Website internal/external
-
@dashrender said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post -_-
I figured you were talking about hairpin. Did you mean something different?
No, I just realized it was redundant. I found this article for Cisco ASA hairpin
We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.
In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.
This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.
-
@dashrender said in Website internal/external:
@tim_g said in Website internal/external:
So if I understand correctly, you have a server on your domain (olddomain.com), in which one NIC has an internal domain / LAN connected IP, and another NIC that has an external IP address in which GoDaddy DNS points to?
Not quite.
The website is hosted on your network. Internally it has a local IP, the firewall does NATing to a real IP for outsiders.Now if you don't have an internal DNS server that hosts that domainname, like the OP - newdomain.com hosted/dns at Godaddy.com, when your internal clients to go www.newdoamin.com, your pc will get the IP on the outside of the firewall. So your PC sends the packets to that IP on the outside of your firewall, then the firewall realizes it's an IP that itself is responsible for, and if hairpinning is allowed, it forwards the packets back into the network to the webserver.
Oh I see, so he's basically just forwarding a port (port forwarding) to his internal server. (that's what it sounds like to me anyways)
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
I've only ever done that stuff at home for gaming or self-hosting things, not in a business/enterprise environment.
If you need to host something externally, you don't typically do it from something on your production domain ^_^ -
Cisco has it's own technique on ASA for this - they call it DNS Doctoring.
You would put something like this on your ASA:object network WEB_SRV_OUTSIDE nat (dmz,outside) static X.X.X.X dns
where X.X.X.X is public (external) address and dns keyword is DNS doctoring part. More details is available at:
http://resources.intenseschool.com/dns-doctoring-on-the-cisco-asa/
-
@bbigford said in Website internal/external:
@dashrender said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post -_-
I figured you were talking about hairpin. Did you mean something different?
No, I just realized it was redundant. I found this article for Cisco ASA hairpin
We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.
In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.
This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.
Interesting. I haven't seen that one before, and it will work, as long as we don't have DNS Sec.
-
@dashrender said in Website internal/external:
@bbigford said in Website internal/external:
@dashrender said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
@bbigford said in Website internal/external:
@dbeato said in Website internal/external:
To be honest, I said NAT loopback without knowing what hairpin was referring to from Jared... that’s why the redundancy of my post -_-
I figured you were talking about hairpin. Did you mean something different?
No, I just realized it was redundant. I found this article for Cisco ASA hairpin
We've got a 5506-X, but concept is still the same I know. What I don't understand is "Enter your new IP address". It already stated in the steps that 10.0.0.2 is the internal system address. In this case, the web server I'm thinking.
In looking at that - I'm lost, why would GoDaddy be giving you instructions about making hairpin work for your office network? From the looks of it, it appears that the article is talking about an ASA at GoDaddy.
This link makes more sense and is a bit more all inclusive. Has the correct command for CLI and also shows ASDM way. Not sure if those same steps apply to 5506-x since the versions are vastly different.
Interesting. I haven't seen that one before, and it will work, as long as we don't have DNS Sec.
I haven't set up DNS Sec per any best practices, but is it basically configured (in most cases) to not allow this very thing?
-
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
I still do and reason I confused it was because on Sonicwall is NAT loopback.
-
@dbeato said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
I still do and reason I confused it was because on Sonicwall is NAT loopback.
There are a lot of organizations that have legacy stuff like this still. So, yeah it is certainly not rare, but certainly no longer common as most things have been pushed out to cloud providers or VPS hosting and such.
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Wow, that verbiage could not be more clear compared to Cisco.
-
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
-
@bbigford said in Website internal/external:
Wow, that verbiage could not be more clear compared to Cisco.
That's because one makes their money from being clear and easy as they don't certify consultants; the other makes their money from being obtuse and getting money from a support and consulting ecosystem. It's not in Cisco's interest to make things easy or clear for their customers.
-
@bbigford said in Website internal/external:
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.
-
@scottalanmiller said in Website internal/external:
@bbigford said in Website internal/external:
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
There's a good chance I'll be putting this out on a VPS when their server ages out. So hopefully won't be an issue for too long. I haven't done that on Vultr yet (I'll probably have to fork this). But do you have to use a V2V converter from somewhere like 5nine or is there something Vultr might offer when that bridge is met?
I'm not aware of any tools for that. Not sure how you would get that image to Vultr. Rarely do you want to do something like this, though. You don't want to be deploying legacy kruft in that way. You'll want to build new wherever you are moving to.
already made a new topic for this discussion.
-
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
-
@bbigford said in Website internal/external:
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
Here's what I got to so far, with an error below... Nat (inside,inside) source dynamic NETWORK_OBJ_192.168.0.0_24 interface destination static SL-SA-PublicIP4 obj-192.168.0.23_443 SL-SA_PublicIP4 is the app's public IP, obj-192.168.0.23_443 is the internal server's address and port that the app is bound to.
Error: WARNING: Pool (application public IP listed here) overlap with existing pool.
-
@bbigford said in Website internal/external:
@bbigford said in Website internal/external:
Here's what I've gotten to...
Same-security-traffic permit intra-interface has been run on the ASA.
Nat (inside,inside) source dynamic Inside_Subnet interface destination static Inside_HTTP_Public Inside_HTTP-Server
I got that from this site
I can't tell if inside_Subnet is just an object (I think it is). But if that object is an object for the inside LAN... if that's the case, why an inside interface can't be specified.
Here's what I got to so far, with an error below... Nat (inside,inside) source dynamic NETWORK_OBJ_192.168.0.0_24 interface destination static SL-SA-PublicIP4 obj-192.168.0.23_443 SL-SA_PublicIP4 is the app's public IP, obj-192.168.0.23_443 is the internal server's address and port that the app is bound to.
Error: WARNING: Pool (application public IP listed here) overlap with existing pool.
I think that error is being generated, because of another NAT rule for (inside,outside) regarding that object. Not sure though.
-
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Oh I see, that clears it up for me.
Yeah that's why I've not experienced it... nothing I ran in to was ever publicly hosted internally. If it was, was already working. I do remember seeing "NAT loopback" before, but never heard of Hairpin.
-
@scottalanmiller said in Website internal/external:
@jaredbusch said in Website internal/external:
@tim_g said in Website internal/external:
I don't see why that's causing issues. Is this a problem specifically with Cisco stuff... or something extra you need to pay for that everything else "just does"?
It is not restricted to Cisco. It is also not a new thing. It has always been an issue. But in today's world, almost no one hosts public sites on internal networks, so many people have no idea what this is.
Yeah, we used this in the 1990s, I'm pretty sure, but back then so much was hosted in house. Now it's a very rare problem to have.
Yeah that's a decade or more before I really got in to IT... before my time.
It must have always been a default (non-adjustable) feature of home routers when I've done my port forwarding. I never had to worry about that. In enterprise, I was just never in an environment that did it like that.