Website internal/external



  • Situation: Website is reachable externally, but not internally. There's a few different directions I can go in. Not sure which is the best long term choice. Here's some high points...

    • An engineer at our company left abruptly for personal reasons.
    • The client then moved over to my weekly schedule.
    • About a year ago, the client merged with another company and there was a name change on the domain.
      • The old domain is olddomain.local still.
    • They have their company website hosted with GoDaddy. https://www.newdomain.com
    • GoDaddy is also acting as their registrar.
    • They wanted to incorporate SMS into their on-prem, legal software.
      • Internal legal system is on Windows Server. I configured IIS with a site binding and a 3rd party certificate.
    • Created a record with GoDaddy, pointing to one of 3 public IPs they have allocated, this one is just for the legal software, and points at their firewall. The record is sms.newdomain.com
    • Configured NAT and access list on Cisco ASA firewall, the sms.newdomain.com/virtualdirectory site is reachable.

    The issue I see here is I can't create an internal DNS zone, newdomain.com, because then internal requests wouldn't go out to the GoDaddy web server because of an authoritative answer internally. But I don't want them to keep having to use their current bookmark, for simplicity. The current bookmark is https://hostname/virtualdirectory.

    Any input is helpful here.



  • You probably cannot hairpin on the router.

    You can just make a local zone for sms.newdomain.com and then point to the IIS server. It sucks but when you cannot hairpin, it is what you have to do.



  • Can you use LoopBack NAT Translation for that address on the firewall?



  • I'm not sure what the problem is, tell me if I have it right:

    If your on-prem domain is olddomain.com, I don't understand why internal user requests to newdomain.com aren't handled by the GoDaddy DNS.



  • @bbigford said in Website internal/external:

    The issue I see here is I can't create an internal DNS zone, newdomain.com, because then internal requests wouldn't go out to the GoDaddy web server because of an authoritative answer internally. But I don't want them to keep having to use their current bookmark, for simplicity. The current bookmark is https://hostname/virtualdirectory.

    As JB said, you can create an internal zone, you just need to build all of the records needed to point users to your external GoDaddy site.



  • @bbigford said in Website internal/external:

    @jaredbusch said in Website internal/external:

    You probably cannot hairpin on the router.

    I know Cisco PIX firewalls couldn't do it, not sure they ever enabled it in ASA's?



  • @tim_g said in Website internal/external:

    I'm not sure what the problem is, tell me if I have it right:

    If your on-prem domain is olddomain.com, I don't understand why internal user requests to newdomain.com aren't handled by the GoDaddy DNS.

    Like Jared said, I think it's trying to hairpin, but being rejected. Without knowing first that they had a website hosted, I created an internal zone, newdomain.com, and created a host record sms. When doing an nslookup on sms.newdomain.com, it resolved to the internal IP. Not having that record, resulted in a non-authoratative answer of the public IP addresss. Which I figured shouldn't be a problem, but then I started thinking about the hairpin traffic.

    I thought maybe newdomain.com being a web server on GoDaddy could have caused some confusion when creating an internal zone with newdomain.com ... But newdomain.com externally resolves to a GoDaddy address, and sms.newdomain.com is internal. I thought maybe it could be causing the issue cause DNS hints would look at com, then newdomain (GoDaddy), but then sms would resolve to internal.

    If they had an internal site, we would just use www.newdomain.com (forked thread)... When trying to go to that site, I could see an issue if www.newdomain.com existed onsite as an internal portal, and a separate site external (for clients). But, that's outside the scope of this thread and would be a very weird setup anyway.

    I might have to do a hairpin. Haven't set that up on a ASA to date. That's one route I could go, but wasn't sure if there was going to be something more efficient.



  • To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑



  • @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?



  • @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502



  • @bbigford said in Website internal/external:

    @tim_g said in Website internal/external:

    I'm not sure what the problem is, tell me if I have it right:

    If your on-prem domain is olddomain.com, I don't understand why internal user requests to newdomain.com aren't handled by the GoDaddy DNS.

    Like Jared said, I think it's trying to hairpin, but being rejected. Without knowing first that they had a website hosted, I created an internal zone, newdomain.com, and created a host record sms. When doing an nslookup on sms.newdomain.com, it resolved to the internal IP. Not having that record, resulted in a non-authoratative answer of the public IP addresss. Which I figured shouldn't be a problem, but then I started thinking about the hairpin traffic.

    I thought maybe newdomain.com being a web server on GoDaddy could have caused some confusion when creating an internal zone with newdomain.com ... But newdomain.com externally resolves to a GoDaddy address, and sms.newdomain.com is internal. I thought maybe it could be causing the issue cause DNS hints would look at com, then newdomain (GoDaddy), but then sms would resolve to internal.

    If they had an internal site, we would just use www.newdomain.com (forked thread)... When trying to go to that site, I could see an issue if www.newdomain.com existed onsite as an internal portal, and a separate site external (for clients). But, that's outside the scope of this thread and would be a very weird setup anyway.

    I might have to do a hairpin. Haven't set that up on a ASA to date. That's one route I could go, but wasn't sure if there was going to be something more efficient.

    Oh I've never heard of that "hairpin" term, and never experienced or ran into that issue before.

    So if I understand correctly, you have a server on your domain (olddomain.com), in which one NIC has an internal domain / LAN connected IP, and another NIC that has an external IP address in which GoDaddy DNS points to?

    If not, I'm just going to stay out of it now. I might be too sick and tired to think straight.



  • @tim_g said in Website internal/external:

    So if I understand correctly, you have a server on your domain (olddomain.com), in which one NIC has an internal domain / LAN connected IP, and another NIC that has an external IP address in which GoDaddy DNS points to?

    Not quite.
    The website is hosted on your network. Internally it has a local IP, the firewall does NATing to a real IP for outsiders.

    Now if you don't have an internal DNS server that hosts that domainname, like the OP - newdomain.com hosted/dns at Godaddy.com, when your internal clients to go www.newdoamin.com, your pc will get the IP on the outside of the firewall. So your PC sends the packets to that IP on the outside of your firewall, then the firewall realizes it's an IP that itself is responsible for, and if hairpinning is allowed, it forwards the packets back into the network to the webserver.



  • @dbeato said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502

    We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.



  • @tim_g said in Website internal/external:

    @bbigford said in Website internal/external:

    @tim_g said in Website internal/external:

    I'm not sure what the problem is, tell me if I have it right:

    If your on-prem domain is olddomain.com, I don't understand why internal user requests to newdomain.com aren't handled by the GoDaddy DNS.

    Like Jared said, I think it's trying to hairpin, but being rejected. Without knowing first that they had a website hosted, I created an internal zone, newdomain.com, and created a host record sms. When doing an nslookup on sms.newdomain.com, it resolved to the internal IP. Not having that record, resulted in a non-authoratative answer of the public IP addresss. Which I figured shouldn't be a problem, but then I started thinking about the hairpin traffic.

    I thought maybe newdomain.com being a web server on GoDaddy could have caused some confusion when creating an internal zone with newdomain.com ... But newdomain.com externally resolves to a GoDaddy address, and sms.newdomain.com is internal. I thought maybe it could be causing the issue cause DNS hints would look at com, then newdomain (GoDaddy), but then sms would resolve to internal.

    If they had an internal site, we would just use www.newdomain.com (forked thread)... When trying to go to that site, I could see an issue if www.newdomain.com existed onsite as an internal portal, and a separate site external (for clients). But, that's outside the scope of this thread and would be a very weird setup anyway.

    I might have to do a hairpin. Haven't set that up on a ASA to date. That's one route I could go, but wasn't sure if there was going to be something more efficient.

    Oh I've never heard of that "hairpin" term, and never experienced or ran into that issue before.

    So if I understand correctly, you have a server on your domain (olddomain.com), in which one NIC has an internal domain / LAN connected IP, and another NIC that has an external IP address in which GoDaddy DNS points to?

    If not, I'm just going to stay out of it now. I might be too sick and tired to think straight.

    Not 2 NICs, just an internal IP. Port address translation at the firewall.



  • @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502

    We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.

    In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.



  • @dashrender said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502

    We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.

    In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.

    This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.



  • @dashrender said in Website internal/external:

    @tim_g said in Website internal/external:

    So if I understand correctly, you have a server on your domain (olddomain.com), in which one NIC has an internal domain / LAN connected IP, and another NIC that has an external IP address in which GoDaddy DNS points to?

    Not quite.
    The website is hosted on your network. Internally it has a local IP, the firewall does NATing to a real IP for outsiders.

    Now if you don't have an internal DNS server that hosts that domainname, like the OP - newdomain.com hosted/dns at Godaddy.com, when your internal clients to go www.newdoamin.com, your pc will get the IP on the outside of the firewall. So your PC sends the packets to that IP on the outside of your firewall, then the firewall realizes it's an IP that itself is responsible for, and if hairpinning is allowed, it forwards the packets back into the network to the webserver.

    Oh I see, so he's basically just forwarding a port (port forwarding) to his internal server. (that's what it sounds like to me anyways)

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    I've only ever done that stuff at home for gaming or self-hosting things, not in a business/enterprise environment.
    If you need to host something externally, you don't typically do it from something on your production domain ^_^



  • Cisco has it's own technique on ASA for this - they call it DNS Doctoring.
    You would put something like this on your ASA:

    object network WEB_SRV_OUTSIDE
     nat (dmz,outside) static X.X.X.X dns
    

    where X.X.X.X is public (external) address and dns keyword is DNS doctoring part. More details is available at:

    https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

    http://resources.intenseschool.com/dns-doctoring-on-the-cisco-asa/



  • @bbigford said in Website internal/external:

    @dashrender said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502

    We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.

    In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.

    This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.

    Interesting. I haven't seen that one before, and it will work, as long as we don't have DNS Sec.



  • @dashrender said in Website internal/external:

    @bbigford said in Website internal/external:

    @dashrender said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    @bbigford said in Website internal/external:

    @dbeato said in Website internal/external:

    To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post 😑

    I figured you were talking about hairpin. Did you mean something different?

    No, I just realized it was redundant. I found this article for Cisco ASA hairpin

    https://www.godaddy.com/help/adding-ip-addresses-to-your-servers-cisco-asa-5505-firewall-loopback-8502

    We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.

    In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.

    This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.

    Interesting. I haven't seen that one before, and it will work, as long as we don't have DNS Sec.

    I haven't set up DNS Sec per any best practices, but is it basically configured (in most cases) to not allow this very thing?



  • @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
    0_1517157045231_ff7dd64a-e2be-4698-85ab-ec0e79f182b2-image.png



  • @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
    0_1517157045231_ff7dd64a-e2be-4698-85ab-ec0e79f182b2-image.png

    I still do and reason I confused it was because on Sonicwall is NAT loopback.



  • @dbeato said in Website internal/external:

    @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
    0_1517157045231_ff7dd64a-e2be-4698-85ab-ec0e79f182b2-image.png

    I still do and reason I confused it was because on Sonicwall is NAT loopback.

    There are a lot of organizations that have legacy stuff like this still. So, yeah it is certainly not rare, but certainly no longer common as most things have been pushed out to cloud providers or VPS hosting and such.



  • @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.

    Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.



  • @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
    0_1517157045231_ff7dd64a-e2be-4698-85ab-ec0e79f182b2-image.png

    Wow, that verbiage could not be more clear compared to Cisco.



  • @scottalanmiller said in Website internal/external:

    @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.

    Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.

    There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?



  • @bbigford said in Website internal/external:

    Wow, that verbiage could not be more clear compared to Cisco.

    That's because one makes their money from being clear and easy as they don't certify consultants; the other makes their money from being obtuse and getting money from a support and consulting ecosystem. It's not in Cisco's interest to make things easy or clear for their customers.



  • @bbigford said in Website internal/external:

    @scottalanmiller said in Website internal/external:

    @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.

    Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.

    There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?

    I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.



  • @scottalanmiller said in Website internal/external:

    @bbigford said in Website internal/external:

    @scottalanmiller said in Website internal/external:

    @jaredbusch said in Website internal/external:

    @tim_g said in Website internal/external:

    I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?

    It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.

    Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.

    There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?

    I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.

    already made a new topic for this discussion.



  • Here's what I've gotten to...

    Same-security-traffic permit intra-interface has been run on the ASA.

    Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server

    I got that from this site

    I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.


Log in to reply