thanks a lot in advance.

7 Replies

malshbou
Level 1

Hi Idris,

This is expected.

As the local clients are located at the same subnet of the server, they are supposed to access the server using its private IP, they even do not go through the ASA to reach the server.

The port-forwarding NAT done at the ASA affects users coming from the global interface "outside" of the NAT.

You can unify the way the users access your server by using a DNS server, and then access the server using its domain name.

Hope this helps

------------------
Mashal Alshboul


Andrew Phirsov
Level 7

Technically you can allow access to your web server's public IP from the inside subnet, using a kind of NAT hairpinning, i.e.:

nat (inside,inside) source dynamic any any destination static HTTP_SERVER_PUBLIC_IP HTTP_SERVER_PRIVATE_IP  service http http

With this NAT rule the ASA will do proxy ARP for that public IP (which in your case is the IP of your outside interface) for the ARP request from inside.

Plus, doing this you'd have to permit traffic from inside to inside (because it goes through the ASA, although on the same interface). I.e. some kind of:

access-list INSIDE_TO_OUTSIDE extended permit tcp any object HTTP_SERVER_PRIVATE_IP eq www

Device Type: ASA5505
ASA Version: 8.2(5)
ASDM Version: 6.4(5)

I have the same issue.

The web server behind the firewall is unavailable to internal users.

If I connect to the web server, log in and run the web browser, the web site is unavailable.

I attempted the recommended solution above but encountered errors.

General Case:

   nat (inside,inside) source dynamic any any destination static HTTP_SERVER_PUBLIC_IP HTTP_SERVER_PRIVATE_IP service http http

Specific Case:

   nat (inside,inside) source dynamic any any destination static 208.109.184.134 10.0.0.1 service http http

Error Message:

Result of the command: "nat (inside,inside) source dynamic any any destination static 208.109.184.134 10.0.0.1 service http http"

nat (inside,inside) source dynamic any any destination static 208.109.184.134 10.0.0.1 service http http
                                                                              ^
ERROR: % Invalid input detected at '^' marker.

-------------------------------------------------------------------

General Case:

   access-list INSIDE_TO_OUTSIDE extended permit tcp any HTTP_SERVER_PRIVATE_IP service http

Specific Case:

   access-list INSIDE_TO_OUTSIDE extended permit tcp any 10.0.0.1 service http

Error Message:

Result of the command: "access-list INSIDE_TO_OUTSIDE extended permit tcp any 10.0.0.1 service http"

access-list INSIDE_TO_OUTSIDE extended permit tcp any 10.0.0.1 service http
                                                               ^
ERROR: % Invalid Hostname

---------------------------------------------------------------------

Any help will be greatly appreciated. Thanks.

db

Hi,

Your ASA software version is older than the original poster's. Therefore the NAT format won't apply to your ASA.

Can you start a new discussion on these forums with background information and ASA configurations, and let's look through this situation.

- Jouni
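Added example, not posted by anyone in this thread: the hairpin fix written out in both NAT syntaxes the thread contrasts, part (A) for ASA 8.3 and later in the object-based form Andrew's reply uses, part (B) for an 8.2(5) box like the one in the post below. The addresses 10.0.0.1 and 208.109.184.134 come from the thread; the object names, HTTP_SVC, the ACL names and the assumption that inside clients use the ASA (10.0.0.254) as their default gateway are this example's own.

```cisco
! ============================================================
! (A) ASA 8.3 and later: object-based twice NAT
!     Object names, HTTP_SVC and ACL names are assumptions.
! ============================================================
object network HTTP_SERVER_PRIVATE_IP
 host 10.0.0.1
object network HTTP_SERVER_PUBLIC_IP
 host 208.109.184.134
object service HTTP_SVC
 service tcp destination eq www
!
! A flow that enters and leaves the same interface is dropped
! unless this is set.
same-security-traffic permit intra-interface
!
! Hairpin (listed first: twice NAT rules are evaluated top-down).
! Inside clients connecting to the public IP on tcp/80 are sent to
! the private IP; their source is PAT'd to the inside interface
! address so the server's reply returns through the ASA instead of
! going to the client directly.
nat (inside,inside) source dynamic any interface destination static HTTP_SERVER_PUBLIC_IP HTTP_SERVER_PRIVATE_IP service HTTP_SVC HTTP_SVC
!
! Internet users: one-to-one static. "dns" rewrites an A record for
! the public IP in DNS replies that pass through the ASA and are
! inspected, so inside clients resolve the private IP.
nat (inside,outside) source static HTTP_SERVER_PRIVATE_IP HTTP_SERVER_PUBLIC_IP dns
!
! From 8.3 on, ACLs match the real (untranslated) address.
access-list outside_access_in extended permit tcp any object HTTP_SERVER_PRIVATE_IP eq www
access-list inside_access_in extended permit tcp any object HTTP_SERVER_PRIVATE_IP eq www
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

! ============================================================
! (B) ASA 8.2 and earlier: static / global / nat syntax
! ============================================================
same-security-traffic permit intra-interface
!
! Internet users: the same one-to-one static the posted config
! already has, with "dns" added for DNS doctoring.
static (inside,outside) 208.109.184.134 10.0.0.1 netmask 255.255.255.255 dns
!
! Hairpin: destination translation for the public IP on packets
! arriving on inside, plus PAT of the source to the inside interface
! so replies return through the ASA. The "nat (inside) 1" line is
! already in the posted config and is repeated here for completeness.
static (inside,inside) 208.109.184.134 10.0.0.1 netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Before 8.3, ACLs match the mapped (translated) address.
access-list outside_access_in extended permit tcp any host 208.109.184.134 eq www
access-list inside_access_in extended permit tcp any host 208.109.184.134 eq www
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
```

Two things are worth checking before applying either part. Rule order: in (A) the (inside,inside) hairpin rule sits before the (inside,outside) static on purpose, because twice NAT rules are matched top-down and the static would otherwise also catch a browser running on the server itself (source 10.0.0.1). DNS doctoring: the dns keyword only helps when the DNS reply actually transits the ASA and is inspected (the posted global_policy does carry inspect dns); a client that types the IP literal, or that uses an internal DNS server, never sees a rewritten answer, which is the situation the original post describes. The proxy-ARP question does not arise with these addresses, since 208.109.184.134 is not in 10.0.0.0/24 and inside hosts hand the packet to their default gateway rather than ARPing for it.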

I have no idea how to start a new discussion, so...

Here is my firewall configuration:

!
ASA Version 8.2(5)
!
terminal width 511
hostname asa5505
domain-name nnnn.mmmmmmm.net
enable password QQQQQQQQQQQQ encrypted
passwd QQQQQQQQQQQ encrypted
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.109.184.27 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name nnnn.mmmmmmm.net
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 42
access-list outside_access_in extended permit udp any any eq nameserver
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended deny   tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 465
access-list outside_access_in extended permit tcp any any eq 587
access-list outside_access_in extended permit tcp any any eq 995
access-list outside_access_in extended permit tcp any any eq 993
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended permit tcp any any eq 2006
access-list outside_access_in extended permit tcp any any eq 8447
access-list outside_access_in extended permit tcp any any eq 9999
access-list outside_access_in extended permit tcp any any eq 2086
access-list outside_access_in extended permit tcp any any eq 2087
access-list outside_access_in extended permit tcp any any eq 2082
access-list outside_access_in extended permit tcp any any eq 2083
access-list outside_access_in extended permit tcp any any eq 2096
access-list outside_access_in extended permit tcp any any eq 2095
access-list outside_access_in extended permit tcp any any eq 8880
access-list outside_access_in extended deny   tcp any any eq telnet
access-list outside_access_in extended deny   tcp any any eq smtp
access-list outside_access_in extended deny   tcp any any eq imap4
access-list outside_access_in extended deny   tcp any any eq 1433
access-list outside_access_in extended deny   tcp any any eq 3306
access-list outside_access_in extended deny   tcp any any eq 9080
access-list outside_access_in extended deny   tcp any any eq 9090
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.2 208.109.186.139 netmask 255.255.255.255
static (inside,outside) 208.109.186.139 10.0.0.2 netmask 255.255.255.255
static (outside,inside) 10.0.0.3 208.109.186.154 netmask 255.255.255.255
static (inside,outside) 208.109.186.154 10.0.0.3 netmask 255.255.255.255
static (outside,inside) 10.0.0.1 208.109.184.134 netmask 255.255.255.255
static (inside,outside) 208.109.184.134 10.0.0.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.109.184.254 1
route outside 0.0.0.0 255.255.255.0 208.109.184.254 1
route outside 192.168.101.3 255.255.255.255 208.109.184.254 1
route outside 192.168.105.3 255.255.255.255 208.109.184.254 1
route outside 192.168.109.3 255.255.255.255 208.109.184.254 1
route outside 208.109.96.4 255.255.255.255 208.109.184.254 1
route outside 208.109.188.4 255.255.255.255 208.109.184.254 1
route outside 216.69.160.4 255.255.255.255 208.109.184.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXXXXXXXX password QQQQQQQQQQQQ encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Hello Douglas,

Just go to the main firewall page and create a new thread, to make everything more organized and keep the posts clean.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I fixed the problem but did not use a firewall configuration change to enable the fix.

While the installation of the Cisco ASA 5505 caused the problem, I decided not to focus on the firewall configuration.

I dug deep into the web application for the failure points.

This pointed me to name resolution and DNS.

I installed the Windows Server 2003 DNS Server.

Created a Zone for the server and A Records.

The DNS only resolves for DNS queries made from within the server.

All of the A records point to the inside IP addresses for the host names:

.       10.0.0.1
wwww    10.0.0.1
www     10.0.0.1
ww      10.0.0.1
w       10.0.0.1

The web application is working great.

db
