Cisco Support Community

New Member

Access

Hi, we have an ASA 5505 installed in production. Now we want to access the website by using the public IP from the server, which is hosted on the same server. Example: the local IP of the server is 1.1.1.1, which is mapped to public IP 2.2.2.2 on the ASA FW, now when I try to access same website like http:\\2.2.2.2\xyz then it doesn't open, but when I use 1.1.1.1 then it works. I am using the same local server 1.1.1.1 to open the website by its public IP. The website can be accessed from an outside machine without any issue. Now tell me, is it possible? Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Access

Here you go :

ADD THE "DNS" KEYWORD AT THE END OF THE STATIC WHICH MAPS 2.2.2.2 TO 1.1.1.1

Example: the local IP of the server is 1.1.1.1, which is mapped to public IP 2.2.2.2 on the ASA FW:

no static (inside,outside) 2.2.2.2 1.1.1.1

static (inside,outside) 2.2.2.2 1.1.1.1 dns

clear xlate

clear local-host

On the server:

ipconfig /flushdns

Try:

http://2.2.2.2 --> should work.

Do rate helpful posts.

Regards,

Sushil

11 REPLIES

Re: Access

Hi,

It is possible

Suppose your inside network is 192.168.100.0

then see the configuration below

1. access-list OUTSIDE extended permit tcp any host 2.2.2.2 eq www

2. global (outside) 1 interface

3. nat (inside) 1 192.168.100.0 255.255.255.0

4. Static translation to allow hosts on the inside access to hosts on the DMZ:

static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

5. The "dns" keyword is added to instruct the security appliance to modify DNS records related to this entry:

static (dmz,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns

6. access-group OUTSIDE in interface outside

HTH..rate if helpful..

New Member

Re: Access

Hi,

Thanks for your reply!!

Well, a DMZ is not in the scenario. As I have already mentioned, all settings have been done and we can access the website from outside by using http://2.2.2.2 (mapped to internal server IP 1.1.1.1), but when I open the same website http:\\2.2.2.2 on the same server where it's hosted (1.1.1.1) then it doesn't work, whereas it works when I use http:\\1.1.1.1. I think it can be done by DNAT but I don't know how to configure it. Please advise.

New Member

Re: Access

Please help!!

New Member

Re: Access

Hi Sushil : Thanks for your reply.

Would it affect incoming web traffic from the outside world? Because it's in production. Thanks

Cisco Employee

Re: Access

When you remove the static, incoming traffic to the web server would stop.

As soon as you add the static with the dns keyword, access would come back up. So, it depends how fast you do the changes. I think you can simply copy and paste the commands in one go. There would be a momentary disruption of traffic, almost unnoticeable.

Regards,

Sushil

New Member

Re: Access

Thanks!!

New Member

Re: Access

Hi Sushil,

Can you please explain the reason of using DNS? Why and when do we need to use DNS modification?

Cisco Employee

Re: Access

Folks, the "dns" keyword modifies the returned FQDN/DNS reply packet, which is called DNS doctoring. However, here the requester (Ray) mentions this in his issue:

"now when I try to access same website like http:\\2.2.2.2\xyz then it doesn't open"

That means he is trying to open it with the IP address, and it doesn't work. How does DNS doctoring come into the picture when he is not sending a DNS packet out?

Ray, are you running a version higher than 7.2.2? If yes, then add these commands:

static (inside,inside) 2.2.2.2 1.1.1.1

nat (inside) 1 0 0

global (inside) 1 interface

same-security-traffic permit intra-interface

New Member

Re: Access

I am sorry to say this, but an explanation of WHY any recommended commands should be used is many a time missing. I don't know how Ray is going to interpret these commands, but to me, why would you ask him for static (inside, inside)? If it's a typo, then again without explanation Ray is not going to understand. And if it's not a typo, then why must he use this command when he is trying to use 2.2.2.2 as his outside IP address? (I haven't gone higher than 7.0, so asking.)

What would the last command do?

Cisco Employee

Re: Access

This is U-turning.

It's not a typo. static (inside,inside) 2.2.2.2 1.1.1.1 suggests that source and destination are both on the inside (in simpler terms).
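
Added example, not part of any post in this thread and not Cisco code: a simplified Python model of the U-turn (hairpin) path described above, showing what each of the suggested commands contributes when the server at 1.1.1.1 browses to 2.2.2.2. The inside interface address 1.1.1.254, the `Config` fields and the `trace` function are assumptions made for the illustration.

```python
"""Simplified model of hairpin (U-turn) NAT on a single firewall interface.
Added illustration only: not Cisco code, and not a full model of ASA behaviour."""
from dataclasses import dataclass

PUBLIC_IP, SERVER_IP = "2.2.2.2", "1.1.1.1"  # addresses used in the thread
FW_INSIDE_IP = "1.1.1.254"                   # constructed: inside interface address

@dataclass
class Config:
    intra_interface: bool = False       # same-security-traffic permit intra-interface
    static_inside_inside: bool = False  # static (inside,inside) 2.2.2.2 1.1.1.1
    pat_to_inside_if: bool = False      # nat (inside) 1 0 0 + global (inside) 1 interface

def trace(client_ip, cfg):
    """Follow client -> 2.2.2.2 arriving on the inside interface, then the reply.
    Returns (ok, reason)."""
    src, dst = client_ip, PUBLIC_IP
    if not cfg.intra_interface:
        return False, "dropped: packet may not exit the interface it entered"
    if not cfg.static_inside_inside:
        return False, "dropped: nothing maps 2.2.2.2 to a host on the inside"
    dst = SERVER_IP                      # destination rewritten by the static
    if cfg.pat_to_inside_if:
        src = FW_INSIDE_IP               # source hidden behind the firewall
    # The server replies to the source address it saw in the request.
    reply_src, reply_dst = dst, src
    if reply_dst != FW_INSIDE_IP:
        # Same subnet (or same host): the reply never passes the firewall,
        # so nothing rewrites its source back to 2.2.2.2.
        return False, f"broken: reply comes from {reply_src}, client expected {PUBLIC_IP}"
    # Reply returns to the firewall, which reverses both translations.
    return True, f"ok: reply delivered as {PUBLIC_IP} -> {client_ip}"

if __name__ == "__main__":
    for cfg in (Config(), Config(True), Config(True, True), Config(True, True, True)):
        print(cfg, "->", trace(SERVER_IP, cfg))
```

The model stops at address rewriting; it does not evaluate access lists or inspection.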
