09-12-2014 09:05 AM - edited 03-11-2019 09:45 PM
I am working with a client who has two Windows servers:
Naturally both servers have a fixed IP address. Additionally the internet provider they use assigned a fixed IP address (I'm using 99.199.99.199 in this post instead of the real internet IP). The ASA 5505 IP address is 192.168.1.15.
I am setting up an ASA 5505 with Security Plus license with unlimited users. I have all of the SBS functionality working (i.e. internal / external email, wireless device support, Remote Access, etc.)
They are currently using two Netgear (home) routers for their internal and external wireless access. I want to replace both Netgear routers with the ASA 5505 (in router mode) due to the fact that the ASA 5505 will isolate and insulate their business much more than any home wireless router. Again, I have all the SBS 2011 features working as well as the wireless APs.
The client is a law firm and they use a software package called Winscribe that allows them to use their iPhones as dictation devices, both in the office and out of the office. And this is where I'm running into problems. Because the Winscribe software can be used externally and internally, the software "points" to a specific port on the domain URL of the law firm. And to further complicate matters, the external port is redirected to the default port 80 on Server 2 (see attached file). As you can see from the image, in Netgear terms the external port 8081 on the outside interface is redirected to port 80 on server 2. I set up (what I thought would work) but I'm having several issues:
For whatever reason, the software (see Winscribe_screen_on_server.docx) is accessible (on server 1) only, but if I click any of the options on the screen IE returns a "Page not available" message. Even more strange is the fact that if I go to a workstation and type in the http://99.199.99.199/winscribe/setup path, IE also displays a "Page not available" message.
So hopefully some folks out there in the community have had a similar experience and can help me get this resolved.
Here's what I think are the relevant parts of my ASA 5505 configuration:
!
ASA Version 9.2(1)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport trunk allowed vlan 1,10
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LAN Interface
nameif inside
security-level 100
ip address 192.168.1.15 255.255.255.0
!
interface Vlan2
description WAN Interface
nameif outside
security-level 0
ip address 99.199.99.199 255.255.255.252
!
interface Vlan10
description Wireless APs
nameif wireless
security-level 50
ip address 192.168.10.1 255.255.255.0
!
dns domain-lookup inside
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 192.168.1.5
name-server 192.168.1.9
domain-name harper.local
object network OBJ_INSIDE
subnet 192.168.1.0 255.255.255.0
object network OBJ-192.168.1.5-SMTP
host 192.168.1.5
object network OBJ-192.168.1.5-WWW
host 192.168.1.5
object network OBJ-192.168.1.5-RDP
host 192.168.1.5
object network OBJ-192.168.1.5-HTTPSSP
host 192.168.1.5
object network OBJ_HLBSVR1
host 192.168.1.5
object network OBJ-192.168.1.9-WINSCRIBE
host 192.168.1.9
object network OBJ-192.168.1.5-HTTPS
host 192.168.1.5
object network OBJ-WIRELESS
subnet 192.168.10.0 255.255.255.0
object-group service INBOUND
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq 3389
service-object tcp destination eq 987
service-object tcp destination eq https
object-group network SYSLOG_SERVERS
network-object host 192.168.1.9
object-group service SYSLOG_SERVICES udp
port-object eq 4010
object-group network RADIUS_SERVERS
network-object host 192.168.1.5
object-group service RADIUS_SERVICES udp
port-object eq radius
port-object eq radius-acct
access-list SYSLOG extended permit udp any object-group SYSLOG_SERVERS object-group SYSLOG_SERVICES
access-list RADIUS extended permit udp any object-group RADIUS_SERVERS object-group RADIUS_SERVICES
access-list OUTSIDE_ACCESS_IN extended permit object-group INBOUND any object OBJ_HLBSVR1
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.1.9 eq www
access-list OUTSIDE_ACCESS_IN extended deny ip any any log
!
object network OBJ_INSIDE
nat (inside,outside) dynamic interface
object network OBJ-192.168.1.5-SMTP
nat (inside,outside) static interface service tcp smtp smtp
object network OBJ-192.168.1.5-WWW
nat (inside,outside) static interface service tcp www www
object network OBJ-192.168.1.5-RDP
nat (inside,outside) static interface service tcp 3389 3389
object network OBJ-192.168.1.5-HTTPSSP
nat (inside,outside) static interface service tcp 987 987
object network OBJ-192.168.1.5-HTTPS
nat (inside,outside) static interface service tcp https https
object network OBJ-192.168.1.9-WINSCRIBE
nat (inside,outside) static interface service tcp www 8081
object network OBJ-WIRELESS
nat (wireless,outside) dynamic interface
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 99.188.99.200 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
dhcpd dns 8.8.8.8 8.8.8.4
dhcpd auto_config outside
!
dhcpd dns 192.168.1.5 8.8.8.8 interface inside
dhcpd domain harper.local interface inside
!
dhcpd address 192.168.10.2-192.168.10.100 wireless
dhcpd enable wireless
!
ntp authenticate
ntp server 192.168.1.5 source inside prefer
09-12-2014 11:40 AM
Hello,
The setup is kind of hard to understand.
The NAT rule in the NetGear box says that Port 8081 on the outside IP gets redirected to server 2 on port 80.
When the mobile clients are in the office, do they connect to the private IP (.9) of Server 2 on port 80 directly?
From outside, mobile clients should be really easy, but I just want to make sure what is actually down right now.
Regards,
Jcarvaja
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://inetworks.cr/our-rates/
09-12-2014 12:44 PM
The internal subnet is 192.168.1.x.
Server 1 (SBS 2011 Std) IP address is 192.168.1.5
Server 2 (Windows 2008 R2 Std) IP address is 192.168.1.9
Router (ASA 5505) IP address is 192.168.1.15
Outside IP I'm using for this post (no actual outside IP) is 99.199.99.199
You are correct in that the outside IP (port 8081) is redirected to port 80 of the 1.9 server (2008 R2).
Also, note that port 80 on the outside IP is redirected to the 1.5 SBS 2011 server.
So the issue is that all the iPhones/iPads that have the Winscribe software setup are referencing the external IP with port 8081 as follows (not actual outside IP):
http://99.199.99.199:8081/winscribe/setup
The existing Netgear router redirects port 8081 from the outside IP to port 80 on the 1.9 server. The rules I setup to duplicate this behavior are as follows:
object network OBJ-192.168.1.9-WINSCRIBE
host 192.168.1.9
nat (inside,outside) static interface service tcp www 8081
object-group service INBOUND
service-object tcp destination eq smtp
service-object tcp destination eq www
service-object tcp destination eq 3389
service-object tcp destination eq 987
service-object tcp destination eq https
access-list OUTSIDE_ACCESS_IN extended permit object-group INBOUND any object OBJ_HLBSVR1
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.168.1.9 eq www
access-list OUTSIDE_ACCESS_IN extended deny ip any any log
access-group OUTSIDE_ACCESS_IN in interface outside
When I did this and typed in the http://99.199.99.199:8081/winscribe/setup address in IE (on server 192.168.1.5), I did get the Winscribe page attached to my earlier entry. However, if I go to a workstation and type http://99.199.99.199:8081/winscribe/setup in IE, I get the "Page not available" message.
So I guess my confusion could probably be summarized as follows:
Thanks!
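Added example, not part of the original thread and not a configuration either poster supplied. The posted object NAT rule `nat (inside,outside) static interface service tcp www 8081` only translates traffic that arrives on the outside interface. A workstation on the 192.168.1.0/24 LAN that browses to the public address on port 8081 enters the ASA on the inside interface, so that rule never matches; on ASA 8.3 and later that case needs hairpin (inside-to-inside) NAT plus permission for traffic to leave by the interface it entered. The fragment below assumes 99.199.99.199 is the outside address (the poster's placeholder), that OBJ_INSIDE and OBJ-192.168.1.9-WINSCRIBE are defined as in the posted config, and that no access-group is applied inbound on the inside interface. OBJ-PUBLIC-IP, SVC-WINSCRIBE-MAPPED and SVC-WINSCRIBE-REAL are names chosen for this example.

```text
! Added example (not from the original post): hairpin NAT so that a LAN
! workstation browsing to http://99.199.99.199:8081/ reaches 192.168.1.9:80.
! Assumptions: 99.199.99.199 is the outside address; OBJ_INSIDE and
! OBJ-192.168.1.9-WINSCRIBE exist as posted; no ACL is applied on "inside".
!
! 1. Allow a flow to enter and leave the ASA on the same interface.
same-security-traffic permit intra-interface
!
! 2. The public address the phones and workstations dial.
object network OBJ-PUBLIC-IP
 host 99.199.99.199
!
! 3. Mapped destination port (what clients dial) and real destination port
!    (what the Winscribe web server listens on).
object service SVC-WINSCRIBE-MAPPED
 service tcp destination eq 8081
object service SVC-WINSCRIBE-REAL
 service tcp destination eq www
!
! 4. Twice NAT, inside -> inside. The destination is rewritten from
!    99.199.99.199:8081 to 192.168.1.9:80, and the source is PATed to the
!    inside interface address (192.168.1.15) so the server's reply comes back
!    through the ASA instead of going straight to the client and breaking
!    the TCP session. Twice NAT is evaluated before the posted object NAT
!    rules, but only matches flows that enter and leave on "inside".
nat (inside,inside) source dynamic OBJ_INSIDE interface destination static OBJ-PUBLIC-IP OBJ-192.168.1.9-WINSCRIBE service SVC-WINSCRIBE-MAPPED SVC-WINSCRIBE-REAL
```

To check each path before touching the phones, use `packet-tracer input inside tcp 192.168.1.50 40000 99.199.99.199 8081` for a LAN workstation and `packet-tracer input outside tcp 203.0.113.5 40000 99.199.99.199 8081` for an Internet client (both source addresses are made up for the test); the NAT phase should show the destination translated to 192.168.1.9/80 and the final result ALLOW. `show nat detail` shows the per-rule hit counts and `show xlate` the active translations. Unrelated to the Winscribe problem but visible in the posted config: `http 0.0.0.0 0.0.0.0 outside` lets any Internet host reach the ASDM/HTTPS management server, and the INBOUND group forwards TCP 3389 (RDP) from any source to 192.168.1.5; both are worth restricting to known source addresses or moving behind a VPN.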