melfarit
asked on
ASA 5505 dns redirect
Hi,
I cannot get my internal users to reach our web server using the external ip. Here's the config.
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) 192.168.10.15 xx.xx.45.38 netmask 255.255.255.255 dns
static (outside,inside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns
any suggestions?
TIA!
I cannot get my internal users to reach our web server using the external ip. Here's the config.
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) 192.168.10.15 xx.xx.45.38 netmask 255.255.255.255 dns
static (outside,inside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns
any suggestions?
TIA!
ASKER
Hi annoopkmr!
Thanks for your reply!
Now my config looks like this (including the access rules). I cant add the static ....... dns line, because I already have one? What are i missing?
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
Thanks for your reply!
Now my config looks like this (including the access rules). I cant add the static ....... dns line, because I already have one? What are i missing?
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
you must add that static command , then only we can achieve ur objective. just add the line it will not disturb the traffic for long time.
no static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns
please clarify my below lines
i hope the below access-list is applied on the outside interface , and 192.168.10.15 is the internal web server
no static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255
static (inside,outside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns
please clarify my below lines
i hope the below access-list is applied on the outside interface , and 192.168.10.15 is the internal web server
ASKER
Hi anoopkmr,
Now the line is added, but it is still not working :-( Here's my config. 192.168.15.10 is the internal web server.
Thanks for your help!
ASA Version 8.2(1)
!
hostname statusDKFW
enable password m2FPYFUPCgXtpfSY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.45.37 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.45.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco rd DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.100-192.168.15. 130 inside
dhcpd dns xx.xx.34.11 xx.xx.34.71 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns MY_DNS_INSPECT_MAP
!
prompt hostname context
Cryptochecksum:4733aadad56 1e7f4650d6 063149f2a8 8
: end
no asdm history enable
Now the line is added, but it is still not working :-( Here's my config. 192.168.15.10 is the internal web server.
Thanks for your help!
ASA Version 8.2(1)
!
hostname statusDKFW
enable password m2FPYFUPCgXtpfSY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.45.37 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq 81
access-list outside_access_in extended permit tcp any host xx.xx.45.38 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) xx.xx.45.38 192.168.15.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.45.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.100-192.168.15.
dhcpd dns xx.xx.34.11 xx.xx.34.71 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
!
!
policy-map type inspect dns MY_DNS_INSPECT_MAP
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns MY_DNS_INSPECT_MAP
!
prompt hostname context
Cryptochecksum:4733aadad56
: end
no asdm history enable
what is ur webserver ip ?
ASKER
Hi,
FW outside ip xx.xx.45.37
Webserver outside ip xx.xx.45.38
Webserver inside 192.168.15.10
Tia
FW outside ip xx.xx.45.37
Webserver outside ip xx.xx.45.38
Webserver inside 192.168.15.10
Tia
try after
clear xlate
clear conn all
clear xlate
clear conn all
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
try like this
no static (inside,outside) 192.168.10.15 xx.xx.45.38 netmask 255.255.255.255 dns
no static (outside,inside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns
static (inside,outside) xx.xx.45.38 192.168.10.15 netmask 255.255.255.255 dns