
Strange issue with FWSM

Garrison Botts
Level 4

I have a customer that is using FWSMs. There are 4 interfaces (inside 100, outside 0, dmz 50, wireless 4).

So to give an example:


1) I connect to the wireless and get an address of 192.168.1.x. My DNS server is on the dmz and I can resolve addresses and surf the internet.

2) I want to get to a server owned by the customer, so I type http://webapps.customer.com

3) The DNS gives the external address and the attempt is made.

4) I time out...

If I connect via an external source (like an iPhone using the ATT network), I connect with no problem... I get the same external address.

Thoughts on what to look at? I've double-checked everything and so far cannot find a good answer...

2 Replies

Dru Goradia
Level 1

Can we see the access-lists?

Sounds like DNS doctoring is what you're looking for: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/71704-dns-doctoring-2zones.html

I am assuming that 20x.xxx.xx.76 is the webserver IP?

And if you do an nslookup for webapps.customer.com you get that same public IP?

If that is the case, then that is the problem. You would need to do either DNS doctoring or add another NAT statement.

DNS doctoring is done by just adding the keyword DNS to the end of the relevant NAT statement:

static (web_dmz,OUTSIDE) 20X.XXX.XX.76 172.16.XXX.76 netmask 255.255.255.255 dns

The other option would be to translate the public IP, which is ingress on the inside interface, to the private IP, which is egress on the DMZ interface. Something like the following:

static (inside,web_dmz) 172.16.XXX.76 20X.XXX.XX.76 netmask 255.255.255.255

I suggest trying the DNS doctoring option first, and then the second option if it doesn't work.

--

Please remember to select a correct answer and rate helpful posts
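The `dns` keyword on the static makes the firewall rewrite the A record inside the DNS reply, so the wireless client learns the server's private address instead of the public one it cannot reach from inside. Here is a small Python model of that rewrite, added as an illustration (it is not code from the post or from the FWSM itself): the two addresses are constructed placeholders for the masked 20X.XXX.XX.76 / 172.16.XXX.76 above, and the DNS message is built inline.

```python
import struct
import ipaddress

# Constructed placeholders for the masked 20X.XXX.XX.76 / 172.16.XXX.76 in the reply above.
MAPPED_IP = "203.0.113.76"  # public (mapped) side of the static
REAL_IP = "172.16.10.76"    # private (real) side on web_dmz

def _skip_name(msg, off):
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, mapped_ip, real_ip):
    """Rewrite A records equal to mapped_ip to real_ip; returns (new_msg, records_rewritten)."""
    mapped = ipaddress.IPv4Address(mapped_ip).packed
    real = ipaddress.IPv4Address(real_ip).packed
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off, rewritten = 12, 0  # 12 = fixed DNS header length
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rdlen == 4 and bytes(buf[off:off + 4]) == mapped:
            buf[off:off + 4] = real  # the inside client now learns the private address
            rewritten += 1
        off += rdlen
    return bytes(buf), rewritten

def build_reply(name, ip):
    """Constructed DNS response: one question plus one A answer (name via pointer to offset 12)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answered_ip(msg):
    """Address in the first A record of a reply (used to check the rewrite)."""
    off = 12
    for _ in range(struct.unpack_from("!H", msg, 4)[0]):
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off) + 10
    return str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
```

Without the rewrite the client keeps the public address and the connection times out exactly as described in the question; replies whose A records do not match the static are left untouched.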
