AnyConnect translation outside address

Oleg Volkov
Spotlight

Hello, I have an ASA with the following interfaces:

inside, security level 100

outside, security level 0

wifi, security level 50

dmz1, security level 20

And I have a server in dmz1, for example 10.10.10.2, and my outside interface IP is for example 128.10.10.2/27.

I have nat (outside,dmz1) source static any any destination static extsrvip intsrvip

where extsrvip is 128.10.10.3 and intsrvip is 10.10.10.2.

But I want to use a single DNS for all, mysrv.mycompany.com A: 128.10.10.3, and when WiFi users go to https://mysrv.mycompany.com they go to the outside IP, so I added the next translation: nat (wifi,dmz1) source static wifinet wifinet destination static extsrvip intsrvip

This rule translates the external IP to the real DMZ IP and works fine.

But I also want to allow WiFi users to connect to WebVPN on this ASA by the outside IP.

I tried to add the same translation, like:

nat (wifi,wifi) source static wifinet wifinet destination static outsideip wifiinterfaceip

and enable webvpn on the wifi interface, but it does not work.

What am I doing wrong? :-) Thank you!

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
2 Replies

Ashley Hare
Level 1

Hi there,

Whilst you can terminate VPNs on any interface, I believe that you need to use the interface which is closest to the client.

In this instance, if your WiFi users are coming in on your WiFi interface then you would have to terminate on that IP. They would not be able to connect to webvpn on the outside interface.

If you're trying to amend a DNS response to the client, try adding the keyword 'dns' to the end of your NAT statement to doctor the DNS response back to the client for your outside interface.

The following article might help:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html#anc6
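As an added illustration of the DNS doctoring described in the linked three-zone article (this is not configuration from the thread): the DMZ server's static NAT carries the dns keyword, so when a WiFi client queries the public resolver and the reply crosses the ASA, the A record 128.10.10.3 is rewritten to 10.10.10.2 before it reaches the client, which then talks to the real server address. The wifinet subnet and the object names are assumptions; the addresses are the ones given in the question.

```text
! Constructed example; wifinet subnet and object names are assumptions
object network wifinet
 subnet 192.168.50.0 255.255.255.0

! Real DMZ web server. The object NAT to its public address carries "dns",
! so DNS replies that pass through the ASA and contain 128.10.10.3 have the
! A record rewritten to 10.10.10.2 for clients on the other interfaces
! (the three-zone DNS doctoring case from the linked article).
object network intsrvip
 host 10.10.10.2
 nat (dmz1,outside) static 128.10.10.3 dns

! The rewrite only happens when DNS inspection is enabled; it is part of the
! default global policy, shown here in case it was removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! With the doctored reply, WiFi clients connect to 10.10.10.2 directly over
! the (wifi,dmz1) path, so the twice-NAT hairpin rule that maps extsrvip to
! intsrvip for wifinet is no longer needed for the web server.
```

This covers the DMZ web server only; the thread shows no working way for WiFi clients to reach WebVPN on the outside address, and Ashley's advice is to terminate on the wifi interface instead.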

I understand this, but I use a public DNS on the WiFi segment and it resolves my VPN FQDN to the outside IP, and I want to translate it to the wifi interface, but I have a problem.

The other way: I can deploy a dedicated DNS server for the WiFi segment and use a different A record for the VPN FQDN, but it is not the best way.

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog