Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

access internal server through public URL via ASA5505 by internal users

HI, I am replacing a linksys router with ASA5505

, and I am facing a problem, they dont have a DNS server, all dns directing to public

DNS server,

I have two PAT translations to access two internal serves from Internet.

I want to make internal users also be able to access the two URLs to access servers from internal network like public users from Internet.

Thanks and regards

11 REPLIES
Cisco Employee

Re: access internal server through public URL via ASA5505 by int

You can configure dns doctoring if internal users use external dns server for dns resolution.

On the static translation statement for your servers, add the keyword "dns" at the end of the statement.

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

New Member

Re: access internal server through public URL via ASA5505 by int

Thanks for your reply,

But I dont think that is a DNS issue, even with the "dns" keyword it does not work for me,

I think the way Linksys router handle port mapping is totaly different to ASA5505, in Linksys router, I have a public to private mapping (two port fowarding to two internal IP addresses) configured in Linksys router. And internal users can access these services using public IP addresses(dns is not the issue).

But if I sue PAT translation suing static (inside, outside) tcp cpmmnad in ASA5505, my internal users cant access the service using the public address.

any advice would be appreciated

Cisco Employee

Re: access internal server through public URL via ASA5505 by int

They can not use the public ip address of the server for internal user. If they use the same URL from internally, it will resolve to the private ip address if the DNS request traverse through the firewall after configuring the "dns" keyword on your static statement.

So basically, internal user still uses the same URL (don't use ip address to access the server from internally), and from dns resolution, it will resolve to the internal ip address.

Example:

-Internal user to browse to "www.cisco.com", and external dns will resolve to 198.133.219.25.

-As the dns reply from external dns passes through the firewall, it will automatically change that public ip address to private ip address, eg: 10.1.1.1

-When internal user receive the dns reply, www.cisco.com = 10.1.1.1

Please also be advised that "inspect dns" needs to be enabled on the policy-map. If you run "show run policy-map", check if you have "inspect dns", if you don't, please add the line "inspect dns" within the policy-map. Thanks.

New Member

Re: access internal server through public URL via ASA5505 by int

Thanks Halijenn:

That will help in a general situation like, u have dns entry in DNS servers(public).

But this customer is a very small one, but stated to build his network, What if they use the public IP address in the URL

like

http://198.133.219.25:8080

http://198.133.219.25:8380

that will help with 'dns' keword at  the end isnt it

Advice will be appreciated

Cisco Employee

Re: access internal server through public URL via ASA5505 by int

No, can't use ip address because that does not require dns resolution.

Can the user not use internal ip address of the server when they are connected internally? and use external ip address when they are external?

Otherwise I believe you can configure the following, but it can become ugly in terms of best practise configuration:

static (inside,inside) public_ip private_ip netmask 255.255.255.255

same-security-traffic permit intra-interface

Cisco Employee

Re: access internal server through public URL via ASA5505 by int

"dns" keyword will not work for static PAT. It will only work for static (1-1) nat.

With that said, how many people on the inside need to access these sites using their public address?

If it is just a handful then what you can do Asok, is add a hosts file in their computer winnt\system32\drives\etc and specify the internal IP address and the domain name so, when they type the domain name in the browser it will automatically resolve to the inside address.

Like halijenn says, it is not recommended practice.

-KS

New Member

Re: access internal server through public URL via ASA5505 by int

Hi, Thaks for taking much interest in this

static (inside,inside) public_ip private_ip netmask 255.255.255.255

would work wonderfully with NAt , but with PAT it is a problem, I dont know how simple Linksys router/modem do this kind of thing which ASA cannot handle

kusankar: can the hosts table handle PAT

Regards

Cisco Employee

Re: access internal server through public URL via ASA5505 by int

That U-Turn translation that Hillijen gave you would work but, that is not recommedned. That is not for PAT but called destination NAT. When the inside interface sees a packet destined to the public address specified it will U-Turn it off the inside interface and send it to the private IP address instead. You need to use that with the same security that was given in the previous posting.

The inside hosts should access the webservers using the inside (private) IP address and not the public address.  Since they get the name resolved to public address, I had suggested a hosts file.  The hosts file is just for name resolution. Where you would specifiy the inside IP address and the name for example:

192.168.1.2 abc.mycompany.com

-KS

New Member

Re: access internal server through public URL via ASA5505 by int

Thank you kusankar,

But, I don't think it will help with my simple Linksys router port

forwarding, I want to replace the following, without a internal DNS server

My internal users use this url from inside and outside, they use

http://198.133.219.25:8080 >> port forward to 192.168.1.170:80

http://198.133.219.25:8380 >> port forward to 192.168.1.172:80

These two addresses port forward to 2 different addresses.

If it is a single server U-turn works at IP level. I dint think host file

will help here in this situ.

Thanks and regards

Cisco Employee

Re: access internal server through public URL via ASA5505 by int

In theory, you can configure U-turn traffic for port redirection as suggested earlier, but please kindly note that it is not a recommended solution, and not sure whether the U-turn port redirection would work.

This is how you would configure it:

static (inside,inside) tcp 198.133.219.25 8080 192.168.1.170 80

static (inside,inside) tcp 198.133.219.25 8380 192.168.1.172 80

Again, the above is not a recommended design.

http://198.133.219.25:8080/

New Member

Re: access internal server through public URL via ASA5505 by int

HI thanks for reply,

I tested U-turn will work Ok with Nat but with PAT it won't work.

May be now I have to give up and ask customer to setup a DNS server.

Regards

1771
Views
0
Helpful
11
Replies
CreatePlease login to create content