Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
1
Helpful
7
Replies

FQDN object in Twice NAT on ASA

janvanek
Level 1
Level 1

‎12-05-2023 06:57 AM

Hello community!

According to the https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html#:~:text=Twice%20NAT%20support%20for%20fully%2Dqualified%20domain%20name%20(FQDN)%20objects%20as%20the%20translated%20(mapped)%20destination, the firewall is supposed to support FQDN objects in NAT.

Firewall Features

Twice NAT support for fully-qualified domain name (FQDN) objects as the translated (mapped) destination

You can use an FQDN network object, such as one specifying www.example.com, as the translated (mapped) destination address in twice NAT rules. The system configures the rule based on the IP address returned from the DNS server.

 

I tried someting like

nat (any,any) source static 10.0.0.0 10.0.0.0 destination static www.example.com example.com

ERROR: Object www.example.com contains FQDN object. These are not supported in NAT commands.

Does anyone know if this is still supported or how it works? I should note that I have 9.18.x version.

THX you all in addition!

Jan

0 Helpful
7 Replies 7

janvanek
Level 1
Level 1

‎12-05-2023 07:00 AM

Sorry for fat finger  the command was actually

nat (any,any) source static 10.0.0.0 10.0.0.0 destination static www.example.com www.example.com

0 Helpful

MHM Cisco World
VIP
VIP
In response to janvanek

‎12-05-2023 07:09 AM

I will check fqdn in NAT but did you try add object-network using fqdn in NAT instead of directly using FQDN?

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/216553-understand-the-working-of-dns-on-asa-whe.html

MHM

0 Helpful

janvanek
Level 1
Level 1

‎12-05-2023 07:14 AM

Sorry I forgot to explain. " www.example.com" is an object with the value " www.example.com" Otherwise the NAT command could not work.

0 Helpful

MHM Cisco World
VIP
VIP
In response to janvanek

‎12-05-2023 07:37 AM

If that so check your ASA DNS config.

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to janvanek

‎12-05-2023 01:53 PM - edited ‎12-06-2023 02:27 AM

Hi friend' 

I make second review' you use object name which look like fqdn' that why command reject.

Change the name and put fqdn within object and try again.

Note:- check link I share' you need sure the DNS service for this task

MHM

0 Helpful

janvanek
Level 1
Level 1

‎12-06-2023 02:23 AM

Hello, Thx for reply.

Tried this:

object network SOURCE_OBJECT
subnet 10.10.0.0 255.255.0.0
object network DESTINATION_FQDN
fqdn www.example.com

nat (any,any) source static SOURCE_OBJECT SOURCE_OBJECT destination static SOURCE_OBJECT DESTINATION_FQDN 

-this works. That means I can only use FQDN object in "translated (mapped) destination".

Thank you again, I thing problem was solved.

BR

Jan

 

MHM Cisco World
VIP
VIP
In response to janvanek

‎12-06-2023 02:26 AM

Friend you are so welcome 

I am glad your issue is solved. 

Have  a nice day 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card