Why can't I browse a web site whose DNS server is placed outside?

martlee2
Cisco Employee

I changed to placing the DNS server, which is on the same VM as the web server, outside of the ASA,

and expected to browse the web site from inside, but it failed.

 

https://drive.google.com/file/d/0Bxs_ao6uuBDUUFFRNlpETTR1dGs/view?usp=sharing

https://drive.google.com/file/d/0Bxs_ao6uuBDUOXlVa3lMbC1UcUk/view?usp=sharing

 

ubuntu -- 192.168.1.2 -- Switch1 192.168.1.254 -- inside -- 192.168.1.7 ASA 115.0.0.15 -- outside -- 115.0.0.16 Router 10.0.0.1 -- 10.0.0.7 web site

DNS 10.0.0.23

ASA

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www 
access-group acl_outside_new in interface outside
end
conf t
object network Web_INSIDE
host 192.168.1.254
nat (inside,outside) static interface service tcp 80 80
end
conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
end

3725 Switch1
conf t
hostname Switch1
vlan 5
int vlan 5
ip address 192.168.1.254 255.255.255.0
end
conf t
int fa1/1
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/2
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/3
switchport
switchport access vlan 5
switchport mode access
shut
no shut
end

Router1
conf t
hostname Router1
ip routing
int fa0/0
ip address 115.0.0.16 255.0.0.0
shut
no shut
int fa0/1
ip address 10.0.0.1 255.0.0.0
shut
no shut
end
conf t
router eigrp 1
network 115.0.0.0 255.0.0.0
network 10.0.0.0 255.0.0.0
end

verify:
packet-tracer input outside tcp 115.0.0.16 80 192.168.1.2 80 detailed
packet-tracer input inside tcp 192.168.1.2 80 115.0.0.16 80 detailed

packet-tracer input outside tcp 10.0.0.23 80 192.168.1.2 80 detailed
packet-tracer input inside tcp 192.168.1.2 80 10.0.0.23 80 detailed

6 Replies

andre.ortega
Spotlight

Hi martlee2,

You should put that ACL (acl_outside_new) on interface inside.

Also, I am not sure about what you are doing with these NATs.

If you want just to access the web server on outside, from inside, you may use something like this:

object network nat-MyLAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

 

Regards.

I have applied acl_outside_new on interface inside, but I cannot access the web server outside.

Not only access to that web server: I expect to access all kinds of web sites outside.

I changed to using dynamic NAT with overload, and still cannot access the web outside from inside.

After the change:

 

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www 
access-group acl_outside_new in interface inside
end
conf t
object network Web_INSIDE
host 192.168.1.254
nat (inside,outside) static interface service tcp 80 80
end
conf t
object network DNS_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
end
conf t
http server enable
http 192.168.1.7 255.255.255.0 inside
end

Please try to remove the NAT config from object Web_INSIDE.

https://drive.google.com/file/d/0Bxs_ao6uuBDUQVdFZ1VzeVJYXzg/view?usp=sharing

 

conf t
object network WEB_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end

 

a. If I only have dynamic interface, I can see the web with 10.0.0.7/index.html,

but after adding the static route for DNS, it cannot see www.xxx.com and cannot see 10.0.0.7/index.html.

b. The second thing I do not understand is why Ubuntu needs to add a static route; when I ping the outside router, it returns "no route". Why

can it not use the default route to find the way? If I use NAT, it can go to the real-world internet without returning "no route" for every site. Why does the simulation need to add a static route?

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

 

Then I changed 192.168.1.2 to 192.168.1.254, which is the device directly connected to the ASA;

it can see 10.0.0.7/index.html now but cannot see www.xxx.com, and

conf t
object network DNS_INSIDE
host 192.168.1.2
nat (inside,outside) static 10.0.0.23 dns
end

to

conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end

 

 

ubuntu -- 192.168.1.2 -- Switch1 192.168.1.254 -- inside -- 192.168.1.7 ASA 115.0.0.15 -- outside -- 115.0.0.16 Router 10.0.0.1 -- 10.0.0.7 web & DNS site (same VM)

DNS 10.0.0.23

sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0

ASA

conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 115.0.0.15 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www 
access-group acl_outside_new in interface outside
end
conf t
object network WEB_INSIDE
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end
conf t
object network DNS_INSIDE
host 192.168.1.2
nat (inside,outside) static 10.0.0.23 dns
end
conf t
route outside 0.0.0.0 0.0.0.0 115.0.0.16 1
router eigrp 1
network 115.0.0.0 255.0.0.0
network 192.168.1.0 255.255.255.0
network 10.0.0.0 255.0.0.0
end

3725 Switch1
conf t
hostname Switch1
vlan 5
int vlan 5
ip address 192.168.1.254 255.255.255.0
end
conf t
int fa1/1
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/2
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/3
switchport
switchport access vlan 5
switchport mode access
shut
no shut
end
conf t
line vty 0 4
password cisco
login
end
conf t
ip route 10.0.0.0 255.0.0.0 192.168.1.7
ip route 115.0.0.0 255.0.0.0 192.168.1.7
end

Router1
conf t
hostname Router1
ip routing
int fa0/0
ip address 115.0.0.16 255.0.0.0
shut
no shut
int fa0/1
ip address 10.0.0.1 255.0.0.0
shut
no shut
end
conf t
router eigrp 1
network 115.0.0.0 255.0.0.0
network 10.0.0.0 255.0.0.0
end
conf t
no ip name-server 10.0.0.7
ip name-server 10.0.0.23
end
conf t
line vty 0 4
password cisco
login
end

https://drive.google.com/file/d/0Bxs_ao6uuBDUX0c4aTM1M2lqc2s/view?usp=sharing

 

Actually there is no need for

conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end

 

After using this static NAT, it will influence other connections, such as the telnet connection from inside to the outside router.

 

My lab notes want to demonstrate the web server inside and the DNS server outside,

but I am confused by its virtual IP 10.0.0.23, which is not used by any ports.

 

Finally I went back to using the static IP address which is used by the DNS server instead of the virtual IP. I succeeded in browsing the web.

Now I try to

follow the idea of the web site inside and DNS outside and let Ubuntu browse the web from inside,

but failed.

As I tried before, that DNS static NAT will influence the dynamic interface; I guess that no one in the DMZ will browse the real internet from inside to outside, so I do not add dynamic interface to mix with static NAT.

However, with only the static NAT dns, it still failed. Why?
 
 
 
 
                  web site 192.168.1.120
                           |
ubuntu -- 192.168.1.2 -- Switch1 192.168.1.254 -- inside -- 192.168.1.7 ASA 10.0.0.9 -- outside -- 10.0.0.7 DNS site
 
DNS 10.0.0.23
 
sudo route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
sudo route add -net 115.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 dev eth0
 
ASA
 
conf t
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 50
ip address 192.168.1.7 255.255.255.0
no shutdown
end
conf t
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 10.0.0.9 255.0.0.0
no shut
access-list acl_outside_new extended permit tcp any any eq www 
access-group acl_outside_new in interface inside
end
conf t
object network DNS_INSIDE
host 192.168.1.254
nat (inside,outside) static 10.0.0.23 dns
end
conf t
route outside 0.0.0.0 0.0.0.0 10.0.0.7 1
router eigrp 1
network 192.168.1.0 255.255.255.0
network 10.0.0.0 255.0.0.0
end
 
 
 
3725 Switch1
conf t
hostname Switch1
vlan 5
int vlan 5
ip address 192.168.1.254 255.255.255.0
end
conf t
int fa1/1
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/2
switchport
switchport access vlan 5
switchport mode access
shut
no shut
int fa1/3
switchport
switchport access vlan 5
switchport mode access
shut
no shut
end
conf t
line vty 0 4
password cisco
login
end
conf t
ip route 10.0.0.0 255.0.0.0 192.168.1.7
ip route 115.0.0.0 255.0.0.0 192.168.1.7
end
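The `dns` keyword on the static NAT is what the last lab relies on: the ASA rewrites A records in DNS replies that cross the NAT, so an inside client resolving a name served by the outside DNS server gets the real inside address instead of the mapped one. The Python model below is an added illustration, not code from this thread or from Cisco; it assumes the inside web server 192.168.1.120 is the real host behind the mapped address 10.0.0.23, and that the outside DNS server answers www.xxx.com with 10.0.0.23.

```python
import struct
from ipaddress import IPv4Address

# Static NAT from the last lab: real inside web server -> mapped outside address.
# Assumption: 192.168.1.120 is the host the static NAT is meant to cover.
STATIC_NAT = {"192.168.1.120": "10.0.0.23"}

def _skip_name(msg, off):
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_reply(msg, nat=STATIC_NAT, outside_to_inside=True):
    """Rewrite A records in a DNS reply crossing the ASA; returns (new_bytes, rewrites)."""
    msg = bytes(msg)  # accept bytearray input too
    if outside_to_inside:   # reply enters the inside: mapped -> real
        table = {IPv4Address(m): IPv4Address(r) for r, m in nat.items()}
    else:                   # reply leaves to the outside: real -> mapped
        table = {IPv4Address(r): IPv4Address(m) for r, m in nat.items()}
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):            # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    rewrites = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record: rewrite the address in place
            addr = IPv4Address(msg[off:off + 4])
            if addr in table:
                out[off:off + 4] = table[addr].packed
                rewrites.append((str(addr), str(table[addr])))
        off += rdlen
    return bytes(out), rewrites

def build_reply(name, addr, txid=0x1234):
    """Constructed DNS reply with one A record (sample input, not a captured packet)."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(addr).packed
    return header + question + answer
```

Running `doctor_reply(build_reply("www.xxx.com", "10.0.0.23"))` shows the one rewrite `('10.0.0.23', '192.168.1.120')`; a reply carrying an address outside the NAT table (10.0.0.7, for instance) passes through untouched.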