Solved

ASA 5505 dns redirect

Posted on 2010-08-24
8
1,042 Views
Last Modified: 2012-06-21
Hi,

I cannot get my internal users to reach our web server using the external ip. Here's the config.


access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) 192.168.10.15 xx.xx.45.38 netmask 255.255.255.255 dns
static (outside,inside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns

any suggestions?

TIA!
0
Comment
Question by:melfarit
  • 4
  • 4
8 Comments
 
LVL 14

Expert Comment

by:anoopkmr
Comment Utility
i hope the below access-list is applied on the outside interface , and 192.168.10.15 is the internal web server

try like this

no static (inside,outside) 192.168.10.15 xx.xx.45.38 netmask 255.255.255.255 dns
no static (outside,inside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns


static (inside,outside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns

 

0
 

Author Comment

by:melfarit
Comment Utility
Hi annoopkmr!

Thanks for your reply!

Now my config looks like this (including the access rules). I cant add the static ....... dns line, because I already have one? What are i missing?

access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
access-group outside_access_in in interface outside

0
 
LVL 14

Expert Comment

by:anoopkmr
Comment Utility
you must add that static command , then only we can achieve ur objective. just add  the line it will not disturb the traffic for long time.

no static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns

please clarify my below lines
i hope the below access-list is applied on the outside interface , and 192.168.10.15 is the internal web server

0
 

Author Comment

by:melfarit
Comment Utility
Hi anoopkmr,

Now the line is added, but it is still not working :-( Here's my config. 192.168.15.10 is the internal web server.

Thanks for your help!

ASA Version 8.2(1)
!
hostname statusDKFW
enable password m2FPYFUPCgXtpfSY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.45.37 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.45.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.100-192.168.15.130 inside
dhcpd dns xx.xx.34.11 xx.xx.34.71 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns MY_DNS_INSPECT_MAP
!
prompt hostname context
Cryptochecksum:4733aadad561e7f4650d6063149f2a88
: end
no asdm history enable
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 14

Expert Comment

by:anoopkmr
Comment Utility
what is ur webserver ip ?
0
 

Author Comment

by:melfarit
Comment Utility
Hi,

FW outside ip xx.xx.45.37
Webserver outside ip xx.xx.45.38
Webserver inside 192.168.15.10

Tia

0
 
LVL 14

Expert Comment

by:anoopkmr
Comment Utility
try after

clear xlate

clear conn all
0
 

Accepted Solution

by:
melfarit earned 0 total points
Comment Utility
Hi,

It had not effekt at all. However I managed to get it to work.

I used this guide : http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml#solution2

Go to the section: Alternative Solution: Hairpinning

That worked for me

To annoopkmr : Thank for your try!

Greatings

Lasse
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now