07-06-2010 02:57 AM - edited 03-11-2019 11:07 AM
Hi Guys,
I have a problem with the solution for a web portal on my ASA5520. I'd like to connect to a web portal with the public IP address. That sounds easy.
The situation is as follows:
1. The web portal server is in the same network as the client.
2. The connection has to be opened with the public DNS entry.
3. The internal DNS server has to be untouched.
Example:
web.portal.com has the public IP 1.1.1.1
The web server has the internal IP 172.16.24.70
An existing NAT rule is installed like: static (INSIDE,OUTSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255 dns
Now I want to connect from my network 172.16.24.0/24 to my web portal with the DNS entry web.portal.com.
What do I have to do?
Thanks for replies
07-06-2010 03:22 AM
With the existing "dns" keyword configured on the static statement, as well as dns inspection enabled on the ASA global_policy, plus if the DNS request and reply actually pass through the ASA, then your internal host should be receiving the private ip address of the web server when performing DNS resolution.
The above statement is true if your internal host is using external DNS server for the resolution of your web server: web.portal.com, and the DNS resolution goes through the ASA.
Basically what will happen is the internal host performs DNS resolution, and the DNS request goes outbound towards the external DNS server. The external DNS server will reply with the public IP address, and once the DNS reply passes through the ASA, the ASA will inspect the DNS reply and modify the reply from the web server's public IP address to the private IP address. Once the internal host receives the DNS reply, the web.portal.com entry resolves to the private IP address.
Please let me know if you are not using the external DNS server to resolve the web.portal.com DNS, and the DNS request/reply does not go through the ASA.
07-06-2010 04:34 AM
Should it be possible that the ASA has a DNS IP address for the checks? It sounds like the only reason that this service doesn't work.
I have installed this DNS feature.
07-06-2010 04:36 AM
Do you have "inspect dns" configured?
Are you using an external DNS server to resolve the web server DNS?
07-06-2010 04:42 AM
The clients use an internal DNS and the firewall has no DNS included yet.
The DNS inspection is already included in the config.
07-06-2010 04:48 AM
As advised earlier, the solution only works if the client uses an external DNS server and if the DNS resolution goes through the ASA.
In your case, since the user is using the internal DNS, I assume that the internal DNS resolves the web server to the public IP address?
If that is the case, then you would need to configure the following, as you cannot make use of the DNS inspection feature in the ASA:
same-security-traffic permit intra-interface
static (INSIDE,INSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255
Further to that, if you have the "nat (INSIDE) 1 0 0" command, you would need to add "global (INSIDE) 1 interface" as well.
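To make the two answers above concrete, here is an added example (not code from this thread, Cisco, or the ASA) that simulates what the "dns" keyword on the static does to a DNS reply passing through the firewall, and then classifies where an inside client's session ends up depending on which address it resolved. The NAT map, the inside network, the constructed DNS reply bytes and the helper names (doctor_dns_reply, session_path, and so on) are all assumptions made for this illustration; the ASA's real inspection engine is not modelled beyond the A record rewrite described in the thread.

```python
import struct
import ipaddress

# Constructed stand-in for the thread's static with the "dns" keyword:
#   static (INSIDE,OUTSIDE) tcp 1.1.1.1 https 172.16.24.70 https netmask 255.255.255.255 dns
STATIC_DNS_MAP = {"1.1.1.1": "172.16.24.70"}
INSIDE_NET = "172.16.24.0/24"


def _encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_response(name, addresses, txid=0x1234):
    """Build a minimal DNS reply with one A record per address (constructed test data).
    Answer names use a compression pointer (0xC00C) back to the question name,
    as real resolvers do, so the parser below has to handle pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_records(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each answer record."""
    _, _, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_reply(pkt, nat_map):
    """Rewrite A records that carry a mapped public address to the private one,
    as the "dns" keyword plus "inspect dns" does on the ASA.
    Returns (new_packet, [(public, private), ...]); TTLs and lengths are untouched."""
    pkt = bytearray(pkt)
    rewritten = []
    for off, rtype, rclass, rdlen in _answer_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:         # A record, class IN
            public = str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            if public in nat_map:
                pkt[off:off + 4] = ipaddress.IPv4Address(nat_map[public]).packed
                rewritten.append((public, nat_map[public]))
    return bytes(pkt), rewritten


def a_records(pkt):
    """List the A record addresses in a reply, i.e. what the client would see."""
    return [str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
            for off, rtype, rclass, rdlen in _answer_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def session_path(resolved_ip, inside_net, inside_statics):
    """Hypothetical helper: classify where an inside client's session goes.
    'direct'   - destination is on the LAN, the ASA never sees the packet.
    'hairpin'  - destination is the public address of an inside server, so the ASA
                 must translate it and send it back out the same interface; that is
                 what 'same-security-traffic permit intra-interface' plus the
                 static (INSIDE,INSIDE) in the answer above make possible.
    'outbound' - ordinary traffic towards the outside."""
    if ipaddress.ip_address(resolved_ip) in ipaddress.ip_network(inside_net):
        return "direct"
    if resolved_ip in inside_statics:
        return "hairpin"
    return "outbound"


if __name__ == "__main__":
    reply = build_dns_response("web.portal.com", ["1.1.1.1"])
    fixed, changes = doctor_dns_reply(reply, STATIC_DNS_MAP)
    print("doctored:", changes, "client now resolves to", a_records(fixed))
    for ip in a_records(fixed) + a_records(reply):
        print(ip, "->", session_path(ip, INSIDE_NET, STATIC_DNS_MAP))
```

Running it shows the two cases the thread contrasts: a reply that traversed the ASA comes back with 172.16.24.70 and the client's session stays "direct" on the LAN, whereas a reply from an internal DNS server that the ASA never inspected still says 1.1.1.1, and that session is a "hairpin" that fails unless intra-interface traffic and the (INSIDE,INSIDE) static are configured.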
11-29-2012 12:18 PM
Yet another NAT issue I had recently and this was the exact fix. Thanks Jennifer!