10-03-2008 03:47 AM - edited 03-11-2019 06:52 AM
Hi, We have an ASA 5505 installed in production. Now we want to access the website by using the public IP from the server, which is hosted on the same server. Exp: The local IP of the server is 1.1.1.1, which is mapped to public IP 2.2.2.2 on the ASA FW. Now when I try to access the same website like http:\\2.2.2.2\xyz then it doesn't open, but when I use 1.1.1.1 then it works. I am using the same local server 1.1.1.1 to open the website by its public IP. The website can be accessed from an outside machine without any issue. Now tell me, is it possible??? Thanks
10-03-2008 07:34 AM
Here you go:
ADD THE "DNS" KEYWORD AT THE END OF THE STATIC WHICH MAPS 2.2.2.2 TO 1.1.1.1
Exp : The local IP of server is 1.1.1.1 and which is mapped with public IP 2.2.2.2 on ASA FW :
NO STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1
STATIC (INSIDE,OUTSIDE) 2.2.2.2 1.1.1.1 DNS
CL XLATE
CL LOCAL
On server:
ipconfig /flushdns
Try:
http://2.2.2.2 --> should work.
Do rate helpful posts.
Regards,
Sushil
10-03-2008 05:58 AM
Hi,
It is possible.
Suppose your inside network is 192.168.100.0,
then see the configuration below:
1. access-list OUTSIDE extended permit tcp any host 2.2.2.2 eq www
2. global (outside) 1 interface
3. nat (inside) 1 192.168.100.0 255.255.255.0
4. Static translation to allow hosts on the inside access to hosts on the dmz.
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
5. The "dns" keyword is added to instruct the security appliance to modify DNS records related to this entry.
static (dmz,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns
6. access-group OUTSIDE in interface outside
HTH..rate if helpful..
10-03-2008 06:20 AM
Hi,
Thanks for your reply!!
Well, DMZ is not in the scenario. As I have already mentioned, all settings have been done and we can access the website from outside by using http://2.2.2.2---mapped----internal Server IP is 1.1.1.1, but when I open the same website http:\\2.2.2.2 on the same server where it's hosted (1.1.1.1) then it doesn't work, as it works when I use http:\\1.1.1.1. I think it can be done by DNAT but I don't know how to configure it. Please advise.
10-03-2008 07:33 AM
Please help!!
10-03-2008 08:47 AM
Hi Sushil: Thanks for your reply.
Would it affect incoming web traffic from the outside world? Because it's in production. Thanks
10-03-2008 09:27 AM
When you remove the static, incoming traffic to the web server would stop.
As soon as you add the static with the dns keyword, access would come back up. So, it depends how fast you make the changes. I think you can simply copy and paste the commands in one go. There would be a momentary disruption of traffic, almost unnoticeable.
Regards,
Sushil
10-03-2008 11:46 AM
Thanks!!
10-06-2008 07:44 PM
Hi Sushil,
Can you please explain the reason of using DNS? Why and when do we need to use DNS modification?
10-06-2008 09:44 PM
Folks, the keyword "dns" modifies the returned FQDN/DNS reply packet, called DNS doctoring. However, here the requester (Ray) mentions this in his issue:
"now when I try to access same website like http:\\2.2.2.2\xyz then it doesn't open"
That means he is trying to open it with the IP address, and it doesn't work. How does DNS doctoring come into the picture when he is not sending a DNS packet out?
Ray, are you running a version higher than 7.2.2? If yes, then add these commands:
static (inside,inside) 2.2.2.2 1.1.1.1
nat (inside) 1 0 0
global (inside) 1 interface
same-security-traffic permit intra-interface
10-07-2008 07:34 PM
I am sorry to say this, but an explanation of WHY any recommended commands should be used is many a time missing. I don't know how Ray is going to interpret these commands, but to me, why would you ask him for static (inside, inside)? If it's a typo, then again without explanation Ray is not going to understand. And if it's not a typo, then why must he use this command when he is trying to use 2.2.2.2 as his outside IP address? (I haven't gone higher than 7.0, so asking.)
What would the last command do?
10-07-2008 09:13 PM
This is U-turning.
It's not a typo. static (inside,inside) 2.2.2.2 1.1.1.1 suggests source and destination are both on the inside (in simpler terms).