08-01-2013 12:39 PM - edited 03-11-2019 07:20 PM
Hi there,
We are using an ASA5100 on 8.2(5). I'm trying to look at granting access to our internal webserver to those connected to our guest network using an external DNS server. I've enabled DNS inspection but can't seem to get the doctoring setup going for our device. We are using three of the four interfaces as follows:
outside interface (connected to our ISP with a public IP)
inside interface (172.20.1.2 connected to our 3750 Gig1/0/2 with IP 172.20.1.1)
guest_inet interface (10.2.1.1 connected to 3750 Gig2/0/2 tagged VLAN 999)
The 3750 device connects to our local 192.168.x.x network.
Wireless guests are in the 10.2.1.0/24 subnet and use an external DNS. External clients are able to resolve our web server to the public IP address 63.236.246.66 and NAT successfully directs them to the internal address 192.168.40.40.
I've enabled the DNS doctoring option on the static NAT entry on the inside interface but that didn't have an effect when running a dig hostname on a client connected to the guest subnet. Do I need to put in a different NAT entry on the guest_inet interface?
Thanks!
08-02-2013 12:38 AM
Did you add an ACL inbound on the Guest interface permitting 10.2.1.0/24 access to 192.168.40.40? Keep in mind that DNS doctoring substitutes the public IP of the server with the private IP so the host will be sending traffic to the private IP of the server.
08-02-2013 05:29 AM
Hi,
Make sure a host in the guest subnet can access the web server locally in the first place. This can be done by using Identity NAT from the guest_inet interface to the interface on which subnet 192.168.40.0 is located. Once verified, you can then test the access using the web server's public address. I am not sure if you want to add an ACL or not and this depends on the security level of the guest subnet interface.
DNS Rewrite (or Doctoring) works by replacing the web server's public IP with its private IP in the DNS reply using the information found in the static NAT command.
Regards,
AM
08-05-2013 10:01 AM
I've put in a rule to allow access. When running a packet-tracer command from the guest_inet interface with source 10.2.1.165 to 192.168.40.40 it displays the following with a packet dropped action:
nat (inside) 1 192.168.0.0 255.255.0.0
match ip inside 192.168.0.0 255.255.0.0 guest_inet any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
08-06-2013 12:08 AM
Could you please post the full output of the packet tracer including the command used.
Also include a full configuration of the ASA (change public IPs and any other sensitive information such as passwords and usernames if required).
08-08-2013 09:06 PM
Here is our config with some items masked / removed:
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(5)
!
hostname GCS-FW-INTERNET
!
no names
name X.199 WiFi_Guest
name 192.168.48.55 GSSPRES01
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address X.6 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.1.2 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
nameif guest_inet
security-level 10
ip address 10.2.1.1 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name glencoeschools.org
same-security-traffic permit intra-interface
!
!
access-list internet_in extended permit tcp any host X.65 eq www
access-list internet_in extended permit tcp any host X.66 eq www
access-list internet_in extended permit tcp any host X.69 eq www
access-list internet_in extended permit tcp any host X.70 eq www
access-list internet_in extended permit tcp any host X.71 eq www
access-list internet_in extended permit tcp any host X.72 eq www
access-list internet_in extended permit tcp any host X.73 eq www
access-list internet_in extended permit tcp any host X.74 eq www
access-list internet_in extended permit tcp any host X.75 eq www
access-list internet_in extended permit tcp any host X.76 eq www
access-list internet_in extended permit tcp any host X.76 eq https
access-list internet_in extended permit tcp any host X.80 eq www
access-list internet_in extended permit tcp any host X.81 eq www
access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list internet_in extended permit ip 172.16.48.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list internet_in extended permit ip 172.16.48.0 255.255.255.240 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.145 192.168.0.0 255.255.0.0
access-list internet_in extended permit tcp 10.2.1.0 255.255.255.0 any eq domain inactive
access-list internet_in extended permit tcp any 10.2.1.0 255.255.255.0 eq domain inactive
access-list internet_in extended permit icmp any any inactive
access-list internet_in extended permit ip host X.210 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.9 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip 172.16.56.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list internet_in extended permit ip host X.218 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.48.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.56.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 X.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.156
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.145
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.210
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.249
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host X.218
access-list outside_cryptomap extended permit ip any 172.20.1.0 255.255.255.0
access-list outside_access_out extended deny tcp any any eq 82
access-list outside_access_out extended permit ip any any
access-list Glencoe standard permit 192.168.0.0 255.255.0.0
access-list guest_inet_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1040000
logging monitor debugging
logging buffered debugging
logging asdm notifications
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu guest_inet 1500
mtu management 1500
ip local pool VPN_Pool 172.20.1.10-172.20.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.0.0 255.255.0.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (guest_inet) 1 10.2.1.0 255.255.255.0
static (inside,outside) tcp X.65 www 192.168.40.36 www netmask 255.255.255.255
static (inside,outside) tcp 6.78 https 192.168.40.8 https netmask 255.255.255.255
static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255
static (inside,outside) X.73 192.168.40.44 netmask 255.255.255.255
static (inside,outside) X.74 192.168.40.46 netmask 255.255.255.255
static (inside,outside) X.76 192.168.40.38 netmask 255.255.255.255
static (inside,outside) X.71 192.168.40.42 netmask 255.255.255.255
static (inside,outside) X.70 192.168.40.41 netmask 255.255.255.255
static (inside,outside) X.72 192.168.40.43 netmask 255.255.255.255 dns
access-group internet_in in interface outside
access-group outside_access_out out interface outside
access-group guest_inet_access_in in interface guest_inet
!
router eigrp 7159
no auto-summary
network X.144 255.255.255.240
network 172.20.1.0 255.255.255.0
network 192.168.40.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.40.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 192.168.40.200 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
!
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ef56df1de9dd36f9dcff934d746ff65
: end
Packet Tracer is:
GCS-FW-INTERNET# packet-tracer input guest_inet tcp 10.2.1.90 1069 192.168.40.40 http
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.40.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group guest_inet_access_in in interface guest_inet
access-list guest_inet_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (guest_inet) 1 10.2.1.0 255.255.255.0
match ip guest_inet 10.2.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (X.146 [Interface PAT])
translate_hits = 70348, untranslate_hits = 3530
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.0.0 255.255.0.0
match ip inside 192.168.0.0 255.255.0.0 guest_inet any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Result:
input-interface: guest_inet
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Since it is a long post: I'm trying to have a device on our guest wireless subnet (10.2.1.0/24) access one of our webservers at 192.168.40.40. I'm pretty confident that once the syntax is set up for allowing this one host, I can change it to match the others.
Thanks everyone for the info so far!
08-08-2013 11:55 PM
First off, the NAT statement for 192.168.40.40 is not configured for DNS doctoring. Add the dns keyword at the end of the statement.
static (inside,outside) X.66 192.168.40.40 netmask 255.255.255.255
08-09-2013 12:10 PM
I added the dns statement to the NAT line (sorry about grabbing the old config without it in place) and still have the same issue. When I run an nslookup or dig on a host I still receive the public IP address.
08-09-2013 03:34 PM
Hmmm, that is odd.
Well, to get this working you could NAT from the guest interface to the inside interface... it is not DNS doctoring but it should also work.
static (guest_inet,inside) X.73 192.168.40.44 netmask 255.255.255.255
08-10-2013 11:25 AM
Hi,
I can't see the DNS inspection enabled in the "global_policy" policy map. You must activate DNS inspection prior to configuring DNS doctoring. Please use the following:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
Regards,
AM
08-14-2013 07:19 PM
After some time on the phone with TAC we found the following:
Even though the DNS doctoring configuration was set, it was not being honored. We added the guest_inet subnet to the outside NAT pool:
nat (guest_inet) 1 10.2.1.0 255.255.255.0 outside
Created static NAT entries for each server using:
static (inside,guest_inet) PUBLIC_IP PRIVATE_IP netmask 255.255.255.255
Once that was done all was good.