topic ASA - NAT to Dst - FQDN in Network Security

ASA - NAT to Dst - FQDN

Alex Sykes — Tue, 12 Mar 2019 01:08:16 GMT

Hi All,

Can someone tell me why you cannot set up a NAT rule on the ASAs with the destination address being a FQDN?

I want to allow some internal addresses to bypass our proxy to go to an external address and thought this would be the best way to do it, but the FQDN opetion isn't there.

Many thanks

Alex

ASA - NAT to Dst - FQDN

Jouni Forss — Fri, 01 Mar 2013 15:00:03 GMT

Hi,

Do you have some device in front of the ASA controlling which traffic goes through proxy or how is the NAT going to be used?

Dont seem you can use a "object network" with "fqdn" in NAT configurations as you say though I have never even tried before.

- Jouni

ASA - NAT to Dst - FQDN

Alex Sykes — Fri, 01 Mar 2013 16:37:44 GMT

Hi Jouni,

Many thanks for your quick reply.

We use a BlueCoat proxy device for all our web traffic and this is what I want to bypass which I can do if I put in an ACL and corresponding NAT rule allowing me to do so, but only for a host, a range of addresses of a network, but not FQDN.

I was curious as to why the FQDN option isn't there.

We have nothing in front of the ASA controlling which traffic goes through the proxy.

Thanks

Alex

ASA - NAT to Dst - FQDN

Jouni Forss — Fri, 01 Mar 2013 17:00:35 GMT

Hi,

Are we talking about a configuration where the ASA has a "wccp" configuration that determines which traffic is handled with the Bluecoat?

Wouldnt it then be possible to evade the host and its certain destination from proxy by configuring a "deny ip" statement in the "wccp" ACL used?

I might have misunderstood the situation and I dont deal with that much with proxy setup while we do have a few ASA + Irontport setups where ASA uses "wccp"

- Jouni

ASA - NAT to Dst - FQDN

Alex Sykes — Fri, 01 Mar 2013 17:09:12 GMT

Hi,

I don't believe we use wccp, however, I'm new to ASAs, so I'm not 100% sure.

I think we're getting beyond the realms of my original question of why you can't use a FQDN when NATting.

Thanks for your responses.

Alex

ASA - NAT to Dst - FQDN

jocamare — Fri, 01 Mar 2013 21:15:06 GMT

Even though you can configure FQDNs inside the objects you can't use them in a nat configuration, the ASA won't let you do it, he will even tell you that it's not supported.

You can try it and confirm it. Nothing will happen.

Can you confirm if this is

nstewart — Thu, 20 Jul 2017 13:37:15 GMT

Can you confirm if this is still the case for NAT to DST FQDN? or are there any versions of software that can do this?

or Did you find a workaround?

thanks in advance

Re: Can you confirm if this is

ripicado — Thu, 04 Oct 2018 23:59:33 GMT

ASA still does not support to NAT based on FQDN, the closest would be to configure the NAT rule and route the traffic with PBR, however, you need to keep the list of public IPs that the domain resolves to.

Re: Can you confirm if this feature is supported in Cisco Firepower Firewalls?

sandeeplugani — Tue, 18 Dec 2018 14:19:43 GMT

Hello,

Please confirm if the feature of NAT to dynamic IPs or NAT to FQDN is supported in Cisco Firepower Firewalls. If not, then please suggest workaround for the same.

Re: ASA - NAT to Dst - FQDN

gabarrio — Wed, 08 Feb 2023 11:15:59 GMT

It seems is now possible if you upgrade to 9.17+, as per

https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html#:~:text=Twice%20NAT%20support%20for%20fully%2Dqualified%20domain%20name%20(FQDN)%20objects%20as%20the%20translated%20(mapped)%20destination