I have an ASA 5510, and recently we had to move our web site to an external provider. However, portions of the web site still remain here on site. From outside, the web site operates fine, with the portions being hosted here as well as at the provider site acting as they should. However, when inside the network, the portions that are local do not ever connect and result in a 'site not found' error. This is because the external provider links to my portion using the public URL. I have temporarily solved this by placing a hosts file that gives the call to the local portions the correct internal address as opposed to the public address, and that works OK.
Here's the deal, I'd like the ASA to intercept these requests and simply turn them around and send them back inside. Details are:
Local domain = domain1.com
Local Windows AD DNS, no authority for the domain2 DNS records
My portion of the web site has a URL of searchdomain1.com with a public address of 10.10.10.100 and an inside address of 192.168.1.10
Hosted domain = domain2.com
External DNS provider with authority for domain2, not domain1
URL for the main site portion is mysite.domain2.com with a public address of 10.100.10.100
Initially, I thought a static NAT rule similar to:
static (inside,inside) 18.104.22.168 10.10.10.100
but no change. Then I thought perhaps with the dns keyword like:
static (inside,inside) 22.214.171.124 10.10.10.100 dns
You have to do DNS doctoring or hairpinning on your ASA to have the U-turn of the traffic via the same interface. The NAT and configuration parameters change slightly based on the OS version which you use.
If you use the 8.3+ OS, which has the new NAT syntax:
access-list outbound permit tcp <source lan> <web server public ip> eq www (depends on your requirement)
nat (inside,outside) source static <Private IP Of web server> <public ip of web server> dns
Hairpinning is quite different from this. DNS doctoring would meet your requirement.
In the older 7.2 version:
global (inside) 1 interface
nat (inside) 1 <Local LAN Subnet>
!--- The NAT statement defines which traffic should be natted.
!--- The whole inside subnet in this case.
static (inside,outside) <public IP> <private ip> netmask 255.255.255.255
!--- Static NAT statement mapping the WWW server's real address to a public
!--- address on the outside interface.
static (inside,inside) <public IP> <private ip> netmask 255.255.255.255
In order to enable DNS inspection (if it has been previously disabled), perform these steps. In this example, DNS inspection is added to the default global inspection policy, which is applied globally by a service-policy command as though the ASA began with a default configuration. Refer to Using Modular Policy Framework for more information on service policies and inspection.
Create an inspection policy map for DNS.
ciscoasa(config)#policy-map type inspect dns MY_DNS_INSPECT_MAP
From the policy-map configuration mode, enter parameter configuration mode to specify parameters for the inspection engine.
ciscoasa(config-pmap)#parameters
In policy-map parameter configuration mode, specify the maximum message length for DNS messages to be 512.
ciscoasa(config-pmap-p)#message-length maximum 512
Exit out of policy-map parameter configuration mode and policy-map configuration mode.
ciscoasa(config-pmap-p)#exit
ciscoasa(config-pmap)#exit
You will also need to ensure that you have the following command enabled on the ASA:
same-security-traffic permit intra-interface
Now having said all this, I still do not think it will work when accessing a webpage due to the asynchronous routing that will occur. This is because the web server will see the source address as an address on its own subnet and send traffic directly to the inside host instead of back through the ASA. The host will then send the next packet through the ASA firewall while the ASA will be expecting a different sequence number and think that the packet is spoofed and drop the packet. A way to get around this is to enable TCP bypass...but this is usually not a recommended solution as it can be a security risk.
As an alternative solution I suggest you create a second DNS entry that resolves to the internal IP of the server for the internal hosts to use.
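To make concrete what the DNS doctoring in both answers above does (the ASA's DNS inspection rewrites an A record in a reply when it carries the mapped address of a static NAT, and only for replies within the configured message-length maximum), here is an added Python simulation of that rewrite. It is not ASA code and not part of this thread; the addresses are the placeholder values from the question, the function names are my own, and the sample reply is constructed inline.

```python
import struct
import ipaddress

# Static NAT pair from the question (placeholder values): mapped public -> real inside.
DOCTOR_MAP = {"10.10.10.100": "192.168.1.10"}
MAX_DNS_MESSAGE_LEN = 512          # the "message-length maximum 512" inspection parameter

def within_message_limit(msg):
    """Mirror the inspection's length check: oversized replies are dropped, not doctored."""
    return len(msg) <= MAX_DNS_MESSAGE_LEN

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:            # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, mapping=DOCTOR_MAP):
    """Rewrite A-record answers carrying a mapped address to the real address.
    Returns (rewritten_message, number_of_records_rewritten)."""
    if not within_message_limit(msg):
        raise ValueError("DNS message exceeds inspection maximum; it would be dropped")
    buf = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", buf, 4)
    off = 12                                    # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addr = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            if addr in mapping:                          # matches a static NAT mapped address
                buf[off:off + 4] = ipaddress.IPv4Address(mapping[addr]).packed
                rewritten += 1
        off += rdlen
    return bytes(buf), rewritten

def build_a_reply(name, addr, txid=0x1234, ttl=300):
    """Constructed sample input: a minimal DNS response with one A record for name."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # standard response, 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer
```

A reply for mysite.domain2.com is left untouched because its address is not the mapped side of a static NAT; only the searchdomain1.com answer is rewritten to the inside address.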