10-04-2019 02:11 PM
DMZ                                  Internal Network
192.168.0.0 ------- Firewall ------- 192.168.1.0
255.255.255.0          |             255.255.255.0
                       |
                    Internet
                    204.0.0.3
Web Server: 192.168.0.11 - NAT 204.0.0.11
Internal Net Accessing Internet: 192.168.1.0 - NAT 204.0.0.3
Firewall: ASA ver 7.0
Ok, I'm having an odd problem. I have set up a web server on our DMZ with a private IP address. The firewall is ARPing for the address 204.0.0.11 and forwarding it to the private address on the DMZ. This works fine when accessing from anywhere on the Internet. The problem I am having is that people on the Internal network can't get to the website. They can get to anywhere else on the Internet. I can't figure out what is happening. The Internal requests should go out the external interface of the firewall, get NAT'ed to a real IP address, then try and access the real IP of the website, and come back through, just like accessing any other website out there on the Internet. I see the request going through the firewall, but nothing ever seems to come back to the client.
I don't want the Internal network to have direct access to the DMZ. Am I doing this wrong?
* All IP addresses have been changed to protect the innocent.
10-04-2019 10:08 PM
10-05-2019 12:26 AM
Hairpinning is not required here unless DNS and internal networks are hanging off the same physical interface. DNS rewrite (aka DNS doctoring) is where to start, but for this to work the DNS server needs to be located off a different firewall interface than the internal network. This is done by adding the DNS keyword at the end of the NAT statement for the web server.
If this does not work, please provide a full running configuration of your ASA (remove any public IPs, usernames and passwords). Also, provide the model of ASA you are running.
10-14-2019 01:07 PM
Here is the configuration -
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 204.0.0.3 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 204.0.0.11 eq www
icmp deny any OUTSIDE
global (OUTSIDE) 100 interface
global (OUTSIDE) 110 204.0.0.11
nat (INSIDE) 100 192.168.1.0 255.255.255.0
nat (DMZ) 110 192.168.0.0 255.255.255.0
static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255
access-group OUTSIDE_IN in interface ISP
route ISP 0.0.0.0 0.0.0.0 204.0.0.2 1
Please let me know what I need to configure to reach my goal.
10-14-2019 02:14 PM
You just need to add "dns" to the end of the NAT statement. If this doesn't work, you will need to explain more about your network, in particular where you have your DNS server.
static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255 dns
Would recommend upgrading your ASA software as the version you are running is end of support at the end of this month.
10-14-2019 02:59 PM - edited 10-14-2019 03:00 PM
-> My DNS server is outside of the network. I am using ISP's DNS server.
-> Do I need to configure an ACL from DMZ to INSIDE?
10-14-2019 03:33 PM
10-19-2019 03:59 PM
Do I need to enable DNS inspection on the ASA? According to my network topology/scenario, I am not able to get to the web server. The web server can be accessed from the outside world but not from the ASA's inside to the DMZ.
Please help.
10-19-2019 04:42 PM
No, you do not need DNS inspection; besides, DNS inspection should be enabled by default unless you have cleared all the config and configured from scratch.
Most likely your DNS resolution on the inside network returns the public IP of your web server. If this is the case, then the solution provided in this post is the correct solution. However, if you are restricting access with an ACL on the inside interface you need to allow traffic to the private IP of the web server.
A different option would be to configure twice NAT and NAT the destination public IP to the private IP of the web server. Same as with using the DNS keyword, if you use an access list on the inside interface you will need to allow this traffic in that ACL also.
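The two replies above describe the mechanism but not what the ASA actually changes. The following is an added example, not from this thread and not Cisco code: a small simulation of DNS rewrite (DNS doctoring) for the static translation the thread shows (mapped 204.0.0.11 on the outside, real 192.168.0.10 on the DMZ). It hand-builds a constructed DNS reply in wire format, then applies the rewrite the way the ASA does for a static with the dns keyword: the A-record RDATA in the reply is swapped from the mapped address to the real address, so the INSIDE client connects straight to the DMZ host instead of trying to reach its own public IP through the outside interface. The host name www.example.com is a placeholder, and the packet builder deliberately skips name compression to stay short.

```python
import struct

# The thread's static translation: mapped (outside) IP -> real (DMZ) IP.
STATIC_NAT = {"204.0.0.11": "192.168.0.10"}


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels, zero terminator.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_response(name, answers, txid=0x1234):
    # Constructed sample reply: QR=1 standard response, 1 question, N A records.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rrs = b"".join(
        encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + ip_to_bytes(ip)
        for ip in answers
    )
    return header + question + rrs


def skip_name(pkt, off):
    # Advance past a name; a 0xC0 compression pointer is 2 bytes and ends the name.
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def walk_records(pkt):
    # Yield (rdata_offset, rtype, rclass, rdlen) for every RR in the packet.
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt):
    # All IPv4 addresses carried in A records, in packet order.
    return [bytes_to_ip(pkt[o:o + 4]) for o, t, c, l in walk_records(pkt)
            if t == 1 and c == 1 and l == 4]


def doctor_dns_reply(pkt, nat_table):
    """Rewrite A records whose RDATA is a mapped address to the real address.
    Only replies (QR=1) are touched, which is also how the ASA behaves.
    Returns (new_packet, [(mapped, real), ...])."""
    pkt = bytearray(pkt)
    flags = struct.unpack_from("!H", pkt, 2)[0]
    if not flags & 0x8000:
        return bytes(pkt), []
    rewrites = []
    for off, rtype, rclass, rdlen in walk_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            mapped = bytes_to_ip(pkt[off:off + 4])
            if mapped in nat_table:
                pkt[off:off + 4] = ip_to_bytes(nat_table[mapped])
                rewrites.append((mapped, nat_table[mapped]))
    return bytes(pkt), rewrites


def inside_client_view(reply, dns_keyword):
    """Address an INSIDE client ends up with, with or without the dns keyword."""
    pkt, _ = doctor_dns_reply(reply, STATIC_NAT if dns_keyword else {})
    return a_records(pkt)


if __name__ == "__main__":
    reply = build_dns_response("www.example.com", ["204.0.0.11"])  # placeholder name
    print("without dns keyword:", inside_client_view(reply, False))  # ['204.0.0.11']
    print("with dns keyword:   ", inside_client_view(reply, True))   # ['192.168.0.10']
```

Without the keyword the inside client is handed 204.0.0.11, which is the case the original poster describes as never getting a response; with it the client is handed 192.168.0.10, which is exactly why the follow-up reply warns that any ACL on the INSIDE interface must permit traffic to that private address.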
10-05-2019 12:35 AM
Hi,
This does not work with the current configuration; it requires some extra configuration, such as hairpin NAT, or using an internal DNS server to redirect your traffic to the web server using the internal IP address only.
DNS setup may look like:
DNS name: www.xyz.com and Host IP: 192.168.0.X
DNS Name: xyz.com and Host IP: 192.168.0.x
Hairpin solution may look like:
https://networklessons.com/cisco/asa-firewall/cisco-asa-hairpin-internal-server
https://www.petenetlive.com/KB/Article/0000040