01-21-2013 07:35 AM - edited 03-11-2019 05:50 PM
Hello,
I have a DNS name for the public ASA IP
and I want to use ASDM on the LAN with the public DNS name or IP.
With v8.2, I can use "alias", and it's OK, but alias doesn't work on >8.4.
I tried with "static" and DNS doctoring.
I can, but I lose access to the public IP from the Internet.
I tried this:
static (inside,outside) interface access-list inside_nat_static dns
access-list inside_nat_static extended permit ip interface inside interface outside
Can you help me?
Thanks
01-21-2013 03:45 PM
That solution that you had earlier on v8.2 is not meant to work, but somehow you made it work.
You won't be able to access the public IP interface from the LAN network, i.e. you can't cross interfaces on the ASA firewall.
Do you have an internal DNS server? If you do, then you can configure the LAN IP as the resolution.
If an Internet user is accessing your internal DNS server for the resolution, then you can configure the static NAT statement with the DNS keyword, and that would change the private IP to the public IP for the Internet user.
01-21-2013 11:59 PM
Thanks, but we don't have an internal DNS server.
I have a URL on a public web server with a redirect to the ASDM public URL.
I want DNS doctoring, but without the NAT.
Thanks
01-22-2013 04:28 AM
Have you added the "dns" keyword on the dynamic NAT statement for your internal subnet accessing the Internet?
01-22-2013 06:23 AM
Yes, I use this:
static (inside,outside) interface access-list inside_nat_static dns
DNS doctoring works fine, BUT I lose access to the ASA public service.
01-22-2013 01:07 AM
"and I want use ASDM on the LAN with public DNS name or IP"
Why would you want to do it?
01-22-2013 06:24 AM
I just want to use the public DNS name to access ASDM from the LAN and the Internet.
Like I can do with "alias", but "alias" is OUT.
Thanks
01-22-2013 07:03 PM
Unfortunately you won't be able to use the public DNS name for the ASA interface to access it from the LAN, as the DNS doctoring won't work for the interface IP itself, and you would probably break something else by configuring that static NAT statement.
The ASA won't NAT its interface IP to another interface, as they are 2 different interfaces and it is meant to do routing on those interfaces.