Mobile devices accessing a single URL from internal office

Clint Lambert
Level 1

I am working with a client who has two Windows servers:

  1. Server 1 is a SBS 2011 standard server (192.168.1.5)
  2. Server 2 is a Windows 2008 R2 server (192.168.1.9)

Naturally both servers have a fixed IP address.  Additionally the internet provider they use assigned a fixed IP address (I'm using 99.199.99.199 in this post instead of the real internet IP).  The ASA 5505 IP address is 192.168.1.15.

I am setting up an ASA 5505 with Security Plus license with unlimited users.  I have all of the SBS functionality working (i.e. internal / external email, wireless device support, Remote Access, etc.)

They are currently using two Netgear (home) routers for their internal and external wireless access.  I want to replace both Netgear routers with the ASA 5505 (in router mode) due to the fact that the ASA 5505 will isolate and insulate their business much more than any home wireless router.  Again, I have all the SBS 2011 features working as well as the wireless APs.

The client is a law firm and they use a software package called Winscribe that allows them to use their iPhones as dictation devices, both in the office and out of the office.  And this is where I'm running into problems.  Because the Winscribe software can be used externally and internally, the software "points" to a specific port on the domain URL of the law firm.  And to further complicate matters, the external port is redirected to the default port 80 on Server 2 (see attached file).  As you can see from the image, in Netgear terms the external port 8081 on the outside interface is redirected to port 80 on server 2.  I set up (what I thought would work) but I'm having several issues:

For whatever reason, the software (see Winscribe_screen_on_server.docx) is accessible (on server 1) only, but if I click any of the options on the screen IE returns a "Page not available" message.  Even more strange is the fact that if I go to a workstation and type in the http://99.199.99.199/winscribe/setup path, IE also displays a "Page not available" message.

So hopefully some folks out there in the community have had a similar experience and can help me get this resolved.

Here's what I think are the relevant parts of my ASA 5505 configuration:

!
ASA Version 9.2(1)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport trunk allowed vlan 1,10
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LAN Interface
 nameif inside
 security-level 100
 ip address 192.168.1.15 255.255.255.0
!
interface Vlan2
 description WAN Interface
 nameif outside
 security-level 0
 ip address 99.199.99.199 255.255.255.252
!
interface Vlan10
 description Wireless APs
 nameif wireless
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
dns domain-lookup inside
dns domain-lookup wireless
dns server-group DefaultDNS
 name-server 192.168.1.5
 name-server 192.168.1.9
 domain-name harper.local
object network OBJ_INSIDE
 subnet 192.168.1.0 255.255.255.0
object network OBJ-192.168.1.5-SMTP
 host 192.168.1.5
object network OBJ-192.168.1.5-WWW
 host 192.168.1.5
object network OBJ-192.168.1.5-RDP
 host 192.168.1.5
object network OBJ-192.168.1.5-HTTPSSP
 host 192.168.1.5
object network OBJ_HLBSVR1
 host 192.168.1.5
object network OBJ-192.168.1.9-WINSCRIBE
 host 192.168.1.9
object network OBJ-192.168.1.5-HTTPS
 host 192.168.1.5
object network OBJ-WIRELESS
 subnet 192.168.10.0 255.255.255.0
object-group service INBOUND
 service-object tcp destination eq smtp
 service-object tcp destination eq www
 service-object tcp destination eq 3389
 service-object tcp destination eq 987
 service-object tcp destination eq https
object-group network SYSLOG_SERVERS
 network-object host 192.168.1.9
object-group service SYSLOG_SERVICES udp
 port-object eq 4010
object-group network RADIUS_SERVERS
 network-object host 192.168.1.5
object-group service RADIUS_SERVICES udp
 port-object eq radius
 port-object eq radius-acct
access-list SYSLOG extended permit udp any object-group SYSLOG_SERVERS object-group SYSLOG_SERVICES
access-list RADIUS extended permit udp any object-group RADIUS_SERVERS object-group RADIUS_SERVICES
access-list OUTSIDE_ACCESS_IN extended permit object-group INBOUND any object OBJ_HLBSVR1
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.1.9 eq www
access-list OUTSIDE_ACCESS_IN extended deny ip any any log
!
object network OBJ_INSIDE
 nat (inside,outside) dynamic interface
object network OBJ-192.168.1.5-SMTP
 nat (inside,outside) static interface service tcp smtp smtp
object network OBJ-192.168.1.5-WWW
 nat (inside,outside) static interface service tcp www www
object network OBJ-192.168.1.5-RDP
 nat (inside,outside) static interface service tcp 3389 3389
object network OBJ-192.168.1.5-HTTPSSP
 nat (inside,outside) static interface service tcp 987 987
object network OBJ-192.168.1.5-HTTPS
 nat (inside,outside) static interface service tcp https https
object network OBJ-192.168.1.9-WINSCRIBE
 nat (inside,outside) static interface service tcp www 8081
object network OBJ-WIRELESS
 nat (wireless,outside) dynamic interface
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 99.188.99.200 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside

dhcpd dns 8.8.8.8 8.8.8.4
dhcpd auto_config outside
!
dhcpd dns 192.168.1.5 8.8.8.8 interface inside
dhcpd domain harper.local interface inside
!
dhcpd address 192.168.10.2-192.168.10.100 wireless
dhcpd enable wireless
!
ntp authenticate
ntp server 192.168.1.5 source inside prefer

2 Replies

Julio Carvajal
VIP Alumni

Hello,

The setup is kind of hard to understand.

The NAT rule in the NetGear box says that Port 8081 on the outside IP gets redirected to server 2 on port 80.

When the mobile clients are in the office, do they connect to the private IP (.9) of Server 2 on port 80 directly?

From outside, mobile clients should be really easy, but I just want to make sure what is actually down right now.

Regards,

Jcarvaja

Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC

For immediate assistance hire us at http://inetworks.cr/our-rates/

The internal subnet is 192.168.1.x.

Server 1 (SBS 2011 Std) IP address is 192.168.1.5

Server 2 (Windows 2008 R2 Std) IP address is 192.168.1.9

Router (ASA 5505) IP address is 192.168.1.15

Outside IP I'm using for this post (no actual outside IP) is 99.199.99.199

You are correct in that the outside IP (port 8081) is redirected to port 80 of the 1.9 server (2008 R2).

Also, note that port 80 on the outside IP is redirected to the 1.5 SBS 2011 server.

So the issue is that all the iPhones/iPads that have the Winscribe software setup are referencing the external IP with port 8081 as follows (not actual outside IP):

http://99.199.99.199:8081/winscribe/setup

The existing Netgear router redirects port 8081 from the outside IP to port 80 on the 1.9 server.  The rules I set up to duplicate this behavior are as follows:

object network OBJ-192.168.1.9-WINSCRIBE
 host 192.168.1.9
 nat (inside,outside) static interface service tcp www 8081 

object-group service INBOUND
 service-object tcp destination eq smtp 
 service-object tcp destination eq www 
 service-object tcp destination eq 3389 
 service-object tcp destination eq 987 
 service-object tcp destination eq https 
access-list OUTSIDE_ACCESS_IN extended permit object-group INBOUND any object OBJ_HLBSVR1 
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.1.9 eq www
access-list OUTSIDE_ACCESS_IN extended deny ip any any log 
access-group OUTSIDE_ACCESS_IN in interface outside

When I did this and typed in the http://99.199.99.199:8081/winscribe/setup address in IE (on server 192.168.1.5), I did get the Winscribe page attached to my earlier entry.  However, if I go to a workstation and type http://99.199.99.199:8081/winscribe/setup in IE, I get the "Page not available" message.

So I guess my confusion could probably be summarized as follows:

  1. why I could only get to that page when I was on the 1.5 server and not the workstations
  2. what needs to happen to allow that 99.199.99.199 outside IP to be allowed to internal clients.  I'm thinking the Netgear router was letting all the 99.199.99.199 traffic whereas the ASA 5505 isn't.  It's an odd setup (in my opinion) to have your mobile devices always use the outside IP within the building.  My understanding is that it was setup that way so the iPhones/iPads would work outside of the office.  So in essence, they're basically using the away-from-office setup for both internal and external software functionality.

Thanks!
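Editor's added example (not part of any post in this thread): the inside-facing counterpart to the posted `nat (inside,outside) static interface service tcp www 8081` rule. That object NAT only matches traffic crossing between the outside and inside interfaces. A LAN or wireless client that sends to 99.199.99.199:8081 arrives on the inside or wireless interface, nothing rewrites the destination, and the connection goes nowhere, which is what item 2 above is asking about. The twice-NAT (hairpin) rules below reproduce the Netgear behaviour for internal clients on ASA 9.2. The object names OBJ_INSIDE, OBJ-WIRELESS and OBJ-192.168.1.9-WINSCRIBE and all addresses are taken from the posted config (the public address is the thread's placeholder); OBJ-OUTSIDE-IP, the two service objects and the WIRELESS_ACCESS_IN list are names chosen for this example.

```cisco
! Added example, not from the original post. Lets internal clients reach
! 99.199.99.199:8081 the same way outside clients do (hairpin / NAT reflection).

! Allow a flow to enter and leave the same interface (needed for inside -> inside).
same-security-traffic permit intra-interface

! The public address the iPhones/iPads are configured with (placeholder from the thread).
object network OBJ-OUTSIDE-IP
 host 99.199.99.199

! Port the app connects to (mapped) and port Server 2 actually listens on (real).
object service SVC-TCP-8081
 service tcp destination eq 8081
object service SVC-TCP-WWW
 service tcp destination eq www

! Wired LAN clients (192.168.1.0/24):
!  - destination 99.199.99.199:8081 is rewritten to 192.168.1.9:80
!  - source is PATed to the inside interface (192.168.1.15) so Server 2's reply
!    comes back through the ASA instead of going straight to the client on the
!    shared subnet, which would leave the ASA with a half-open session.
nat (inside,inside) source dynamic OBJ_INSIDE interface destination static OBJ-OUTSIDE-IP OBJ-192.168.1.9-WINSCRIBE service SVC-TCP-8081 SVC-TCP-WWW

! Wireless clients (192.168.10.0/24), where the phones actually sit.
! Same rewrite; source PATed to the inside interface for the same reason.
nat (wireless,inside) source dynamic OBJ-WIRELESS interface destination static OBJ-OUTSIDE-IP OBJ-192.168.1.9-WINSCRIBE service SVC-TCP-8081 SVC-TCP-WWW

! wireless (50) -> inside (100) is lower-to-higher security, so an inbound ACL on
! the wireless interface has to permit it. ACLs on 8.3+ match the REAL address,
! so the rule names 192.168.1.9:80, not the public address and port 8081.
! The deny keeps the rest of the LAN isolated from the wireless segment; the final
! permit preserves Internet access via the existing (wireless,outside) PAT.
access-list WIRELESS_ACCESS_IN extended permit tcp object OBJ-WIRELESS object OBJ-192.168.1.9-WINSCRIBE eq www
access-list WIRELESS_ACCESS_IN extended deny ip object OBJ-WIRELESS object OBJ_INSIDE log
access-list WIRELESS_ACCESS_IN extended permit ip object OBJ-WIRELESS any
access-group WIRELESS_ACCESS_IN in interface wireless
```

To check the result without a phone in hand, trace a synthetic connection from each segment, e.g. `packet-tracer input wireless tcp 192.168.10.50 40000 99.199.99.199 8081` and `packet-tracer input inside tcp 192.168.1.50 40000 99.199.99.199 8081`; the output should show the NAT phase rewriting the destination to 192.168.1.9/80 and the final result as ALLOW. Split DNS would not be a substitute here, because the app hard-codes port 8081 while the server listens on 80, so the port rewrite is required even if the name resolved to the private address. One unrelated item in the posted config worth fixing while in there: `http 0.0.0.0 0.0.0.0 outside` opens ASDM/HTTPS management to every Internet source; restrict it to a known management address or remove it.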
