Question


Cisco ASA 5505 Internal to External configuration?

By dboberg
This is something that's been bothering me, and I'm pretty new to routing, so I've had a hard time figuring out a solution. I'm using a Cisco 5505 that is set up pretty standard. I have an Exchange server that is accessed by clients internally using only an internal IP (10.x.x.x) and externally using an IP assigned by my ISP. Internally, I cannot access the external IP at all (ping, tracert, etc.). I know I can set up this access if I need to, but that's not really the problem. I've added a wireless router to this configuration and everything works well, but when users connect to the wireless router they naturally cannot access my mail server using the external IP since they are part of my local network. How would I go about giving IPs handed out by the wireless router access to my mail server's external IP? This is an issue mainly because when cell phones that are configured to access externally at all times attempt to access the mail server from the internal network, they can't.
I hope this makes sense.


13 total posts (Page 1 of 2)

All Answers


See this article

by NetMan1958 In reply to Cisco ASA 5505 Internal t ...

http://www.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140

It discusses the issue and explains DNS doctoring to resolve it. You can also use "split brain" DNS where you have a dedicated DNS server for the LAN that resolves names to their internal IP addresses.


DNS should solve it.

by IcebergTitanic In reply to Cisco ASA 5505 Internal t ...

It should simply be a matter of using DNS. On the outside world, the DNS servers of whatever ISP is being used would hand back the external address for your server. However, if they are on your network, then you would hand back the internal address from your local DNS server, rather than the external IP.

The phones should be connecting to a name for their server, rather than being hard coded to an IP address.


Thanks for the link.

by dboberg In reply to Cisco ASA 5505 Internal t ...

That link seems like it should fix my problem, but I'm still having a hard time understanding this. My outside interface (72.82.246.xx) is also the address that's linked to the FQDN of my mail server that users connect to when outside of the office. What should the NAT rule look like between my outside and inside interfaces so that I can communicate?


RE: Static NAT

by NetMan1958 In reply to Cisco ASA 5505 Internal t ...

To be sure I answer you correctly, can you post the current static and dynamic NAT statements from your ASA?


It's an option at the end of your STATIC command

by IcebergTitanic In reply to Cisco ASA 5505 Internal t ...

You just need to stick the dns option on the end of your static command, I think. This option tells the ASA to watch for DNS replies that come back pointing at the external IP address. When it spots those, it should rewrite the packet and replace that external address with the internally mapped one.

So for example, if your static command looks like this:

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

You would replace that with

static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

That should fix it!

See this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml


re: Static NAT

by dboberg In reply to Cisco ASA 5505 Internal t ...

It just doesn't look like I have a rule like that. I want to access specifically 72.82.246.98 (the address of my outside interface). The server I want to access has an internal address of 10.0.0.250. The address of my ASA is 10.0.0.254. What should my static NAT rule look like?
NetMan1958, I understand that link pretty much, but where does 192.168.100.10 fit in?
Here is my static NAT table:
static (inside,outside) tcp interface 3389 10.0.0.46 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 9538 10.0.0.100 9538 netmask 255.255.255.255
static (inside,outside) tcp interface 9539 10.0.0.100 9539 netmask 255.255.255.255
static (inside,outside) tcp interface 82 10.0.0.200 82 netmask 255.255.255.255
static (inside,outside) tcp interface 2000 10.0.0.200 2000 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.253 www netmask 255.255.255.255
static (inside,outside) tcp interface 35000 10.0.0.50 8082 netmask 255.255.255.255
static (inside,outside) udp interface 16409 10.0.0.54 4982 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.0.250 smtp netmask 255.255.255.255 dns
static (inside,outside) udp interface 1434 10.0.0.251 1434 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.250 https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 7890 10.0.0.253 7890 netmask 255.255.255.255
static (phone,outside) 72.82.246.100 10.0.10.10 netmask 255.255.255.255
static (inside,phone) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

Response To Answer

by IcebergTitanic In reply to re: Static NAT

Well, what you have is several different PAT (port address translation) commands that are taking specific ports coming in on the outside interface and sending them to specific inside interfaces.

What you will need to do is determine exactly what ports are inbound for your email server. It actually looks like you have the line already:

static (inside,outside) tcp interface https 10.0.0.250 https netmask 255.255.255.255 dns

To test this, connect up to the wireless and just try to ping that server by its full name (like mail.mycompany.com or whatever), and see if it gets resolved to the inside address or not.

Beyond that, you might just need to set up some packet captures on the ASA and try to watch a phone attempt to talk to the exchange server.


DNS Server

by NetMan1958 In reply to Cisco ASA 5505 Internal t ...

It looks like you are using PAT, since you are using the IP of the outside interface on your ASA. I'm not sure if this will work correctly when using PAT (I've never tried it). Also, is the DNS server that your LAN devices use located on the LAN or on the Internet? (For DNS doctoring to work, the DNS traffic must cross the outside interface of your ASA.)

An alternate solution to DNS doctoring is to add an entry to the hosts file on your LAN devices and specify the LAN IP of your mail server.
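As an added illustration (not code from this thread or from Cisco), the following Python models the "static ... dns" rewrite IcebergTitanic describes and the PAT doubt NetMan1958 raises: an A record carries no port, so several dns-flagged PAT statics on the interface address only give a usable rewrite when they all point at the same inside host. The outside interface address, the static lines and the hostnames are taken from the thread or constructed as sample input.

```python
"""Model of ASA DNS doctoring: rewrite A records in a DNS reply that crosses the
outside interface when a 'static ... dns' rule maps the answered (global) address.
Added example, not the ASA's real implementation."""
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "72.82.246.98"  # outside interface address quoted in the thread


@dataclass
class StaticNat:
    mapped_ip: str            # global address as seen from the outside
    real_ip: str              # address of the host on the inside
    proto: Optional[str]      # None = one-to-one static, "tcp"/"udp" = static PAT
    dns_rewrite: bool         # trailing 'dns' keyword present


def parse_static(line: str, outside_if_ip: str = OUTSIDE_IF_IP) -> StaticNat:
    """Parse 'static (real_if,mapped_if) [proto] mapped [mport] real [rport] netmask M [dns]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "static":
        raise ValueError(f"not a static statement: {line!r}")
    proto = None
    if t[2] in ("tcp", "udp"):              # static PAT: mapped port and real port follow
        proto, mapped, real = t[2], t[3], t[5]
    else:                                   # one-to-one static
        mapped, real = t[2], t[3]
    if mapped == "interface":               # PAT on the outside interface's own address
        mapped = outside_if_ip
    return StaticNat(mapped, real, proto, t[-1] == "dns")


def doctor_reply(answers: dict, statics: list) -> dict:
    """Return the A records (name -> IP) as an inside client would see them.
    If the dns-flagged rules for a global address disagree on the inside host,
    the record is left untouched: that is the ambiguity with PAT."""
    doctored = {}
    for name, ip in answers.items():
        inside = {s.real_ip for s in statics if s.dns_rewrite and s.mapped_ip == ip}
        doctored[name] = inside.pop() if len(inside) == 1 else ip
    return doctored


# Constructed sample config: the poster's two dns-flagged lines, one of the
# non-dns PAT lines, and the one-to-one example from the reply.
SAMPLE_CONFIG = [
    "static (inside,outside) tcp interface smtp 10.0.0.250 smtp netmask 255.255.255.255 dns",
    "static (inside,outside) tcp interface https 10.0.0.250 https netmask 255.255.255.255 dns",
    "static (inside,outside) tcp interface 3389 10.0.0.46 3389 netmask 255.255.255.255",
    "static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns",
]


def resolve_from_inside(answers: dict, config=SAMPLE_CONFIG) -> dict:
    return doctor_reply(answers, [parse_static(line) for line in config])
```

With the poster's config, a reply for the mail server's name resolving to 72.82.246.98 comes back as 10.0.0.250, because both dns-flagged PAT lines agree on that host.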

Response To Answer

by IcebergTitanic In reply to DNS Server

Do you know how to modify the hosts file on an iPhone? I didn't think you could do that?


RE: hosts file on iPhone

by NetMan1958 In reply to Cisco ASA 5505 Internal t ...

I've never tried to edit the hosts file on an iPhone, but here is a link to a discussion about it. It might give you some ideas on how to proceed.

http://stackoverflow.com/questions/2028544/does-hosts-file-exist-on-the-iphone-how-to-change-it
