How to access the WAN interface from the local LAN on an ASA 5525-X

hi Cisco

I have the following model: Local network (NET10, NET20) <=> Cisco 3850 (VLAN 200) => ASA 5525-X => WAN / Internet

VLAN 10: 192.168.10.0/24

VLAN 20: 192.168.20.0/24

VLAN 200: connection between the core switch and the ASA 5525-X

Configured on the 3850 core switch:

interface VLAN 10 IP: 192.168.10.1

interface VLAN 20 IP: 192.168.20.1

interface VLAN 200 IP: 200.200.200.1

VLAN 200 connects the Cisco 3850 and the ASA 5525-X.

All VLAN 10 and VLAN 20 routing goes out through VLAN 200.

On the core switch:

ip route 0.0.0.0 0.0.0.0 200.200.200.2

On the ASA 5525-X, create routes for the 2 VLANs:

route inside200 192.168.10.0 255.255.255.0 200.200.200.1

route inside200 192.168.20.0 255.255.255.0 200.200.200.1

route wan 0.0.0.0 0.0.0.0 1.1.1.1

I have a web server at 192.168.10.200 with the domain abc.com; its WAN IP is 1.1.1.1.

I have configured NAT for the web server on port 80 on the WAN interface IP 1.1.1.1, and that works.

From the outside (the Internet) it works. However, from the local LAN (VLAN 10, 20) the web server is not accessible by that address.

My question is as follows:

  1. External access to the domain abc.com (1.1.1.1) => OK, NAT OK.
  2. From the local LAN, how do I access abc.com via the WAN IP 1.1.1.1? How do I configure local LAN access? (VLAN 10/20 => WAN => Internet => WAN => NAT => local server)

I want to access the web server from the local LAN using the WAN IP.

Right now I am using local DNS and have created an A record => local IP 192.168.10.200.

Thanks

Accepted Solution

Hi gbekmezi-DD,

Thanks,

I have found documentation that says this issue is mainly about DNS packets.
Cisco offers the concept of DNS doctoring.
Cisco DNS doctoring is a process that intercepts a DNS response packet as it comes back into the network and changes the IP address in the response.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

I will try to configure DNS doctoring.

Thanks
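As an added example, not posted in this thread and not taken from the linked Cisco document, this is what the DNS doctoring configuration looks like on the ASA for the topology in the question. The interface names inside200 and wan, the server 192.168.10.200 and the domain abc.com come from the original post; the spare public address 1.1.1.2 and the object names WEB-REAL / WAN_IN are assumptions made for the example. One caveat drives the design: in object NAT the static rule accepts either the dns keyword or a service (port) translation, not both, so the existing port-80 forward to the interface address 1.1.1.1 cannot be doctored and a one-to-one static NAT with its own public address is used instead.

```cisco
! Added example (not from the thread). inside200, wan and 192.168.10.200 are
! from the original post; 1.1.1.2 is an ASSUMED spare public address.
! Object NAT takes "dns" OR "service", never both, so a port-forward to the
! interface IP 1.1.1.1 cannot carry DNS rewrite; use a 1:1 static NAT.
object network WEB-REAL
 host 192.168.10.200
 description internal web server for abc.com
 ! "dns" = DNS rewrite (doctoring): an A record of 1.1.1.2 in a DNS reply
 ! arriving on wan is rewritten to 192.168.10.200 before it reaches VLAN 10/20.
 nat (inside200,wan) static 1.1.1.2 dns
!
! The rewrite is done by DNS inspection; it is part of the default global
! policy on 8.3+, shown here so it can be verified rather than assumed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Inbound HTTP is permitted against the real (untranslated) address,
! which is how ACLs are evaluated on ASA 8.3 and later.
access-list WAN_IN extended permit tcp any object WEB-REAL eq www
access-group WAN_IN in interface wan
```

Doctoring only touches A records in replies that cross the ASA from wan to inside200, so the clients in VLAN 10/20 must resolve abc.com through a resolver reached via the wan interface; with the internal A record from the post in place, the ASA never sees the reply and the split-DNS answer applies instead. Once the rewrite is in effect the client connects to 192.168.10.200 directly, routed by the 3850, and no traffic hairpins through the ASA. To check the rule is in place, `show nat detail` lists the translation with the dns flag, and `show service-policy inspect dns` shows the DNS inspection counters incrementing as replies pass.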

3 Replies

Is there anyone who can help me?
Thanks

gbekmezi-DD
Level 5

Split DNS (which is what it sounds like you are doing) is the way to do it. You can't access the outside interface of the ASA from the inside like you are describing. You could consider changing your design by implementing multi-context and could probably do what you want to do then. I don't think it's worth it though.

