Unable to browse internal server

Unanswered Question
Apr 9th, 2008

Hi,

After installing an ASA 5505 at our client's site, they are no longer able to browse their internal server using the URL. But they can access it using the server name and IP address. I've already enabled port 53 to the outside port, as the DNS server is outside the network.

Hope you can help me resolve this issue.

Thanks,

Patricia

acomiskey Wed, 04/09/2008 - 12:22

When you say they can access it with IP, do you mean the internal IP?

The problem most likely is that the URL is resolving to the public IP address, which is not reachable from inside the ASA.

You have a few options to fix this. One is to edit the clients' hosts file so the URL resolves to the inside IP. Second is to use DNS doctoring on the ASA to change the response from the DNS server from public IP to private. Third is using hairpinning on the inside interface of the ASA.

DNS Doctoring -

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Hairpinning -

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

patricia20 Wed, 04/09/2008 - 12:48

Yes, it's the internal IP.

I'll review the links that you've sent. Thanks for your immediate reply. :)

patricia20 Wed, 04/09/2008 - 13:29

There is a note in DNS doctoring that "DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous."

If I'm using PAT, would you recommend hairpinning instead of DNS doctoring?

Thanks!

acomiskey Thu, 04/10/2008 - 05:42

Yes. That will work fine. Would look something like...

same-security-traffic permit intra-interface

static (inside,inside) <public-ip> <internal-ip> netmask 255.255.255.255

global (inside) 1 interface

nat (inside) 1 0 0
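
An added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the DNS rewrite decision, showing why the static PAT note quoted above rules out DNS doctoring. The rule layout, function name and addresses (documentation and private ranges) are assumptions made for illustration.

```python
# Toy model (added example): how a DNS A-record rewrite picks a real address
# from static translations, and why static PAT makes that choice ambiguous.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticRule:
    mapped_ip: str                      # address public DNS returns
    real_ip: str                        # internal host address
    mapped_port: Optional[int] = None   # None = static NAT (whole address)
    real_port: Optional[int] = None     # set  = static PAT (one port only)

    @property
    def is_pat(self) -> bool:
        return self.mapped_port is not None


def doctor_a_record(answer_ip: str, rules: List[StaticRule]) -> Tuple[str, str]:
    """Return (address handed to the inside client, reason)."""
    answer = ip_address(answer_ip)
    matches = [r for r in rules if ip_address(r.mapped_ip) == answer]
    if not matches:
        return answer_ip, "no static translation; answer passed through"
    if any(r.is_pat for r in matches):
        # An A record carries no port, so nothing in the DNS answer says
        # which port-specific rule (and which real host) applies.
        hosts = ", ".join(sorted({r.real_ip for r in matches}))
        return answer_ip, "static PAT: ambiguous (%s); not rewritten" % hosts
    return matches[0].real_ip, "static NAT: rewritten"


# Constructed sample translations (hypothetical addresses).
NAT_RULES = [StaticRule("203.0.113.10", "192.168.1.10")]
PAT_RULES = [
    StaticRule("203.0.113.10", "192.168.1.10", 80, 80),   # web server
    StaticRule("203.0.113.10", "192.168.1.20", 25, 25),   # mail server
]

if __name__ == "__main__":
    for label, rules in (("static NAT", NAT_RULES), ("static PAT", PAT_RULES)):
        print(label, "->", doctor_a_record("203.0.113.10", rules))
```

In the PAT case the client still receives the public address, which is the situation hairpinning on the inside interface handles.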
