Cisco Support Community
New Member

Firewall Issue LYNC

Hi,

I am facing a problem with my firewall; I don't know whether this is related to DNS or hairpinning, etc.

An iPhone on my internal wireless network is not able to register with Microsoft LYNC Server.

The iPhone needs to access the URL (lyncdiscover.abc.com) which resolves to the public IP (194.x.x.115) of a server located on the inside, and then one more LYNC EDGE Server public IP address, which is on my DMZ segment.

LYNC Discover: 194.x.x.115

Private :  192.168.0.115

LYNC EDGE: 194.x.x.224

Private:  172.16.11.224

Client IP:  192.168.51.45

Firewall configuration

static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns

static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 194.x.x.66 netmask 255.255.255.255

global (serverdmz) 1 172.16.11.254

I can see the hits on my firewall inside

99759 192.168.51.45.54923 > 194.x.x.115.443: S 2834413288:2834413288(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 750068408 0,sackOK,eol>

2: 18:38:32.441719 192.168.51.45.54923 > 194.x.x.115.443: S 2834413288:2834413288(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp

I think the firewall is not allowing the internal client IP address to access the servers on the public IP address.

External Clients from Internet are able to connect without any issue. Only Internal Clients are not able to connect. Smart phone cannot connect with LYNC through the Internal Private IP addresses. So we have to configure it for the Public IP addresses.

Please assist me with how to configure the firewall so that internal clients can connect to the firewall's public IP addresses.

13 REPLIES

Firewall Issue LYNC

Hello,

So internal iPhone users need to be able to connect to 194.x.x.115, which belongs to an internal server.

global (inside) 1 interface

static (inside,inside)  194.x.x.115 192.168.0.115

same-security-traffic permit intra-interface

Regards,

Julio

CSC is a free support community, please rate all the helpful posts.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Firewall Issue LYNC

Hi,

Yes, internal phones should connect with the public IP address.

What should I do to get connectivity with the DMZ server on the public IP address?

Do I need to keep the below command as well?

static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns

Do I need to add more configuration for the public LYNC Server (194.x.x.224) as well?

Please assist.

Firewall Issue LYNC

Hello,

You need to keep that command so outside users can access that server.

CSC is a free support community, please rate all the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Firewall Issue LYNC

Hi

Please let me know what config is required in order to access the DMZ servers on the public IP address from the internal clients.

Sent from Cisco Technical Support iPhone App

Re: Firewall Issue LYNC

Ok so now internal users can access the server using the Public IP address. That is good!

Now let's make the second one happen:

static (inside,dmz)  194.x.x.115 192.168.0.115

access-list dmz permit ip any any

access-group dmz in interface dmz

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Re: Firewall Issue LYNC

Hi,

I want to access the DMZ servers' public IP address from the inside network.

DMZ Private IP address is 172.16.11.224

DMZ Public IP address is 194.x.x.224

Whenever a client from the internal LAN requests LYNCEDGE.ABC.COM (194.x.x.224), it should access the DMZ servers on the public IP address.

Please assist

Re: Firewall Issue LYNC

Hi Bro

What you need to enable is DNS Doctoring in your Cisco ASA Firewall. This will resolve your issue of accessing servers that are internal to your network via Public IP Address. I'm assuming everything else is good e.g. ACL, NAT etc.

Please kindly refer to this URL for further details. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

P/S: If you think this comment was helpful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: Firewall Issue LYNC

Hi,

Thanks for the reply, I will apply the below configuration.


access-list acl-serverdmz extended permit tcp host 172.16.11.224 any range 50000 59999
access-list acl-serverdmz extended permit udp host 172.16.11.224 any range 50000 59999
access-list acl-serverdmz extended permit udp host 172.16.11.224 any eq 3478
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq https
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq 5061
access-list acl-serverdmz extended permit udp host 172.16.11.224 any eq domain
access-list acl-serverdmz extended permit tcp host 172.16.11.224 any eq www


access-list acl-out extended permit tcp any host 194.x.x.224 range 50000 59999
access-list acl-out extended permit udp any host 194.x.x.224 range 50000 59999
access-list acl-out extended permit udp any host 194.x.x.224 eq 3478
access-list acl-out extended permit tcp any host 194.x.x.224 eq https
access-list acl-out extended permit tcp any host 194.x.x.224 eq 5061

access-list acl-in extended permit ip host 192.168.51.45 any


nat (inside) 6 access-list aclnat_serverdmz

nat (inside) 1 0.0.0.0 0.0.0.0

nat (serverdmz) 1 172.16.11.0 255.255.255.0

global (outside) 1 194.x.x.66 netmask 255.255.255.255

global (inside) 1 interface

global (serverdmz) 1 172.16.11.254

global (serverdmz) 6 interface

I want my internal client 192.168.51.45 to be able to access the DMZ servers on the public IP addresses.

Let me know if I am missing something.

Re: Firewall Issue LYNC

Hi Bro

I don't see any DNS Doctoring statements in there.

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: Firewall Issue LYNC

Hi,

Sorry, I missed the command.

static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255 dns
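
The effect of the `dns` keyword discussed above, as an added example that is not part of the original thread or Cisco's own code: a small Python model that parses the pre-8.3 `static` lines posted here and shows which A records get rewritten before and after the fix. It assumes the DNS reply crosses the firewall from the mapped interface (DNS server on the outside) with DNS inspection enabled; the function names are hypothetical, and the masked addresses are kept as opaque strings exactly as posted.

```python
import re

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip [netmask m] [dns]
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?P<opts>.*)$")

def parse_statics(config):
    """Return one dict per static line, with a boolean 'dns' flag."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["dns"] = "dns" in rule.pop("opts").split()
            rules.append(rule)
    return rules

def doctor_a_record(rules, answer_ip, reply_from_if):
    """Address the client ends up with for an A record carried in a DNS
    reply that entered the firewall on reply_from_if (assumed model)."""
    for r in rules:
        if r["dns"] and r["mapped_if"] == reply_from_if and r["mapped"] == answer_ip:
            return r["real"]      # rewritten to the server's real address
    return answer_ip              # no matching rule: public IP passes through

def undoctored(rules):
    """Mapped addresses whose static lacks 'dns' (internal clients get the public IP)."""
    return [r["mapped"] for r in rules if not r["dns"]]

# The two statics from the first post, then with the fix from the post above.
ORIGINAL = """\
static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns
static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255
"""
CORRECTED = """\
static (inside,outside) 194.x.x.115 192.168.0.115 netmask 255.255.255.255 dns
static (serverdmz,outside) 194.x.x.224 172.16.11.224 netmask 255.255.255.255 dns
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        rules = parse_statics(cfg)
        print(name, "-> lyncedge resolves to",
              doctor_a_record(rules, "194.x.x.224", "outside"),
              "| statics without dns:", undoctored(rules))
```
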

Re: Firewall Issue LYNC

Hi Bro

Is everything OK now?

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: Firewall Issue LYNC

Hi

I will try tomorrow and let you know the status.

Sent from Cisco Technical Support iPhone App

New Member

Re: Firewall Issue LYNC

It is working thanks

Sent from Cisco Technical Support iPhone App
