6796 Views | 5 Helpful | 9 Replies

ASA - NAT to Dst - FQDN

Alex Sykes
Level 1

Hi All,

Can someone tell me why you cannot set up a NAT rule on the ASAs with the destination address being an FQDN?

I want to allow some internal addresses to bypass our proxy to go to an external address and thought this would be the best way to do it, but the FQDN option isn't there.

Many thanks

Alex

9 Replies

Jouni Forss
VIP Alumni

Hi,

Do you have some device in front of the ASA controlling which traffic goes through proxy or how is the NAT going to be used?

It doesn't seem you can use an "object network" with "fqdn" in NAT configurations, as you say, though I have never even tried it before.

- Jouni

Hi Jouni,

Many thanks for your quick reply.

We use a BlueCoat proxy device for all our web traffic, and this is what I want to bypass. I can do that if I put in an ACL and a corresponding NAT rule, but only for a host, a range of addresses or a network, not for an FQDN.

I was curious as to why the FQDN option isn't there.

We have nothing in front of the ASA controlling which traffic goes through the proxy.

Thanks

Alex

Hi,

Are we talking about a configuration where the ASA has a "wccp" configuration that determines which traffic is handled with the Bluecoat?

Wouldn't it then be possible to exempt the host and its particular destination from the proxy by configuring a "deny ip" statement in the "wccp" ACL used?

I might have misunderstood the situation, and I don't deal that much with proxy setups, while we do have a few ASA + IronPort setups where the ASA uses "wccp".

- Jouni

Hi,

I don't believe we use wccp, however, I'm new to ASAs, so I'm not 100% sure.

I think we're getting beyond the realms of my original question of why you can't use an FQDN when NATting.

Thanks for your responses.

Alex

Even though you can configure FQDNs inside the objects, you can't use them in a NAT configuration. The ASA won't let you do it; it will even tell you that it's not supported.

You can try it and confirm it. Nothing will happen.

Can you confirm if this is still the case for NAT to a destination FQDN? Or are there any versions of software that can do this?

Or did you find a workaround?

thanks in advance

The ASA still does not support NAT based on FQDN. The closest would be to configure the NAT rule and route the traffic with PBR; however, you need to keep the list of public IPs that the domain resolves to.
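
The workaround described in the reply above, written out as an added example (this is not Cisco's code or anything posted in the thread): a small Python generator that takes the IPs a domain currently resolves to and emits the ASA configuration for a destination object-group, a twice NAT rule that PATs only the bypass hosts toward those IPs, and a PBR route-map that sends that traffic to an Internet next hop instead of the proxy. The interface names (`GigabitEthernet0/1`, `inside`, `outside`), the next-hop address, the object names and the sample addresses in the `__main__` block are all constructed assumptions; PBR on the ASA requires software 9.4 or later, and the script has to be re-run (and the diff pushed) whenever the domain's DNS records change, which is the maintenance burden the reply points out.

```python
"""
ASA "NAT to FQDN" workaround generator (added example, not Cisco's code).

ASA NAT cannot reference a network object defined with `fqdn`, so this
maintains a plain object-group of the resolved IPs, NATs on that group,
and steers the traffic with policy-based routing (ASA 9.4+).  Re-run it
whenever the domain's records change; the output is deterministic so a
diff against the running config is readable.
"""
import ipaddress
import socket
from typing import Iterable, List


def resolve_fqdn(fqdn: str) -> List[str]:
    """Current IPv4 answers for fqdn (needs DNS; the offline demo below
    uses constructed addresses instead)."""
    answers = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({a[4][0] for a in answers})


def _network_object(entry: str) -> str:
    """Render one ASA network-object line for a host or a CIDR subnet.
    Raises ValueError on anything that is not a valid address/prefix."""
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)
        return f" network-object {net.network_address} {net.netmask}"
    return f" network-object host {ipaddress.ip_address(entry)}"


def asa_fqdn_bypass_config(fqdn: str, resolved_ips: Iterable[str],
                           inside_sources: Iterable[str], next_hop: str,
                           inside_ifname: str = "GigabitEthernet0/1",  # assumed
                           inside_nameif: str = "inside",
                           outside_nameif: str = "outside") -> List[str]:
    """Return the ASA CLI lines for the NAT + PBR bypass of `fqdn`."""
    tag = fqdn.upper().replace(".", "_")
    dst_group = f"DST_{tag}"
    src_group = "PROXY_BYPASS_SRC"
    acl = f"PBR_BYPASS_{tag}"
    ipaddress.ip_address(next_hop)  # validate before emitting anything

    # Dedupe while keeping order so the generated group is stable.
    ips = list(dict.fromkeys(resolved_ips))
    if not ips:
        raise ValueError(f"no addresses for {fqdn}; refusing to emit an "
                         "empty group (that would match nothing)")

    lines = [f"! generated for {fqdn}; re-run when its DNS records change",
             f"object-group network {dst_group}"]
    lines += [_network_object(ip) for ip in ips]
    lines.append(f"object-group network {src_group}")
    lines += [_network_object(src) for src in inside_sources]
    lines += [
        # Twice NAT: only the listed sources, only toward the resolved IPs,
        # PAT to the outside interface address.  Ordinary proxy-bound
        # traffic is untouched because the destination does not match.
        f"nat ({inside_nameif},{outside_nameif}) source dynamic {src_group} "
        f"interface destination static {dst_group} {dst_group}",
        # PBR: same source/destination match, next hop is the Internet
        # router rather than the default route that leads to the proxy.
        f"access-list {acl} extended permit ip "
        f"object-group {src_group} object-group {dst_group}",
        "route-map PBR_BYPASS permit 10",
        f" match ip address {acl}",
        f" set ip next-hop {next_hop}",
        f"interface {inside_ifname}",
        " policy-route route-map PBR_BYPASS",
    ]
    return lines


if __name__ == "__main__":
    # Constructed sample data (documentation ranges), not real resolutions.
    sample_ips = ["198.51.100.10", "198.51.100.11"]
    for line in asa_fqdn_bypass_config("updates.example.com", sample_ips,
                                       ["10.1.1.5", "10.1.2.0/24"],
                                       "203.0.113.1"):
        print(line)
```

In production you would call `resolve_fqdn()` on a schedule, compare its answer with the previous run, and only push the regenerated object-group when it differs; the NAT and PBR lines never change, so the ASA sees a one-object diff. Note that the object-group is a snapshot: if the remote service sits behind a CDN with short TTLs or many A records, the list can be stale between runs, and traffic to an address not in the group falls back to the proxy path.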

Hello,


Please confirm if the feature of NAT to dynamic IPs or NAT to FQDN is supported in Cisco Firepower firewalls. If not, then please suggest a workaround.
