Access

Answered Question
Oct 3rd, 2008

Hi, we have an ASA 5505 installed in production. Now we want to access the website by using the public IP from the server on which it is hosted. Example: the local IP of the server is 1.1.1.1, and it is mapped to the public IP 2.2.2.2 on the ASA firewall. When I try to access the same website like http://2.2.2.2/xyz it doesn't open, but when I use 1.1.1.1 it works. I am using the same local server 1.1.1.1 to open the website by its public IP. The website can be accessed from an outside machine without any issue. Now tell me, is it possible??? Thanks

Correct Answer by suschoud about 8 years 2 months ago

Here you go :

ADD THE "DNS" KEYWORD AT THE END OF THE STATIC WHICH MAPS 2.2.2.2 TO 1.1.1.1

Example: the local IP of the server is 1.1.1.1, which is mapped to the public IP 2.2.2.2 on the ASA firewall:

NO STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1

STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1 DNS

CL XLATE

CL LOCAL

On the server:

ipconfig /flushdns

Try :

http://2.2.2.2 --> should work.

Do rate helpful posts.

Regards,

Sushil

satish_zanjurne Fri, 10/03/2008 - 05:58

Hi,

It is possible.

Suppose your inside network is 192.168.100.0,

then see the configuration below:

1. access-list OUTSIDE extended permit tcp any host 2.2.2.2 eq www

2. global (outside) 1 interface

3. nat (inside) 1 192.168.100.0 255.255.255.0

4. Static translation to allow hosts on the inside access to hosts on the DMZ:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

5. The "dns" keyword is added to instruct the security appliance to modify DNS records related to this entry:

static (dmz,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns

6. access-group OUTSIDE in interface outside

HTH..rate if helpful..

ray_stone Fri, 10/03/2008 - 06:20

Hi,

Thanks for your reply!!

Well, a DMZ is not in the scenario. As I have already mentioned, all settings have been done and we can access the website from outside by using http://2.2.2.2 --- mapped --- internal server IP is 1.1.1.1. But when I open the same website http://2.2.2.2 on the same server where it is hosted (1.1.1.1) then it doesn't work, whereas it works when I use http://1.1.1.1. I think it can be done by DNAT but I don't know how to configure it. Please advise.

Correct Answer
suschoud Fri, 10/03/2008 - 07:34

ray_stone Fri, 10/03/2008 - 08:47

Hi Sushil: Thanks for your reply.

Would it affect incoming web traffic from the outside world, because it's in production? Thanks

suschoud Fri, 10/03/2008 - 09:27

When you remove the static, incoming traffic to the web server would stop.

As soon as you add the static with the dns keyword, access would come back up. So, it depends how fast you do the changes. I think you can simply copy and paste the commands in one go. There would be a momentary disruption of traffic, almost unnoticeable.

Regards,

Sushil

abinjola Mon, 10/06/2008 - 21:44

Folks, the "dns" keyword modifies the returned FQDN/DNS reply packet (called DNS doctoring); however, here the requester (Ray) mentions this in his issue:

"now when I try to access same website like http://2.2.2.2/xyz then it doesn't open"

That means he is trying to open it with the IP address, and it doesn't work. How come DNS doctoring comes into the picture when he is not sending a DNS packet out?

Ray, are you running a version higher than 7.2.2? If yes, then add these commands:

static (inside,inside) 2.2.2.2 1.1.1.1

nat (inside) 1 0 0

global (inside) 1 interface

same-security-traffic permit intra-interface

I am sorry to say this, but the explanation of WHY any recommended commands should be used is many times missing. I don't know how Ray is going to interpret these commands, but why would you ask him for static (inside,inside)? If it's a typo, then again without explanation Ray is not going to understand. And if it's not a typo, then why must he use this command when he is trying to use 2.2.2.2 as his outside IP address? (I haven't gone higher than 7.0, so asking.)

What would the last command do?

abinjola Tue, 10/07/2008 - 21:13

This is U-turning.

It's not a typo. static (inside,inside) 2.2.2.2 1.1.1.1 means source and destination are both on the inside (in simpler terms).
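An added example, not from this thread or from Cisco: a small Python model of the translation steps the two answers disagree about, showing why the dns keyword cannot help a connection opened by IP and what the U-turn (inside,inside) static plus intra-interface permit and inside PAT change. The Packet and Asa classes, the interface names and the ASA inside address 192.168.1.1 are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrives on (or leaves by, after translation)

@dataclass
class Asa:
    inside_ip: str = "192.168.1.1"  # constructed inside interface address
    intra_interface: bool = False   # same-security-traffic permit intra-interface
    hairpin_pat: bool = False       # nat (inside) 1 0 0 + global (inside) 1 interface
    statics: list = field(default_factory=list)  # (real_if, mapped_if, mapped, real, dns)

    def forward(self, pkt):
        """Return (verdict, packet as it would leave the ASA)."""
        for real_if, mapped_if, mapped, real, _ in self.statics:
            # A static only untranslates traffic that arrives on its mapped interface.
            if pkt.iface == mapped_if and pkt.dst == mapped:
                if real_if == mapped_if and not self.intra_interface:
                    return ("drop: intra-interface traffic not permitted", pkt)
                # Hairpinned flows also need source PAT, else the server answers 1.1.1.1 directly.
                src = self.inside_ip if real_if == mapped_if and self.hairpin_pat else pkt.src
                return ("forward", Packet(src, real, real_if))
        # No static for this destination on this interface: routed toward the outside.
        return ("forward", Packet(pkt.src, pkt.dst, "outside"))

    def doctor_dns_answer(self, answer_ip, reply_iface):
        """dns keyword: rewrite A records in DNS replies crossing the static (IP-only connections send none)."""
        for real_if, mapped_if, mapped, real, dns in self.statics:
            if dns and answer_ip == mapped and reply_iface == mapped_if:
                return real
        return answer_ip

def original_config():
    asa = Asa()  # the thread's starting point: a DNS-doctored inside->outside static
    asa.statics.append(("inside", "outside", "2.2.2.2", "1.1.1.1", True))
    return asa

def hairpin_config():
    asa = original_config()  # abinjola's U-turn additions on top of the original static
    asa.intra_interface = asa.hairpin_pat = True
    asa.statics.append(("inside", "inside", "2.2.2.2", "1.1.1.1", False))
    return asa

def server_to_public_ip(asa):
    """The thread's failing case: the server at 1.1.1.1 opens http://2.2.2.2 from inside."""
    return asa.forward(Packet("1.1.1.1", "2.2.2.2", "inside"))
```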
