topic Hi,I think you can create the in Network Security

inside ASA cannot use domain name !

rechard_hk — Tue, 12 Mar 2019 04:55:24 GMT

Dear all,

Currently i'm using ASA 5512X and i have DMZ for web server. and i was forwarding from outside to DMZ is working fine. but i have problem with my client access web ( www.abc.com ) it doesn't work but they using ip address ( 192.168.0.50 ) it's working, i think have some problem and not resolve domain name. how can i allow inside host to access web by domain name?

Best Regards,

Rechard

Hi,What is the DNS server you

Vibhor Amrodia — Tue, 14 Oct 2014 10:30:19 GMT

Hi,

What is the DNS server you are using on the Clients ?

If External DNS server . do you have DNS allowed on the ASA device ?

This you can find out using a packet tracer output:-

packet inout <ingress interface> udp <internal client ip> 3456 4.2.2.2 53 det

Thanks and Regards,

Vibhor Amrodia

Hi, The problem is most

Jouni Forss — Tue, 14 Oct 2014 10:38:06 GMT

Hi,

The problem is most likely that your LAN users are using a public DNS (or internal DNS that resolves the name using public DNS information) and this DNS query returns the public IP address.

Now if this is true then the next problem is the NAT portion of the ASA. You most likely only have a Static NAT configured for the DMZ server towards the "outside" interface. When the LAN host gets the public IP address as a reply from the public DNS server it then tries to connect to that IP address. Since the NAT is only performed towards the "outside" interface and not your LAN interface this means that the connections will fail.

Some solutions for this are the following

If you have the following format Static NAT configuration for the server

object network SERVER
host <internal ip>
nat (dmz,outside) static <public ip>

Then you will need to add the parameter "dns" after the section "<public ip>". This will make it so that when the ASA sees the DNS reply from the server which contains this public NAT IP address it will change the DNS reply to contain the "<internal ip>" and in this way the users can use the DNS name to connect even though they will actually connect using the internal IP address rather than the public IP address.

Another option is to simply configure a Static NAT from DMZ to LAN using the public IP address. With this you have to consider the existing environment and answer the question: Is any LAN host connecting to this server with its public IP address? If not then you can configure the Static NAT towards LAN. If yes, then you would either have to use another solution OR configure Static Identity NAT and Static NAT so that the server can be accessed with either of the IP addresses (local or public)

object network PUBLIC-NAT
host <internal ip>
nat (dmz,inside) static <public ip>

object network IDENTITY-NAT
host <internal ip>
nat (dmz,inside) static <internal ip>

If you have an internal DNS server then you can naturally configure the DNS name to point to the local IP address directly on your own server and avoid this problem.

Hope this made any sense and hope it helps 🙂

EDIT: Error in the second options NAT configuration. Corrected

- Jouni

Dear Vibhor and jouni, Thanks

rechard_hk — Thu, 16 Oct 2014 07:58:57 GMT

Dear Vibhor and jouni,

Thanks you for your email !

on my client using DNS from ISP. and let me try to add nat(DMZ,inside) .

if still the same problem i will let you know.

one more think i have some issue that, i have one ISP but have multi public ip address line 203.10.10.1- 203.10.10.5 and i have 3 webserver , how can i use and forwarding from outside to webserver by using 3 public ip address . let me detail that:

1- Webserver 01( DMZ01: 192.168.10.2 with public ip : 203.10.10.2)

2- Webserver 01( DMZ02: 192.168.10.3 with public ip : 203.10.10.3)

3- Webserver 01( DMZ03: 192.168.10.4 with public ip : 203.10.10.4)

Note: interface outside is 203.10.10.1 and inside is 192.168.10.1.

Best Regards,

Rechard

Hi, Notice that configuring

Jouni Forss — Thu, 16 Oct 2014 08:08:29 GMT

Hi,

Notice that configuring the same public Static NAT towards "inside" was just one of the suggestions. Adding the "dns" parameter to the end of the current "nat" command might already do the trick.

With regards to the question you have, are you saying that you simply want to configure Static NAT for 3 internal servers by giving each of them their own public IP address?

If so then theres nothing different there compared to any existing Static NAT you have configured. Just configure the "object network" for each of the servers and define the servers local IP address under the "object network" with the command "host" and then enter the proper "nat" command also.

The basic configuration format for Static NAT using Auto NAT / Network Object NAT is

object network WEBSERVER-01
host 192.168.10.2
nat (dmz,outside) static 203.10.10.2

Naturally your "object network" name might probably be different and you might have named your interfaces differently. But you should be able to convert the above configuration to your needs for all the 3 servers.

Hope this helps 🙂

- Jouni

Hi,I think you can create the

Vibhor Amrodia — Thu, 16 Oct 2014 08:10:08 GMT

Hi,

I think you can create the NAT statements as:-

object network 192.168.10.2
host <internal ip>
nat (dmz,inside) static 203.10.10.2

object network 192.168.10.3
host <internal ip>
nat (dmz,inside) static 203.10.10.3

object network 192.168.10.4
host <internal ip>
nat (dmz,inside) static 203.10.10.2

You can permit port or the complete IP based on your requirement.

access-list outside-inside permit ip any host 192.168.10.2
access-list outside-inside permit ip any host 192.168.10.3

access-list outside-inside permit ip any host 192.168.10.4

access-group outside-inside in interface outside

Dear Jouni and Vibhor, thanks

rechard_hk — Fri, 17 Oct 2014 02:21:14 GMT

Dear Jouni and Vibhor,

thanks for your advice.

Could you verify on command as below:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.10.10.1 255.255.255.224

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0

access-list outside-inside permit tcp any host 192.168.10.2 eq www
access-list outside-inside permit tcp any host 192.168.10.3 eq www
access-list outside-inside permit tcp any host 192.168.10.4 eq www

access-group outside-inside in interface outside

object network web01
host 192.168.10.2
nat (outside,inside) static 203.10.10.2

object network web02
host 192.168.10.3
nat (outside,inside) static 203.10.10.3

object network web03
host 192.168.10.4
nat (outside,inside) static 203.10.10.4

Hi,Reverse the Interface

Vibhor Amrodia — Fri, 17 Oct 2014 10:54:40 GMT

Hi,

Reverse the Interface Names:-

object network web01
host 192.168.10.2
nat (inside,outside) static 203.10.10.2

object network web02
host 192.168.10.3
nat (inside,outside) static 203.10.10.3

object network web03
host 192.168.10.4
nat (inside,outside) static 203.10.10.4

Rest is good.

Thanks and Regards,

Vibhor Amrodia

Dear Vibhor, thanks for you

rechard_hk — Fri, 17 Oct 2014 14:35:15 GMT

Dear Vibhor,

thanks for you command.

i will apply and test it.

One more, i still one problem that i post last time that from outside they can access my domain https://abc.com and my client inside they cannot access by domain ( https://abc.com) but i can access ip address . what is going on ?

now i'm using ASA 5515 with V9.1

best Regards,

Rechard

Hi,By Domain are you

Vibhor Amrodia — Sat, 18 Oct 2014 05:38:55 GMT

Hi,

By Domain are you referring to the Web Server using the Host names ?

If yes , were you able to add the NAT statement which i recommended earlier ?

Thanks and Regards,

Vibhor Amrodia