Cisco ASA 5505 Internal to External configuration?

0 Votes
Locked

dboberg
This is something that's been bothering me, and I'm pretty new to routing, so I've had a hard time figuring out a solution. I'm using a Cisco 5505 that is set up pretty standard. I have an Exchange server that is accessed by clients internally using only an internal IP (10.x.x.x) and externally using an IP assigned by my ISP. Internally, I cannot access the external IP at all (ping, tracert, etc.). I know I can set up this access if I need to, but that's not really the problem. I've added a wireless router to this configuration and everything works well, but when users connect to the wireless router they naturally cannot access my mail server using the external IP, since they are part of my local network. How would I go about giving IPs handed out by the wireless router access to my mail server's external IP? This is an issue mainly because when cell phones that are configured to access externally at all times attempt to access the mail server from the internal network, they can't.
I hope this makes sense.
    +
    0 Votes
    NetMan1958

    http://www.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140

    It discusses the issue and explains DNS doctoring to resolve it. You can also use "split brain" DNS where you have a dedicated DNS server for the LAN that resolves names to their internal IP addresses.

    +
    0 Votes
    IcebergTitanic

    It should simply be a matter of using DNS. On the outside world, the DNS servers of whatever ISP is being used would hand back the external address for your server. However, if they are on your network, then you would hand back the internal address from your local DNS server, rather than the external IP.

    The phones should be connecting to a name for their server, rather than being hard coded to an IP address.

    +
    0 Votes
    dboberg

    That link seems like it should fix my problem but I'm still having a hard time understanding this. My outside interface (72.82.246.xx) is also the address that's linked to the fqdn of my mail server that users connect to when outside of the office. What should the nat rule look like between my outside and inside interfaces so that I can communicate?

    +
    0 Votes
    NetMan1958

    To be sure I answer you correctly, can you post the current static and dynamic NAT statements from your ASA?

    +
    0 Votes
    IcebergTitanic

    You just need to stick the dns option on the end of your static command, I think. This option tells the ASA to watch for DNS requests that come back pointing at the external IP address. When it spots those, it should re-write the packet and replace that external address with the internally mapped one.

    So for example, if your static command looks like this:

    static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255

    You would replace that with

    static (inside,outside) 172.20.1.10 192.168.100.10 netmask 255.255.255.255 dns

    That should fix it!

    See this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

    +
    0 Votes
    dboberg

    It just doesn't look like I have a rule like that. I want to access specifically 72.82.246.98 (the address of my outside interface). The server I want to access has an internal address of 10.0.0.250. The address of my ASA is 10.0.0.254. What should my static NAT rule look like?
    NetMan1958, I understand that link pretty much, but where does 192.168.100.10 fit in?
    Here is my static NAT table:
    static (inside,outside) tcp interface 3389 10.0.0.46 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 9538 10.0.0.100 9538 netmask 255.255.255.255
    static (inside,outside) tcp interface 9539 10.0.0.100 9539 netmask 255.255.255.255
    static (inside,outside) tcp interface 82 10.0.0.200 82 netmask 255.255.255.255
    static (inside,outside) tcp interface 2000 10.0.0.200 2000 netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.0.0.253 www netmask 255.255.255.255
    static (inside,outside) tcp interface 35000 10.0.0.50 8082 netmask 255.255.255.255
    static (inside,outside) udp interface 16409 10.0.0.54 4982 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 10.0.0.250 smtp netmask 255.255.255.255 dns
    static (inside,outside) udp interface 1434 10.0.0.251 1434 netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.0.0.250 https netmask 255.255.255.255 dns
    static (inside,outside) tcp interface 7890 10.0.0.253 7890 netmask 255.255.255.255
    static (phone,outside) 72.82.246.100 10.0.10.10 netmask 255.255.255.255
    static (inside,phone) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

    +
    0 Votes
    IcebergTitanic

    Well, what you have is several different PAT (port address translation) commands that are taking specific ports coming on the outside interface, and sending them to specific inside interfaces.

    What you will need to do is determine exactly what ports are inbound for your email server. It actually looks like you have the line already:

    static (inside,outside) tcp interface https 10.0.0.250 https netmask 255.255.255.255 dns

    To test this, connect up to the wireless, and just try to ping that server by its full name. (Like mail.mycompany.com or whatever) and see if it gets resolved to the inside address or not.

    Beyond that, you might just need to set up some packet captures on the ASA and try to watch a phone attempt to talk to the exchange server.

    +
    1 Votes
    NetMan1958

    It looks like you are using PAT, since you are using the IP of the outside interface on your ASA. I'm not sure if this will work correctly when using PAT (I've never tried it). Also, is the DNS server that your LAN devices use located on the LAN or on the Internet? (For DNS doctoring to work, the DNS traffic must cross the outside interface of your ASA.)

    An alternate solution to DNS doctoring is to add an entry to the hosts file on your LAN devices and specify the LAN IP of your mail server.
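    An added example, written for this page and not code from the thread or from Cisco, of what the `dns` keyword on a `static` does (the rewrite IcebergTitanic describes) and of why NetMan1958's doubt about PAT is well founded. It builds a DNS reply in raw wire format, walks the answer section, and rewrites A records whose address is a mapped (outside) address to the real (inside) address, exactly as DNS doctoring does. The one-to-one pair 172.20.1.10 -> 192.168.100.10 is IcebergTitanic's sample static; the second table models the poster's interface PAT, where 72.82.246.98 fronts 10.0.0.250, 10.0.0.253 and 10.0.0.46 at once. The host name mail.example.test, the transaction ID and the packet builder are constructed for the demo. Cisco's NAT documentation states that DNS rewrite is not applicable to PAT because several PAT rules would match the one A record, so the example leaves such a record untouched and reports the ambiguity instead of guessing.

```python
"""Model of ASA DNS doctoring (the `dns` keyword on a `static`).

Added example for this page; not the thread's or Cisco's code.
"""
import struct
from ipaddress import IPv4Address

# Constructed translation tables, (mapped/outside IP, real/inside IP) per static line.
ONE_TO_ONE = [("172.20.1.10", "192.168.100.10")]          # IcebergTitanic's sample static
INTERFACE_PAT = [                                         # the poster's interface PAT lines
    ("72.82.246.98", "10.0.0.250"),   # smtp / https
    ("72.82.246.98", "10.0.0.253"),   # www / 7890
    ("72.82.246.98", "10.0.0.46"),    # 3389
]


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels (length byte + label, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addrs, txid=0x1234, ttl=300) -> bytes:
    """Build a DNS reply: header, one question, one A record per address.
    Answer names use a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)             # type A, class IN
    answers = b""
    for a in addrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + IPv4Address(a).packed
    return header + question + answers


def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def iter_answers(pkt: bytes):
    """Yield (rdata_offset, rtype, rdlength) for every RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4      # qtype + qclass
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_record_ips(pkt: bytes):
    """The IPv4 addresses carried in the reply's A records, in order."""
    return [str(IPv4Address(pkt[o:o + 4])) for o, t, n in iter_answers(pkt) if t == 1 and n == 4]


def doctor(pkt: bytes, statics):
    """Rewrite A records that carry a mapped (outside) address to the real (inside)
    address, as the ASA does for a static carrying the `dns` keyword.

    Returns (rewritten_packet, rewrites, ambiguous). A mapped address that fronts
    more than one real host (interface PAT) is ambiguous: the record is left as
    is and reported, which is the case DNS rewrite cannot handle.
    """
    table = {}
    for mapped, real in statics:
        table.setdefault(mapped, set()).add(real)
    out = bytearray(pkt)
    rewrites, ambiguous = [], []
    for off, rtype, rdlen in iter_answers(pkt):
        if rtype != 1 or rdlen != 4:
            continue                       # only A records are doctored
        addr = str(IPv4Address(pkt[off:off + 4]))
        reals = table.get(addr)
        if not reals:
            continue                       # not a mapped address we translate
        if len(reals) > 1:
            ambiguous.append((addr, sorted(reals)))
            continue
        real = next(iter(reals))
        out[off:off + 4] = IPv4Address(real).packed   # in-place rewrite, length unchanged
        rewrites.append((addr, real))
    return bytes(out), rewrites, ambiguous


if __name__ == "__main__":
    reply = build_a_response("mail.example.test", ["172.20.1.10"])
    fixed, done, amb = doctor(reply, ONE_TO_ONE)
    print("one-to-one static:", a_record_ips(reply), "->", a_record_ips(fixed), done)
    reply = build_a_response("mail.example.test", ["72.82.246.98"])
    fixed, done, amb = doctor(reply, INTERFACE_PAT)
    print("interface PAT:     ", a_record_ips(reply), "->", a_record_ips(fixed), "ambiguous:", amb)
```

    Two things the model makes visible that the `static ... dns` one-liner hides: the rewrite only ever happens to a reply the ASA actually sees, so a LAN resolver that answers clients directly (the case NetMan1958 asks about) never gets doctored; and with the interface PAT in the poster's table there is no single inside host to substitute for 72.82.246.98, so the reply goes through unchanged and the phones keep connecting to the outside address. Split-brain DNS or a one-to-one static for the mail server avoids both problems.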

    +
    0 Votes
    IcebergTitanic

    Do you know how to modify the hosts file on an iPhone? I didn't think you could do that?

    +
    0 Votes
    NetMan1958

    I've never tried to edit the hosts file on an iPhone but here is a link to a discussion about it. It might give you some ideas on how to proceed.

    http://stackoverflow.com/questions/2028544/does-hosts-file-exist-on-the-iphone-how-to-change-it

    +
    0 Votes
    dboberg

    Thanks for the insight everyone! I will look into this further tomorrow and post tomorrow. I'm sure I will have more questions, but your posts are all leading me in the right direction of a solution. I thought the same thing, NetMan1958: since the IP address of the outside interface and the server IP are the same, that is a different type of workaround, am I right? I've done a few things on the ASA that I thought would be logical, but the ASA flagged them and I couldn't create certain rules on the outside interface IP.

    +
    0 Votes
    dboberg

    IcebergTitanic, I have tried that and I can't communicate with that external address at all.
