Access

ray_stone
Level 1

Hi, we have an ASA 5505 installed in production. Now we want to access the website by using its public IP from the server on which it is hosted. Example: the local IP of the server is 1.1.1.1, which is mapped to public IP 2.2.2.2 on the ASA firewall. Now when I try to access the same website, like http://2.2.2.2/xyz, it doesn't open, but when I use 1.1.1.1 it works. I am using the same local server 1.1.1.1 to open the website by its public IP. The website can be accessed from an outside machine without any issue. Now tell me, is it possible??? Thanks

11 Replies

satish_zanjurne
Level 4

Hi,

It is possible.

Suppose your inside network is 192.168.100.0, then see the configuration below:

1. access-list OUTSIDE extended permit tcp any host 2.2.2.2 eq www

2. global (outside) 1 interface

3. nat (inside) 1 192.168.100.0 255.255.255.0

4. Static translation to allow hosts on the inside access to hosts on the DMZ:

   static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

5. The "dns" keyword is added to instruct the security appliance to modify DNS records related to this entry:

   static (dmz,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns

6. access-group OUTSIDE in interface outside

HTH.. rate if helpful..

Hi,

Thanks for your reply!!

Well, the DMZ is not in the scenario. As I have already mentioned, all settings have been done and we can access the website from outside by using http://2.2.2.2, which is mapped to the internal server IP 1.1.1.1. But when I open the same website, http://2.2.2.2, on the same server where it is hosted (1.1.1.1), it doesn't work, whereas it works when I use http://1.1.1.1. I think it can be done by DNAT but I don't know how to configure it. Please advise.

Please help!!

suschoud
Cisco Employee

Here you go:

Add the "dns" keyword at the end of the static which maps 2.2.2.2 to 1.1.1.1.

Example: the local IP of the server is 1.1.1.1, which is mapped to public IP 2.2.2.2 on the ASA firewall:

no static (inside,outside) 2.2.2.2 1.1.1.1

static (inside,outside) 2.2.2.2 1.1.1.1 dns

clear xlate

clear local-host

On the server:

ipconfig /flushdns

Try:

http://2.2.2.2 --> should work.

Do rate helpful posts.

Regards,

Sushil

Hi Sushil, thanks for your reply.

Would it affect incoming web traffic from the outside world, because it's in production? Thanks

When you remove the static, incoming traffic to the web server will stop.

As soon as you add the static with the dns keyword, access will come back up. So it depends on how fast you make the changes. I think you can simply copy and paste the commands in one go. There will be a momentary disruption of traffic, almost unnoticeable.

Regards,

Sushil

Thanks!!

Hi Sushil,

Can you please explain the reason for using DNS? Why and when do we need to use DNS modification?

Folks, the "dns" keyword modifies the returned FQDN/DNS reply packet (called DNS doctoring). However, here the requester (Ray) mentions this in his issue:

"now when I try to access same website like http://2.2.2.2/xyz then it doesn't open"

That means he is trying to open it with the IP address, and it doesn't work. How does DNS doctoring come into the picture when he is not sending a DNS packet out?

Ray, are you running a version higher than 7.2.2? If yes, then add these commands:

static (inside,inside) 2.2.2.2 1.1.1.1

nat (inside) 1 0 0

global (inside) 1 interface

same-security-traffic permit intra-interface

I am sorry to say this, but the explanation of WHY any recommended commands should be used is often missing. I don't know how Ray is going to interpret these commands, but to me, why would you ask him for static (inside,inside)? If it's a typo, then again, without explanation Ray is not going to understand. And if it's not a typo, then why must he use this command when he is trying to use 2.2.2.2 as his outside IP address? (I haven't gone higher than 7.0, so asking.)

What would the last command do?

This is U-turning.

It's not a typo. static (inside,inside) 2.2.2.2 1.1.1.1 means source and destination are both on the inside (in simpler terms).
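As an added example (not code from any poster in this thread), here is a small Python model of the two mechanisms discussed above: the dns keyword on Sushil's static, and the inside-to-inside U-turn recipe in the later reply. It parses a constructed pre-8.3 style config, applies DNS doctoring to an A record the way the static's direction dictates, and checks whether all three hairpin pieces are present; the config text, the function names and the assumption that the inside client resolves names via an outside DNS server are mine.

```python
import re
from collections import namedtuple

# Constructed pre-8.3 ASA snippet using the thread's addresses; not any poster's real config.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns
static (inside,inside) 2.2.2.2 1.1.1.1
nat (inside) 1 0 0
global (inside) 1 interface
"""
# static (real_if,mapped_if) mapped_ip real_ip [netmask m] [dns]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask \S+)?(?P<dns> dns)?$")
Static = namedtuple("Static", "real_if mapped_if mapped_ip real_ip dns")

def parse_statics(config):
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append(Static(m[1], m[2], m[3], m[4], m["dns"] is not None))
    return out

def doctor_a_record(statics, answer_ip, from_if, to_if):
    # DNS doctoring: an A record in a reply crossing a 'dns' static is rewritten
    # mapped->real towards the real interface, real->mapped towards the mapped one.
    for s in statics:
        if s.dns and (from_if, to_if, answer_ip) == (s.mapped_if, s.real_if, s.mapped_ip):
            return s.real_ip
        if s.dns and (from_if, to_if, answer_ip) == (s.real_if, s.mapped_if, s.real_ip):
            return s.mapped_ip
    return answer_ip  # nothing matched: the answer passes through unchanged

def hairpin_ready(config, statics, iface, mapped_ip, real_ip):
    # U-turn NAT needs all three pieces from the thread: intra-interface traffic permitted,
    # a static on (iface,iface), and nat/global PAT on iface so replies return via the ASA.
    lines = {l.strip() for l in config.splitlines()}
    has_static = any(s[:4] == (iface, iface, mapped_ip, real_ip) for s in statics)
    has_pat = any(l.startswith(f"nat ({iface}) 1 ") for l in lines) and f"global ({iface}) 1 interface" in lines
    return "same-security-traffic permit intra-interface" in lines and has_static and has_pat

def inside_client_path(config, mapped_ip, real_ip, uses_hostname, dns_server_if="outside"):
    # Browsing by raw IP sends no DNS query, so the 'dns' keyword alone cannot help there;
    # only a hairpin static does. By hostname, a doctored reply from an outside DNS server works.
    statics = parse_statics(config)
    if uses_hostname and doctor_a_record(statics, mapped_ip, dns_server_if, "inside") == real_ip:
        return "dns-doctoring"
    if hairpin_ready(config, statics, "inside", mapped_ip, real_ip):
        return "hairpin"
    return "blocked"
```

Running inside_client_path over a config that carries only the dns static returns "blocked" for a client that types the public IP, which is exactly the objection raised in the last replies.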
