https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983912#M439357 <HTML><HEAD></HEAD><BODY><P>No, unfortunately you can't NAT the ASA interface IP Addresses, and also you can't connect cross interfaces, so if you are on the Guest network, you can't connect to the Outside interface.</P><P></P><P>ASA also does not provide DNS functionality as it is not a DNS server.</P><P></P><P>For guest users, they can only connect to othe Guest-ASA IP, and you would need to add the certificate to the CA Root certificate store on the PC and you won't get the error after adding those.</P></BODY></HTML> Sat, 04 Aug 2012 16:42:01 GMT Jennifer Halim 2012-08-04T16:42:01Z https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983911#M439356 <P>Hi there,</P><P>Wo got an ASA5510 (8.2x) with an inside, guest and outside interface.</P><P>On the guest interface, we have DHCP function on the ASA.</P><P>On the outside, there is web-ssl vpn (dns hostname on a public isp-dns server) configured.</P><P></P><P>When an user on the guest net tries to get connected with the web-ssl dns-name, it resolves the public, outside interface-ip , the ASA dropps it.</P><P><SPAN>I know, with static NAT it can be resolved (</SPAN><A class="jive-link-external-small" href="http://m.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140" rel="nofollow" target="_blank">http://m.techrepublic.com/blog/networking/cisco-asa-and-dns-pain-is-there-a-doctor-in-the-house/1140</A><SPAN>), but on</SPAN></P><P>this scenario, we are trying to build a connection from a guest inside IP to the public-ip form the outside ASA interface.</P><P>If the guest users try an web-ssl connection on the guest-ASA IP, it works with a certificate error ( because there is no internal DNS on the guest net to resolve the dns name to the guest-interface IP).</P><P></P><P>So how can this be achieved? Can the ASA provide DNS server function? Can a NAT static entry (outside ip to interface guest) solve it?</P><P>It's the only solution an inhouse DNS server in the guest-net?</P><P></P><P>Thanks,</P><P>Norbert</P> Mon, 11 Mar 2019 23:38:10 GMT https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983911#M439356 alig.norbert 2019-03-11T23:38:10Z https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983912#M439357 <HTML><HEAD></HEAD><BODY><P>No, unfortunately you can't NAT the ASA interface IP Addresses, and also you can't connect cross interfaces, so if you are on the Guest network, you can't connect to the Outside interface.</P><P></P><P>ASA also does not provide DNS functionality as it is not a DNS server.</P><P></P><P>For guest users, they can only connect to othe Guest-ASA IP, and you would need to add the certificate to the CA Root certificate store on the PC and you won't get the error after adding those.</P></BODY></HTML> Sat, 04 Aug 2012 16:42:01 GMT https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983912#M439357 Jennifer Halim 2012-08-04T16:42:01Z https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983913#M439358 <HTML><HEAD></HEAD><BODY><P>Had to put a DNS (IOS Router) in the guest NAT. </P><P></P><P>For Cisco.</P><P>Such a service (DNS Server) should be supported on the ASA......</P><P></P><P>Greets,</P><P>Norbert</P></BODY></HTML> Tue, 14 Aug 2012 12:00:36 GMT https://community.cisco.com/t5/network-security/asa-dns-for-inside-clients-ssl-vpn-from-inside-to-ouside-ip/m-p/1983913#M439358 alig.norbert 2012-08-14T12:00:36Z