05-30-2011 08:46 AM - edited 03-11-2019 01:40 PM
Hello Everyone
Recently, I deployed an ASA 5520 as our company firewall. Everything was working fine except for two main problems which I still cannot resolve after a lot of research. I hope someone could help me out or give some ideas.
1. DNS rewriting - Internal users cannot access the DMZ or internal server by putting in the domain or external IP address. For example, https://domain.com resolves to our WAN IP address 210.0.0.83 (the internal IP address is 192.168.1.21).
I used static (inside,Outside) tcp 210.0.0.83 https 192.168.1.21 https netmask 255.255.255.255 dns, but it will not work. We have our internal DNS server, but don't want to just add the domain as a record. Is there any way to get the internal users to access the internal server and DMZ server through the public domain?
2. We also have multiple internal subnets. Another router is connected to the ASA firewall inside interface using IP address 192.168.1.223, and another subnet 10.1.15.16/28 is behind this router. The users in subnet 192.168.1.0/24 connect to the firewall inside interface directly.
I added a static route and intra-interface permit:
route inside 10.1.15.16 255.255.255.240 192.168.1.223 1
same-security-traffic permit intra-interface
I also added:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.15.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.1.15.16 255.255.255.240 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
The internal users on 192.168.1.0/24 can ping 10.1.15.18 but can not telnet to 10.1.15.18 22.
If I set 192.168.1.223 as the default gateway on one of the workstations on 192.168.1.0/24, it can telnet to 10.1.15.18 22 without any problem.
I am really stuck on these two problems, please could someone help me out.
Thank you very much.
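The second problem is a classic asymmetric-routing case: the client's SYN goes to the ASA, which hairpins it out the inside interface to 192.168.1.223, but the server's SYN-ACK comes back from the router straight to the client on the same subnet, so the ASA never sees the handshake complete and drops the rest of the TCP flow while ping keeps working. The following Python model, added here and not from any poster in this thread, traces both directions over the topology described above and flags flows the firewall sees only one way; it assumes addresses the post does not give (ASA inside 192.168.1.1, a client at 192.168.1.50, and 10.1.15.17 as the router's address inside 10.1.15.16/28).

```python
import ipaddress

# Constructed model of the topology in the question. Assumed, since the thread
# does not state them: ASA inside address 192.168.1.1, a client at 192.168.1.50,
# and 10.1.15.17 as the router's address in 10.1.15.16/28. None = directly connected.
ROUTES = {
    "client": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],
    "asa":    [("192.168.1.0/24", None), ("10.1.15.16/28", "192.168.1.223")],
    "router": [("192.168.1.0/24", None), ("10.1.15.16/28", None),
               ("0.0.0.0/0", "192.168.1.1")],
    "server": [("10.1.15.16/28", None), ("0.0.0.0/0", "10.1.15.17")],
}
OWNER = {"192.168.1.50": "client", "192.168.1.1": "asa", "192.168.1.223": "router",
         "10.1.15.17": "router", "10.1.15.18": "server"}

def next_hop(node, dst, routes):
    """Longest-prefix match in node's table; returns the name of the next node."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes[node]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"{node}: no route to {dst}")
    return OWNER[dst] if best[1] is None else OWNER[best[1]]

def trace(src, dst, routes):
    """Ordered list of nodes a packet from src to dst passes through."""
    node, path = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        node = next_hop(node, dst, routes)
        path.append(node)
    return path

def stateful_verdict(src, dst, routes=ROUTES, firewall="asa"):
    """Report whether the stateful firewall sees both halves of a flow."""
    fwd, rev = trace(src, dst, routes), trace(dst, src, routes)
    in_fwd, in_rev = firewall in fwd, firewall in rev
    return {
        "forward": fwd, "reverse": rev,
        # Seeing only the SYN leaves the connection half-open in the ASA's
        # table, so the client's later segments are dropped; ping still works
        # because the echo reply never has to cross the ASA.
        "asymmetric": in_fwd != in_rev,
        "tcp_ok": in_fwd == in_rev,  # both directions seen, or neither
    }

if __name__ == "__main__":
    for key, value in stateful_verdict("192.168.1.50", "10.1.15.18").items():
        print(f"{key}: {value}")
```

Swapping the client's default gateway for 192.168.1.223 in the model takes the ASA out of both directions and `tcp_ok` becomes true, which matches the workstation test described in the post.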
05-30-2011 11:01 AM
Hi Dennis,
For the second issue, try the following command:
sysopt noproxyarp inside
It should work after this.
Thanks,
Varun
05-30-2011 11:43 PM
Thanks, Varun.
I tried the command, unfortunately, it did not work for me.