Just a quick question. I would like to implement the FQDN ACL feature. The ASA which I am using for this has a private IP address configured on its outside interface.
Traffic initiated from the inside interfaces will be statically 1:1 NATted to a public IP range. Traffic initiated on the ASA itself (to query the configured DNS servers) will leave the outside interface (according to the routing table) and carry its private IP as the source IP. There's a router behind this private subnet which provides the actual Internet access. This router doesn't do any NAT; it expects the traffic to be already NATted to a specific public pool. I tried to NAT these DNS queries initiated from the ASA itself, but apparently this traffic doesn't hit any NAT rule I tried to configure.
Any ideas if this is just working as designed, or is it in any way possible to get this DNS traffic, originating at the ASA itself, to be NATted?
Re: ASA NAT connections originating at the ASA itself
Interesting one! It looks like you need some kind of self-NAT for the firewall. I would simply aim at creating a NAT rule on the router upfront. Let's see if there are any other ideas, in case there are some blind spots here.
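As an added illustration of the workaround suggested in the reply (this is example configuration written for this page, not something posted by either participant), the fragment below shows the two pieces involved: the ASA resolving FQDN objects out of its outside interface, and the upstream IOS router translating the ASA's own outside address. All addresses, interface names and object names are assumptions chosen for the example; the ASA outside address is taken to be 192.168.1.2 on a 192.168.1.0/24 link to the router, and 203.0.113.10 is assumed to be a free address in the public pool the router already expects.

```text
! --- ASA side (example only; addresses and names are assumed) ---
! DNS lookups for FQDN objects are sourced by the ASA itself from the
! interface named here, so they leave with the outside address 192.168.1.2.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! The FQDN object that triggers the DNS queries in question.
object network web-example
 fqdn v4 www.example.com
!
access-list INSIDE_IN extended permit tcp any object web-example eq 443
access-group INSIDE_IN in interface inside

! --- Upstream IOS router (example only) ---
! Translate only the ASA's own outside address. Traffic that the ASA
! has already NATted to the public pool does not match this rule and
! passes through untranslated, as before.
interface GigabitEthernet0/0
 description link to ASA outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source static 192.168.1.2 203.0.113.10
```

Two practical notes on this layout. First, a static 1:1 entry is bidirectional, so once it is in place the ASA's outside interface becomes reachable from the Internet as 203.0.113.10; restrict inbound traffic on the router's Internet-facing interface (or on the ASA's to-the-box rules) to the DNS replies you actually expect. Second, pick the public address from the pool so that it does not collide with any address the ASA already uses in its own 1:1 translations, otherwise return traffic for those hosts will be mis-delivered.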