Access an internal server through its public URL via ASA5505 from internal users

Unanswered Question
Mar 20th, 2010

Hi, I am replacing a Linksys router with an ASA5505, and I am facing a problem: they don't have a DNS server; all DNS is directed to a public DNS server.

I have two PAT translations to access two internal servers from the Internet.

I want internal users to also be able to access the two URLs to reach the servers from the internal network, just like public users from the Internet.

Thanks and regards

asoka@people.net.au Sat, 03/20/2010 - 08:44

Thanks for your reply,

But I don't think that is a DNS issue; even with the "dns" keyword it does not work for me.

I think the way the Linksys router handles port mapping is totally different from the ASA5505. In the Linksys router, I have a public-to-private mapping (two port forwardings to two internal IP addresses) configured. And internal users can access these services using the public IP addresses (DNS is not the issue).

But if I use PAT translation using the static (inside,outside) tcp command in the ASA5505, my internal users can't access the service using the public address.

any advice would be appreciated

Jennifer Halim Sat, 03/20/2010 - 17:05

They cannot use the public IP address of the server for internal users. If they use the same URL from internally, it will resolve to the private IP address if the DNS request traverses the firewall, after configuring the "dns" keyword on your static statement.

So basically, internal users still use the same URL (don't use the IP address to access the server from internally), and from DNS resolution it will resolve to the internal IP address.

Example:

- Internal user browses to "www.cisco.com", and external DNS resolves it to 198.133.219.25.

- As the DNS reply from the external DNS passes through the firewall, it will automatically change that public IP address to the private IP address, e.g. 10.1.1.1.

- When the internal user receives the DNS reply, www.cisco.com = 10.1.1.1.

Please also be advised that "inspect dns" needs to be enabled in the policy-map. If you run "show run policy-map", check if you have "inspect dns"; if you don't, please add the line "inspect dns" within the policy-map. Thanks.

Jennifer Halim Sat, 03/20/2010 - 18:58

No, you can't use the IP address because that does not require DNS resolution.

Can the users not use the internal IP address of the server when they are connected internally, and the external IP address when they are external?

Otherwise I believe you can configure the following, but it can become ugly in terms of best-practice configuration:

static (inside,inside) public_ip private_ip netmask 255.255.255.255

same-security-traffic permit intra-interface

Poonguzhali Sankar Sat, 03/20/2010 - 19:25

The "dns" keyword will not work for static PAT. It will only work for static (1-to-1) NAT.

With that said, how many people on the inside need to access these sites using their public address?

If it is just a handful, then what you can do, Asok, is add a hosts file on their computers (winnt\system32\drivers\etc) and specify the internal IP address and the domain name, so when they type the domain name in the browser it will automatically resolve to the inside address.

Like halijenn says, it is not recommended practice.

-KS

asoka@people.net.au Sat, 03/20/2010 - 21:23

Hi, thanks for taking so much interest in this.

static (inside,inside) public_ip private_ip netmask 255.255.255.255

would work wonderfully with NAT, but with PAT it is a problem. I don't know how a simple Linksys router/modem does this kind of thing which the ASA cannot handle.

kusankar: can the hosts table handle PAT?

Regards

Poonguzhali Sankar Sun, 03/21/2010 - 15:41

That U-turn translation that halijenn gave you would work, but that is not recommended. That is not for PAT but is called destination NAT. When the inside interface sees a packet destined to the public address specified, it will U-turn it off the inside interface and send it to the private IP address instead. You need to use that with the same-security command that was given in the previous posting.

The inside hosts should access the web servers using the inside (private) IP address and not the public address. Since they get the name resolved to the public address, I had suggested a hosts file. The hosts file is just for name resolution, where you would specify the inside IP address and the name, for example:

192.168.1.2 abc.mycompany.com

-KS

asoka@people.net.au Sun, 03/21/2010 - 18:13

Thank you kusankar,

But I don't think it will help with my simple Linksys router port forwarding. I want to replace the following, without an internal DNS server.

My internal users use these URLs from inside and outside; they use

http://198.133.219.25:8080 >> port forward to 192.168.1.170:80

http://198.133.219.25:8380 >> port forward to 192.168.1.172:80

These two addresses port forward to two different addresses.

If it is a single server, U-turn works at the IP level. I didn't think a hosts file will help here in this situation.

Thanks and regards

Jennifer Halim Sun, 03/21/2010 - 20:35

In theory, you can configure U-turn traffic for port redirection as suggested earlier, but please kindly note that it is not a recommended solution, and I am not sure whether U-turn port redirection would work.

This is how you would configure it:

static (inside,inside) tcp 198.133.219.25 8080 192.168.1.170 80

static (inside,inside) tcp 198.133.219.25 8380 192.168.1.172 80

Again, the above is not a recommended design.

http://198.133.219.25:8080/
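The following is an added example, not configuration posted by anyone in this thread, that puts the pieces discussed above into one ASA 8.2-style fragment: the two static PAT entries for Internet users (the two port forwards listed in the question), the "inspect dns" line mentioned for the "dns" keyword approach, and the "static (inside,inside)" U-turn entries together with "same-security-traffic permit intra-interface" as halijenn suggested. It assumes interface names "inside" and "outside", an outside ACL named "outside_in", that 198.133.219.25 is the address on the outside interface, and a flat 192.168.1.0/24 inside network. The "global (inside) 1 interface" / "nat (inside) 1" pair is also an assumption added here: it makes the ASA translate the inside client's source address on hairpinned flows so the server's reply comes back through the ASA instead of going straight to the client on the same LAN segment, which is what breaks a plain destination-only U-turn.

```cisco
! Added example, not from the thread. ASA 8.2-era syntax.
! Assumed interface names: inside / outside. Assumed ACL name: outside_in.

! 1) Port forwards for Internet users (the two PAT entries from the question)
static (inside,outside) tcp 198.133.219.25 8080 192.168.1.170 80 netmask 255.255.255.255
static (inside,outside) tcp 198.133.219.25 8380 192.168.1.172 80 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 198.133.219.25 eq 8080
access-list outside_in extended permit tcp any host 198.133.219.25 eq 8380
access-group outside_in in interface outside

! 2) DNS rewrite ("dns" keyword) only applies to a 1-to-1 static; shown for
!    a hypothetical single server with its own public address 198.133.219.26.
!    It needs DNS inspection in the global policy-map to rewrite A records.
static (inside,outside) 198.133.219.26 192.168.1.170 netmask 255.255.255.255 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! 3) U-turn (hairpin) so inside hosts can use the same public IP:port.
!    Intra-interface traffic must be permitted, and the client source is
!    translated to the inside interface address (assumption added here) so
!    the server's reply returns via the ASA rather than directly to the client.
same-security-traffic permit intra-interface
static (inside,inside) tcp 198.133.219.25 8080 192.168.1.170 80 netmask 255.255.255.255
static (inside,inside) tcp 198.133.219.25 8380 192.168.1.172 80 netmask 255.255.255.255
global (inside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
```

Before relying on section 3, verify the translation with "show xlate" while an inside host browses to http://198.133.219.25:8080, and check "show conn" for the hairpinned connection; if the connection never completes, confirm the client's default gateway is the ASA inside address, since a U-turn can only happen for traffic that actually reaches the firewall.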

asoka@people.net.au Mon, 03/22/2010 - 04:27

HI thanks for reply,

I tested: U-turn works OK with NAT, but with PAT it won't work.

May be now I have to give up and ask customer to setup a DNS server.

Regards
