topic Re: FQDN object in Twice NAT on ASA in Network Security

FQDN object in Twice NAT on ASA

janvanek — Tue, 05 Dec 2023 14:57:15 GMT

Hello community!

According to the https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html#:~:text=Twice%20NAT%20support%20for%20fully%2Dqualified%20domain%20name%20(FQDN)%20objects%20as%20the%20translated%20(mapped)%20destination, the firewall is supposed to support FQDN objects in NAT.

Firewall Features
Twice NAT support for fully-qualified domain name (FQDN) objects as the translated (mapped) destination	You can use an FQDN network object, such as one specifying www.example.com, as the translated (mapped) destination address in twice NAT rules. The system configures the rule based on the IP address returned from the DNS server.

I tried someting like

nat (any,any) source static 10.0.0.0 10.0.0.0 destination static www.example.com example.com

ERROR: Object www.example.com contains FQDN object. These are not supported in NAT commands.

Does anyone know if this is still supported or how it works? I should note that I have 9.18.x version.

THX you all in addition!

Jan

Re: FQDN object in Twice NAT on ASA

janvanek — Tue, 05 Dec 2023 15:00:28 GMT

Sorry for fat finger the command was actually

nat (any,any) source static 10.0.0.0 10.0.0.0 destination static www.example.com www.example.com

Re: FQDN object in Twice NAT on ASA

MHM Cisco World — Tue, 05 Dec 2023 15:09:09 GMT

I will check fqdn in NAT but did you try add object-network using fqdn in NAT instead of directly using FQDN?

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216553-understand-the-working-of-dns-on-asa-whe.html

MHM

Re: FQDN object in Twice NAT on ASA

janvanek — Tue, 05 Dec 2023 15:14:05 GMT

Sorry I forgot to explain. " www.example.com" is an object with the value " www.example.com" Otherwise the NAT command could not work.

Re: FQDN object in Twice NAT on ASA

MHM Cisco World — Tue, 05 Dec 2023 15:37:43 GMT

If that so check your ASA DNS config.

MHM

Re: FQDN object in Twice NAT on ASA

MHM Cisco World — Wed, 06 Dec 2023 10:27:31 GMT

Hi friend'

I make second review' you use object name which look like fqdn' that why command reject.

Change the name and put fqdn within object and try again.

Note:- check link I share' you need sure the DNS service for this task

MHM

Re: FQDN object in Twice NAT on ASA

janvanek — Wed, 06 Dec 2023 10:23:20 GMT

Hello, Thx for reply.

Tried this:

object network SOURCE_OBJECT
subnet 10.10.0.0 255.255.0.0
object network DESTINATION_FQDN
fqdn www.example.com

nat (any,any) source static SOURCE_OBJECT SOURCE_OBJECT destination static SOURCE_OBJECT DESTINATION_FQDN

-this works. That means I can only use FQDN object in "translated (mapped) destination".

Thank you again, I thing problem was solved.

Jan

Re: FQDN object in Twice NAT on ASA

MHM Cisco World — Wed, 06 Dec 2023 10:26:25 GMT

Friend you are so welcome

I am glad your issue is solved.

Have a nice day

MHM