Problem Accessing Web Server on DMZ from Internal Network

patelparth3
Level 1
DMZ                                 Internal Network
192.168.0.0 -------Firewall-------192.168.1.0
255.255.255.0 | 255.255.255.0
|
|
Internet
204.0.0.3

Web Server: 192.168.0.11 - NAT 204.0.0.11
Internal Net Accessing Internet: 192.168.1.0 - NAT 204.0.0.3

Firewall: ASA ver 7.0

Ok, I'm having an odd problem. I have set up a web server on our DMZ with a private IP address. The firewall is ARPing for the address 204.0.0.11 and forwarding it to the private address on the DMZ. This works fine when accessing from anywhere on the Internet. The problem I am having is that people on the Internal network can't get to the website. They can get to anywhere else on the Internet. I can't figure out what is happening. The Internal requests should go out the external interface of the firewall, get NAT'ed to a real IP address, then try to access the real IP of the website, and come back through, just like accessing any other website out there on the Internet. I see the request going through the firewall, but nothing ever seems to come back to the client.

I don't want the Internal network to have direct access to the DMZ. Am I doing this wrong?

* All IP addresses have been changed to protect the innocent.


9 Replies

Hairpinning is not required here unless DNS and internal networks are hanging off the same physical interface. DNS rewrite (aka DNS doctoring) is where to start, but for this to work the DNS server needs to be located off a different firewall interface than the internal network. This is done by adding the DNS keyword at the end of the NAT statement for the web server.

If this does not work, please provide a full running configuration of your ASA (remove any public IPs, usernames and passwords).  Also, provide the model of ASA you are running.

--
Please remember to select a correct answer and rate helpful posts

Here is the configuration -

!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 204.0.0.3 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any host 204.0.0.11 eq www

icmp deny any OUTSIDE

global (OUTSIDE) 100 interface
global (OUTSIDE) 110 204.0.0.11

nat (INSIDE) 100 192.168.1.0 255.255.255.0
nat (DMZ) 110 192.168.0.0 255.255.255.0

static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255

access-group OUTSIDE_IN in interface ISP

route ISP 0.0.0.0 0.0.0.0 204.0.0.2 1

Please let me know what I need to configure to reach my goal.

You just need to add "dns" to the end of the NAT statement. If this doesn't work, you will need to explain more about your network, in particular where you have your DNS server.

static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255 dns

I would recommend upgrading your ASA software, as the version you are running reaches end of support at the end of this month.

--
Please remember to select a correct answer and rate helpful posts
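To make concrete what the `dns` keyword on that static does to traffic, here is an added Python model of DNS rewrite (this is not ASA code and not from this thread; the hostname www.example.com and the second address 198.51.100.7 are constructed). A constructed DNS reply carrying the mapped address 204.0.0.11 enters on ISP bound for INSIDE and leaves carrying the real address 192.168.0.10, so the inside client connects straight to the DMZ host instead of chasing the public address out the outside interface; a reply that never crosses the firewall (DNS server on the clients' own interface) is left alone, which is the caveat about DNS server placement raised earlier in the thread.

```python
import struct
from ipaddress import IPv4Address

# The thread's static, keyed by its mapped interface -> {mapped_ip: real_ip}:
#   static (DMZ,ISP) tcp 204.0.0.11 www 192.168.0.10 www netmask 255.255.255.255 dns
STATIC_NAT = {"ISP": {"204.0.0.11": "192.168.0.10"}}

def build_dns_reply(qname, addr, txid=0x1234):
    """Constructed sample input: a DNS response carrying one A record for qname."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)      # QR/RD/RA set, 1 question, 1 answer
    question = labels + struct.pack("!HH", 1, 1)                # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name pointer, A, IN, TTL 300, RDLENGTH 4
    return header + question + answer + IPv4Address(addr).packed

def skip_name(msg, off):  # offset just past a name: labels, optionally ending in a 0xC0xx pointer
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def answer_records(msg):
    """Yield (rdata_offset, rtype, rdlength) for every record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                            # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlength = struct.unpack_from("!HHIH", msg, off)
        yield off + 10, rtype, rdlength
        off += 10 + rdlength

def a_records(msg):  # dotted-quad A-record addresses in the answer section
    return [str(IPv4Address(msg[o:o + 4])) for o, t, n in answer_records(msg) if t == 1 and n == 4]

def doctor_dns_reply(msg, ingress_if, egress_if):
    """Rewrite A records the way the ASA 'dns' keyword does for a reply crossing from ingress_if to egress_if."""
    if ingress_if == egress_if:   # DNS server on the clients' own interface: reply never crosses the ASA
        return msg, []
    table = {IPv4Address(m).packed: IPv4Address(r).packed for m, r in STATIC_NAT.get(ingress_if, {}).items()}
    out, changed = bytearray(msg), []
    for off, rtype, rdlength in answer_records(msg):
        rdata = bytes(msg[off:off + rdlength])
        if rtype == 1 and rdata in table:
            out[off:off + 4] = table[rdata]
            changed.append((str(IPv4Address(rdata)), str(IPv4Address(table[rdata]))))
    return bytes(out), changed
```

Only the RDATA bytes change, so the message length, transaction ID and TTL the client sees are untouched; the returned list of (old, new) pairs is what you would expect to see logged for each rewritten answer.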

-> My DNS server is outside of the network. I am using ISP's DNS server.

-> Do I need to configure an ACL from DMZ to INSIDE?

No ACL is needed.
--
Please remember to select a correct answer and rate helpful posts

Do I need to enable DNS inspection on the ASA? According to my network topology/scenario, I am not able to get to the web server. The web server can be accessed from the outside world but not from the ASA's inside to the DMZ.

Please help.

No, you do not need DNS inspection; besides, DNS inspection should be enabled by default unless you have cleared all the config and configured from scratch.

Most likely your DNS resolution on the inside network returns the public IP of your web server. If this is the case, then the solution provided in this post is the correct solution. However, if you are restricting access with an ACL on the inside interface, you need to allow traffic to the private IP of the web server.

A different option would be to configure twice NAT and NAT the destination public IP to the private IP of the web server. Same as with using the DNS keyword, if you use an access list on the inside interface you will need to allow this traffic in that ACL also.

--
Please remember to select a correct answer and rate helpful posts

Deepak Kumar
VIP Alumni

Hi,

This does not work with the current configuration; it requires some extra configuration such as hairpin NAT, or an internal DNS server that redirects your traffic to the web server using the internal IP address only.

The DNS setup may look like:

DNS name: www.xyz.com  and Host IP: 192.168.0.X

DNS Name: xyz.com   and Host IP: 192.168.0.x

The hairpin solution may look like:

https://networklessons.com/cisco/asa-firewall/cisco-asa-hairpin-internal-server

https://www.petenetlive.com/KB/Article/0000040

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!