ASA 5510 Loopback configuration

Answered Question

Not sure if loopback is right term but here's the scenario:


Small business with a 5510. External domain name is domain.com, internal AD domain is domain.local. Mail is hosted internally, with webmail having an external DNS (public) name of mail.domain.com.

When users on the outside hit mail.domain.com, it's statically set to an internal mail server and everything works fine. When users are on the internal LAN or wireless and they put in mail.domain.com, it times out instead of going out to grab the external IP of the public DNS record and coming back in. Internally they can access the mail server using the private IP or NetBIOS name of the email server.


I have searched online and found articles suggesting a split dns. Setting an entry for mail.domain.com to point to private address on our internal DNS server. I tried this but we also have a website www.domain.com that is hosted outside our network on our ISP's servers. With that DNS entry in place our in house staff can not access our company's website.


How can I configure the ASA so that the traffic flows back correctly?


Our setup includes:


Windows 2003 Standard SP2 DNS server

Windows 2008 Enterprise SP2 Exchange 2007

CISCO ASA 5510

CISCO 870 ROUTER

CISCO CATALYST 2960


I guess I should also mention that everything worked fine with just a simple home brand router (no asa and just an unmanaged switch). But obviously that equipment wasn't practical for our setup.


Jennifer Halim (Cisco Employee) Tue, 03/30/2010 - 17:59

You can use the dns doctoring feature on the ASA.


On the static translation command for the mail server, just add the "dns" keyword at the end of the statement.


When an internal user requests DNS resolution for the mail server from the external DNS server and the traffic goes through the ASA firewall, then once the DNS reply returns through the ASA, the ASA will modify the resolution from the external IP address to its corresponding private IP address, provided the "dns" keyword is configured at the end of the mail server static translation.


Hope that helps.

Jennifer Halim (Cisco Employee) Fri, 04/02/2010 - 15:04

Sure, assuming that the following is the static statement for your webmail server:


static (inside,outside) public-ip private-ip netmask 255.255.255.255


You can remove the above and add the "dns" keyword as follows:


static (inside,outside) public-ip private-ip netmask 255.255.255.255 dns


Hope that helps.

Jennifer Halim (Cisco Employee) Sat, 04/03/2010 - 15:13

When the internal users try to access www.domain.com, does the DNS request go through the firewall? I.e., are they using an external DNS server for DNS resolution, where the DNS request and reply go through the firewall? If yes, then it should work.

If you are using an internal DNS server, or the DNS request does not go through the firewall, then the "dns" keyword will not work.
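As an added illustration (not from the thread and not Cisco's code), here is a Python model of what the "dns" keyword on the static translation does to a DNS reply transiting the ASA: A-record answers whose RDATA equals the translation's public IP are rewritten to the private IP, and replies for names with no matching static (such as an externally hosted www.domain.com) pass through unchanged. The addresses and the reply bytes are constructed placeholders, not values from the original post.

```python
import struct

# Constructed static translation, mirroring the thread's
# "static (inside,outside) public-ip private-ip netmask 255.255.255.255 dns".
# Addresses are placeholders, not from the original post.
STATIC_XLATES = {"203.0.113.25": "192.168.1.25"}  # public -> private


def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def doctor_dns_reply(msg, xlates=STATIC_XLATES):
    """Rewrite A-record RDATA in a DNS reply as the ASA 'dns' keyword does.
    Returns (rewritten_message, [(public_ip, private_ip), ...])."""
    buf = bytearray(msg)
    qd, an = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qd):                 # skip the question section
        off = _skip_name(buf, off) + 4  # QTYPE + QCLASS
    rewrites = []
    for _ in range(an):                 # walk the answer section
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record: compare RDATA with the xlate table
            public = ".".join(str(b) for b in buf[off:off + 4])
            if public in xlates:
                buf[off:off + 4] = bytes(int(o) for o in xlates[public].split("."))
                rewrites.append((public, xlates[public]))
        off += rdlen                    # other record types pass through untouched
    return bytes(buf), rewrites


def build_reply(name, ip, txid=0x1234):
    """Constructed single-A-record DNS reply for name -> ip (sample input only)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, 1 Q, 1 A
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + qname + struct.pack("!HH", 1, 1) + answer
```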

Correct Answer
mciszek Sat, 04/03/2010 - 16:07

Derrick,


On your internal DNS, create a zone for your external domain "domain.com". Then just add any entries that you would like internal users to access, with the appropriate IP addresses. The only issue with this configuration is that if external records pointing to global IP addresses change, you will have to manually make the change too, i.e. www (if hosted externally and moved to a new provider). This should not be a big deal!


Host entries would work too, but that's lame!


If you do not want to maintain a copy of your external DNS records on your internal DNS, I suggest you carefully read the blog entry from Collin Clark's post and set up bidirectional NAT.

You may also need to set up U-turn (hairpinning) with "same-security-traffic permit intra-interface", depending on the placement of devices.

A diagram of your topology would be helpful! ASA config too! Be careful to sanitize it first!

I really like just adding the external zone to the internal DNS; your setup sounds a lot like many of my customers'. Keeping the ASA configuration simple might be a good idea unless you're up for the challenge! Remember, you have to maintain this, not me, nor anyone else!

Hope this helps,

Mike

Mike,


Thanks for the response. I've tried setting up a domain.com zone on our internal DNS server. I'm able to access mail.domain.com internally but not www.domain.com. I have an A record pointing www.domain.com to the public IP of the site, but is there anything else I need to do to get this working? The way I set up the zone was by creating a new zone under "Forward Lookup Zones"; the type of zone I used was "Primary zone". I attached what you requested with my reply. The zip file is password protected; I will send you a private message with that password. Thanks again -Derrick

mciszek Tue, 04/06/2010 - 13:35

Derrick,


You could have done an "ipconfig /flushdns" on the workstations and run the Microsoft DNS management tool from a workstation or server, clicked on "View", then made sure the "Advanced" option was checked. Under the Cached Entries, find your domain and delete any entries that may be invalid.


Glad you made this work!


Thanks,

Mike
