Cisco ASA 5505 allow inside traffic out and back in via wan IP?


  • Cisco ASA 5505 allow inside traffic out and back in via wan IP?

    So, I always remember Ciscos having an issue with this, and I never bothered to look up how to resolve it. On a SonicWall, Watchdog, hell even a Linksys home router, if an internal DNS query resolves to the external IP address of the router, the router still allows that traffic back in and to be NATed to the correct device.

    An example: an internal web server with only one DNS entry, for the external IP, that is port-NATed to the web server. If, on my internal machine, I attempt to go to awebsite.com and that website resolves to my external IP, most routers will allow that traffic back in as long as the correct NATs are in place. But I have never been able to get this working on a Cisco device.

    How do I get this going? My external IP is assigned by DHCP (I use dyndns.org) and my internal subnet is 192.168.168.0/24. Thanks!

  • #2
    Re: Cisco ASA 5505 allow inside traffic out and back in via wan IP?

    I believe you are referring to DNS rewrite (DNS doctoring).


    If your internal servers resolve via an external DNS server you can add the "dns" keyword to the end of your static NAT statement. Keep in mind this only works with a static 1-to-1 NAT rule. It does not work with static PAT. Here is a link describing the feature:


    http://www.cisco.com/en/US/products/...807968c8.shtml
    Last edited by auglan; 5th June 2012, 00:05.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco ASA 5505 allow inside traffic out and back in via wan IP?

      While that would solve the problem... since I only have one IP I can't do a static NAT. Any other options?



      • #4
        Re: Cisco ASA 5505 allow inside traffic out and back in via wan IP?

        You may want to see if the legacy "alias" command may work. In the document I posted they also gave a workaround using destination NAT. The simple option would be to put an entry into the clients' hosts file. If you only have a few machines in a workgroup it's not a big deal. Another option is to run DNS locally, either on a server or another router.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
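
        The destination-NAT (hairpin) workaround mentioned in #4, and the reason the "dns" keyword from #2 does not apply here, shown as an added configuration example. This is not configuration from the thread or from Cisco's document; it assumes an ASA 5505 running 8.2-style NAT syntax (8.3 and later replaced these commands with object NAT), interfaces named "inside" and "outside", a DHCP-assigned outside address, and a placeholder web server at 192.168.168.10 inside the 192.168.168.0/24 subnet from the question.

```cisco
! Added example, not from the thread or from Cisco's documentation.
! Assumptions: ASA 8.2-style NAT syntax; interfaces "inside" and "outside";
! outside address comes from DHCP, so the "interface" keyword is used
! instead of a fixed public IP; web server 192.168.168.10 is a placeholder.

! 1. Allow traffic to enter and leave the same interface. Without this the
!    ASA drops inside-to-inside (hairpinned) connections.
same-security-traffic permit intra-interface

! 2. Publish the web server on the outside interface address (static PAT).
!    This is port-based, so the "dns" keyword from post #2 cannot be added:
!    DNS doctoring rewrites A records, which carry no port, and therefore
!    requires a one-to-one static translation and a second public address.
static (inside,outside) tcp interface 80 192.168.168.10 80 netmask 255.255.255.255

! 3. Destination NAT for inside clients: the same mapping applied
!    inside-to-inside, so a connection to the outside address on port 80
!    from the LAN is translated to the real server.
static (inside,inside) tcp interface 80 192.168.168.10 80 netmask 255.255.255.255

! 4. Translate the hairpinned clients' source to the inside interface
!    address. Otherwise the server sees the client's real LAN address and
!    replies directly, bypassing the ASA and breaking the session.
global (inside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0

! Verification from an inside host: browse to the outside address, then
! confirm both translations on the ASA:
!   show xlate
!   show conn
```

        If an access list is applied to the inside interface it must permit the client-to-server HTTP traffic in both legs, and step 4 means the web server's logs will record the ASA's inside address rather than the individual LAN clients, which matters when those logs are used for monitoring. Keeping a local DNS zone that returns the private address, as #4 suggests, avoids the double translation entirely and preserves the real client addresses in the server logs.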
