Mobile devices accessing a single URL from internal office
I am working with a client who has two Windows servers:
Server 1 is an SBS 2011 standard server (192.168.1.5)
Server 2 is a Windows 2008 R2 server (192.168.1.9)
Naturally both servers have a fixed IP address. Additionally the internet provider they use assigned a fixed IP address (I'm using 126.96.36.199 in this post instead of the real internet IP). The ASA 5505 IP address is 192.168.1.15.
I am setting up an ASA 5505 with Security Plus license with unlimited users. I have all of the SBS functionality working (i.e. internal / external email, wireless device support, Remote Access, etc.)
They are currently using two Netgear (home) routers for their internal and external wireless access. I want to replace both Netgear routers with the ASA 5505 (in router mode) due to the fact that the ASA 5505 will isolate and insulate their business much more than any home wireless router. Again, I have all the SBS 2011 features working as well as the wireless APs.
The client is a law firm and they use a software package called Winscribe that allows them to use their iPhones as dictation devices, both in the office and out of the office. And this is where I'm running into problems. Because the Winscribe software can be used externally and internally, the software "points" to a specific port on the domain URL of the law firm. And to further complicate matters, the external port is redirected to the default port 80 on Server 2 (see attached file). As you can see from the image, in Netgear terms the external port 8081 on the outside interface is redirected to port 80 on server 2. I set up (what I thought would work) but I'm having several issues:
For whatever reason, the software (see Winscribe_screen_on_server.docx) is accessible on server 1 only, but if I click any of the options on the screen, IE returns a "Page not available" message. Even more strange is the fact that if I go to a workstation and type in the "http://188.8.131.52/winscribe/setup" path, IE also displays a "Page not available" message.
So hopefully some folks out there in the community have had a similar experience and can help me get this resolved.
Here's what I think are the relevant parts of my ASA 5505 configuration:
object-group service INBOUND
 service-object tcp destination eq smtp
 service-object tcp destination eq www
 service-object tcp destination eq 3389
 service-object tcp destination eq 987
 service-object tcp destination eq https
access-list OUTSIDE_ACCESS_IN extended permit object-group INBOUND any object OBJ_HLBSVR1
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.1.9 eq www
access-list OUTSIDE_ACCESS_IN extended deny ip any any log
access-group OUTSIDE_ACCESS_IN in interface outside
When I did this and typed in the http://184.108.40.206:8081/winscribe/setup address in IE (on server 192.168.1.5), I did get the Winscribe page attached to my earlier entry. However, if I go to a workstation and type http://220.127.116.11:8081/winscribe/setup in IE, I get the "Page not available" message.
So I guess my confusion could probably be summarized as follows:
why I could only get to that page when I was on the 1.5 server and not the workstations
what needs to happen to allow that 18.104.22.168 outside IP to be allowed to internal clients. I'm thinking the Netgear router was letting all the 22.214.171.124 traffic whereas the ASA 5505 isn't. It's an odd setup (in my opinion) to have your mobile devices always use the outside IP within the building. My understanding is that it was set up that way so the iPhones/iPads would work outside of the office. So in essence, they're basically using the away-from-office setup for both internal and external software functionality.