DNS rewrite

Hi All,
I have internal servers on the same segment with internal machines.
When I use an ASA to provide Internet, I can use a DNS rewrite function for the servers, so that the inside network can reach the inside servers with the private address (using a public DNS).
So, for example I have an internal server 10.1.1.1
I have the static NAT:
static (inside,outside) 20.1.1.1 10.1.1.1 dns
So, when an inside computer tries to get to mycompany.com, sends a request to the public DNS which resolves the public IP address, but when the reply comes through the ASA, the ASA then translates the DNS reply to the 10.1.1.1 address (and I can reach the server fine).
My question is:
Instead of an ASA, I have a Router 2821 12.4(24)T
Is there a way to accomplish the DNS rewrite function on the router???
ARENAS-CENTRAL(config)#ip nat inside source static 10.1.1.1 20.1.1.1 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  route-map   Specify route-map
  vrf         Specify vrf
  <cr>
ARENAS-CENTRAL(config)#
Or, is there another way to accomplish this task?
Thank you!!
Federico.

Hi Federico,
DNS doctoring, which is the feature you are looking for, is not supported on Cisco routers. As a consequence of your setup the local PC will try to access the server through its NAT address, which is also not possible on a Cisco router. This is because when NAT is configured we need to send the traffic from inside to outside to translate, and then to undo this translation it's a requirement that the traffic flows from outside to inside. All these requirements are based on the NAT RFC 1631, that's why on a Cisco Router configured with static NAT you are not able to see a local Web Server through its natted address.
There are a few workarounds you can try on this kind of setup:
WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the most simple way to solve this issue.
WORKAROUND 2:
Configure one of your computers as a local DNS server and add a record stating that the only way to access the server is with the private IP address. Here is a useful link that explains how to configure a computer as a private DNS server:
http://www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/dnsover.mspx
This is the best choice to do this configuration.
WORKAROUND 3:
Configure the router as a DNS server. The local network should point its DNS queries to the router and configure a local entry for that server. In this way, when the LAN tries to access the public domain of a local address, the router will provide them with the private IP instead of the public IP. Here are the lines needed to configure the router as a DNS server (you need at least version 12.2(4)T):
config t
ip dns server
ip domain lookup
! X.X.X.X = public DNS server to forward queries to
ip name-server X.X.X.X
! Y.Y.Y.Y = private address of the server
ip host www.domain.com Y.Y.Y.Y
WORKAROUND 4:
There's something else you can do on each PC. You just have to edit a file that contains ALIAS for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the Domain Name, not with the IP address. The file is called "hosts". The Windows OS, before asking a DNS for a domain name checks this file to see if there is a shortcut to know the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path (I think that also on XP you will find it as well):
C:\WINNT\system32\drivers\etc
You just need to edit it with NOTEPAD. Here is what you will find when you open the file:
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
   This is why if you do a PING LOCALHOST on an MS-DOS window, you are pinging 127.0.0.1. You just need to add your domain name and point it to the private address of the server.
WORKAROUND 5:
Configure what is called NAT on a Stick in your router. This kind of special configuration "tricks" both the server and the LAN to believe they are talking with a completely different network, avoiding the issue related to the NAT. The problem with this configuration is that it is quite heavy on the router and does not always work, so I would discourage its use because the router will get involved in all internal conversations with the whole network, therefore resulting in too much work for the router. Another thing you need to keep in mind regarding this workaround is that this specific setup is not supported by Cisco.
Regards,
Rick.
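
What the "dns" keyword on the ASA static does to a reply passing through it, as an added Python sketch (not code from either poster or from Cisco): walk the DNS response and replace any A record holding the NAT global address with the local one. The mapping 20.1.1.1 -> 10.1.1.1 is the one from the question; the function names and the sample reply are constructed for illustration.

```python
import ipaddress
import struct

# Static NAT from the question: global (public) address -> local (private) address.
NAT_MAP = {ipaddress.IPv4Address("20.1.1.1"): ipaddress.IPv4Address("10.1.1.1")}
TYPE_A, CLASS_IN = 1, 1


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                  # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def a_rdata_offsets(msg):
    """Yield the offset of the 4-byte address of every IN A record."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                  # question entry: name + type + class
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):        # answer, authority, additional sections
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    """Return every A record address in the message as a dotted string."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in a_rdata_offsets(msg)]


def doctor_reply(msg, nat_map=NAT_MAP):
    """Rewrite A records that carry a NAT global address.

    Returns (new_message, [(old, new), ...]). An A record is always 4 bytes,
    so the message length and all compression pointers stay valid.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:               # QR bit clear: a query, nothing to rewrite
        return msg, []
    out = bytearray(msg)
    rewrites = []
    for off in a_rdata_offsets(msg):
        old = ipaddress.IPv4Address(msg[off:off + 4])
        new = nat_map.get(old)
        if new is not None:
            out[off:off + 4] = new.packed
            rewrites.append((str(old), str(new)))
    return bytes(out), rewrites


def build_sample_reply():
    """Constructed reply for mycompany.com: one NATed address, one unrelated."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in ("mycompany", "com")) + b"\x00"
    question = qname + struct.pack("!HH", TYPE_A, CLASS_IN)

    def a_rr(addr):
        # Name is a compression pointer back to the question name at offset 12.
        return (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                + ipaddress.IPv4Address(addr).packed)

    return header + question + a_rr("20.1.1.1") + a_rr("20.1.1.2")


if __name__ == "__main__":
    reply = build_sample_reply()
    doctored, changes = doctor_reply(reply)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored))
    print("rewrites:", changes)
```

The same a_records() helper can be pointed at the DNS payload of a captured reply on the inside interface to confirm whether the address was actually rewritten before it reached the client.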

Similar Messages

  • Lan2Lan-VPN & DNS-ReWrite

    We have the following problem:
    OutsideA/LanA --- vpn ---- LanB/OutsideB
    In LanA and LanB we have DNS servers. When a DNS-Query on LanB is to be rewritten through the LanA side, and vice versa the DNS ReWrite doesn't work because of the NoNat setting for the VPN tunnel.
    How do we get around this?
    Cheers / Peter Stromblad

    Are there any answers to this?  I am interested in a possible solution.

  • CISCO ASA 5505 Split Tunnel DNS with Site to Site VPN

    I have a working configuration for Site to Site VPN between our head office and a private AWS VPC instance.
    The tunnel is active and I can ping the IP address of the remote network and connect to the remote machines using the IP address, but we need to use the FQDN and not the IP.  We have a DNS server set up in AWS for any DNS queries for the remote domain name.
    My question is whether or not the ASA 5505 supports a DNS split tunnel for Site to Site VPN and how it can be configured.
    I can not find where I can interrogate the DNS query to be redirected to the VPN tunnel when our domain name is used in a DNS query.  Thus, any pings I try with the FQDN of our servers in AWS are failing as they are going to the default DNS, which is the internet.
    Can any one point me in the right direction on how to configure this DNS rewrite so that we can access our AWS private cloud using FQDN from our AWS domain rather than an IP address?

    Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface.  Try to be more restrictive than an '...ip any any' rule for outside_in connections.  For instance, this is what I have for incoming VOIP (access list and nat rules):
    access list rule:
    access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
    nat rule:
    nat (inside,outside) source static server interface service voip-range voip-range
    - 'server' is a network object *
    - 'voip-range' is a service group range
    I'd assume you can do something similar here in combination with my earlier comment:
    access-list incoming extended permit tcp any any eq 5900
    Can you explain your forwarding methodology a little more?  I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to.  Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

  • N73 Alternate DNS entries

    Hi
    I've heard that by updating the primary and alternate DNS entries for mobile browsing, the speed of pages loading can be increased. The article is here (www.pcpro.co.uk/links/155mob1) but only includes instructions on how to do this for Pocket PC/Windows Mobile devices.
    I'd like to try this on my N73, but the problem seems to be that the Contract Internet settings are protected and can't be updated or even copied.
    Is there a way to find these settings and set up a new access point then enter the new DNS addresses?
    I've looked on the net for these without success.
    Thanks for any help.

    Hi Shawn,
    I am looking for another feature:
    As the ISA acts as a DNS forwarder, I want to add specific DNS records to the Box. This scenario is especially for small networks not having a DNS server implemented, to resolve internal services - or this can be used for a special DNS rewriting.
    How can I add hosts records to the DNS resolver?
    Regards Mike

  • Cisco ASA 5505 Rule

    I have an ASA 5505 router. I have configured most of the rules, but have had assistance from online forums and outside consultants
    configuring some rules. There is one in my configuration that I do not understand, and I do not remember entering it myself. The rule is blocking traffic
    when a server on the private side tries to send http traffic to itself. Not sure what the purpose of the rule is or why it is there.
    When I click on rule 35, it highlights both 35 and 36.
    #   Type       Source destination service interface address service DNS Rewrite Max TCP   Embryonic Limit Max UDP... Randomize Seq #
    35 Dynamic any     <blank>     <blank>  inside      inside   <blank> <blank>     Unlimited Unlimited     Unlimited <checked>
    36 <blank> <blank> <blank>   <blank>  outside    outside <blank> <blank>     Unlimited Unlimited     Unlimited
    I am hesitant to delete the rule until I know the purpose.
    I am not sure but the rule below may be what is generating it (I am not familiar with command line commands):
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 209.34.249.193 1
    Can someone tell me what this is for, or what it is doing?

    I used Packet Tracer (a GUI tool) to determine which NAT rule was blocking the traffic I am trying to allow.  It was rule 35 & 36 as shown in my original post.  I attempted to correlate the gui rule to the cli.  I don't know if i picked the correct cli rule or not.  That is why I showed both of them.
    Since rule 35 is dynamic, I tried:
    Result of the command: "show run dynamic"
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    This rule is part of the VPN setup I think, which would make sense because I had a consultant set it up for me.
    Result of the command: "show run global"
    global (inside) 1 interface
    global (outside) 1 interface
    global (outside) 199 xxx.xxx.249.200
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 199 access-list Mail
    nat (inside) 1 0.0.0.0 0.0.0.0
    Result of the command: "show run static"
    static (inside,outside) tcp xxx.xxx.235.13 ftp 192.168.1.20 ftp netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.200 smtp 192.168.1.119 smtp netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.196 www 192.168.1.100 www netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.197 www 192.168.1.101 www netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.198 www 192.168.1.102 www netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.199 www 192.168.1.103 www netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.1 https 192.168.1.109 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.2 https 192.168.1.110 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.3 https 192.168.1.111 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.4 https 192.168.1.112 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.5 https 192.168.1.113 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.6 https 192.168.1.114 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.7 https 192.168.1.115 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.8 https 192.168.1.116 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.9 https 192.168.1.117 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.10 https 192.168.1.118 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.11 https 192.168.1.119 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.12 https 192.168.1.120 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.13 https 192.168.1.121 https netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.13 www 192.168.1.121 www netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.14 ftp 192.168.1.122 ftp netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.14 ftp-data 192.168.1.122 ftp-data netmask 255.255.255.255
    static (inside,inside) tcp xxx.xxx.235.6 1443 192.168.1.40 1443 netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.235.5 1443 192.168.1.40 1443 netmask 255.255.255.255
    static (inside,outside) tcp xxx.xxx.249.197 1080 access-list Nat1
    static (inside,outside) tcp xxx.xxx.249.198 1080 access-list Nat2
    static (inside,outside) tcp xxx.xxx.249.198 2080 access-list Nat4
    static (inside,outside) tcp xxx.xxx.249.197 2080 access-list Nat3
    static (inside,outside) tcp xxx.xxx.249.199 1080 access-list Nat5
    static (inside,outside) tcp xxx.xxx.249.199 2080 access-list Nat6
    static (outside,inside) 192.168.1.50 xxx.xxx.249.200 netmask 255.255.255.255
    static (inside,inside) xxx.xxx.249.197 192.168.1.50 netmask 255.255.255.255
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 199 access-list Mail
    nat (inside) 1 0.0.0.0 0.0.0.0
    I included other cli but changed the ip addresses.
    I am trying to allow my server behind the firewall to send http traffic to itself.  Currently blocked by rule 35&36 in the gui.

  • Cannot access a website, from one interface, that is hosted behind a different interface; on same appliance

    Hello,
    I’m working with a network that has been setup with a wireless interface for wifi, an inside interface for a staff lan and of course the outside interface.
    There is a webserver hosting a website on the inside of the staff network/subnet.
    For the sake of argument:
    Staff’s subnet is using: 192.168.1.0
    Wireless is using: 10.16.0.0.
    The website is hosted on a static IP on the 192.168.1.10 and is NAT’d out as X.X.X.10.
    Wireless users are using an external DNS server and when they try and connect to the site’s website on the public address, X.X.X.10, it fails.  Everyone outside of the building can access the site fine.  Everyone on the Staff Lan is also fine, thanks to a local DNS server and being able to directly access 192.168.1.10; however if they hit the X.X.X.10, it also fails or doesn't rewrite.  Access Rules are in place for HTTP/HTTPS etc for the webserver.  There are no extra rules allowing the wireless users on the 10.16.0.0 network to access the server specifically though.  I’m wondering if that’s the key issue with the setup.  I’ve run a packet trace from the wireless network pointing to the webserver and each way I run it, it says Config Implicit Rule.  I just wonder if it needs to be setup on a different interface.  I only have 2 rules for the inside and two rules for the wireless; the typical any ip any and any ip deny rules.  Everything else is configured on the Outside Interface for access to different servers etc.
    Its setup like this (Excuse my text diagram):
    {Internet }-----------Firewall-------- Staff Lan: 192.168.1.0 (Inside interface; Webserver resides on this Subnet)
                                  |
                                  |
           Wireless Lan(Wireless Interface)
                          10.16.0.0
    ASA Version 8.0(5)
    Security levels of Inside and Wireless interfaces are set to 100.
    I have enabled DNS Rewrite on the NAT.
    static (inside,outside) X.X.X.10 obj-192.168.1.10 netmask 255.255.255.255 dns
    And the Inspection Policy looks like this:
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    Perhaps there are just more pieces to the puzzle and not everything is in place for the DNS Rewrite to even work.
    Any help, or pointing me in the right direction etc, would be very appreciated.
    Thank you,
    Mike

    Hi,
    To my understanding the DNS rewrite should work as you have the "dns" parameter for the server Static NAT towards outside and also have the "inspect dns" enabled. DNS rewrite should work for hosts that do DNS query to a server that's on the public network. In other words when the users on the wifi ask a public DNS server for the public IP address of the server the ASA should rewrite the public IP address to the private IP address before the DNS reply reaches the wifi host.
    I don't see a reason why the "packet-tracer" would fail. On the other hand if you are using the public NAT IP address as the destination IP address it probably doesn't show correctly and you can't really test the DNS rewrite thing with the "packet-tracer".
    If you want to really check what's happening with regards to the DNS operation I would suggest configuring a packet capture on the ASA for the DNS traffic on the wifi interfaces and see if the ASA actually changes the DNS replies before they reach the host doing the DNS query.
    If you could share the configurations (except for possible sensitive information) and the "packet-tracer" commands and output with us we could go through those and see if there is any problems there. I can also help you with the packet capture configurations if needed.
    - Jouni

  • ASA 5500 model default setting

    Dear All, I saw the below default configuration shown on my new 5505 and 5515 ASA.  May I know what the function of this configuration is and whether these commands affect my ASA firewall?
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global

    Hi,
    To my understanding the Inspections' purpose is both to enable certain applications/protocols that are dynamic in nature to work through your firewall without resorting to opening up the firewall too much. They are also used to set certain restrictions on certain types of connections.
    The most common ones in constant use would probably be (for me at least):
    ICMP Inspection (not enabled by default) which helps you allow ICMP through the firewall and automatically allow the ICMP Echo reply back without allowing it through the firewall in a separate ACL. It also makes sure that only valid ICMP return messages are allowed through the firewall.
    DNS Inspection sets some parameters for the DNS traffic and also makes sure that only one DNS reply is allowed through the firewall. It's also needed if you are going to use the "dns" parameter in the NAT configurations to enable the ASA to do a DNS rewrite.
    FTP Inspection enables the ASA to automatically allow the FTP Data connections which are created in addition to the initial Control connection. Therefore you don't need to allow anything but the FTP Control connection (TCP/21) to form through the firewall and the ASA will use the FTP Inspection to automatically allow through the Data connection that will be formed.
    For more information I would suggest reading the ASA documentation. For example the Command Reference and Configuration Guide
    Here is a link to the Command Reference and the different "inspect" commands
    http://www.cisco.com/en/US/docs/security/asa/command-reference/i2.html
    Here is a section in the Configuration Guide about inspections
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/inspect_overview.html
    I have not even fully read them myself.
    Generally there is not much need to touch the above settings. Sometimes Voice/Video related inspections need to be disabled as they might actually cause problems. I have also had to disable the ESMTP inspection sometimes.
    - Jouni

  • How to enable request going and coming with same isp

    hi guys,
    suppose i am having a url kaveriowa.kaveri.com registered with ip 215.22.22.24 . now my internal user types this url in web browser having proxy in 172.26.7.45 natted with 215.22.22.26 . the request goes outside and is resolved by dns but does not get routed back to same ISP pool of 215.22.22.0/27
    it may be our end firewall is blocking the request or a routing issue from isp end.
    regards
    rajat

    yeah I guess DNS rewriting will fix your issue, if you still want to use an external DNS server. Strictly speaking however your traffic will not leave the outside interface, just your DNS requests for kaveriowa.kaveri.com do.
    It might probably be easier to do hairpinning:
    static (inside,inside) 215.22.22.24    netmask 255.255.255.255
    please rate if useful

  • How do I setup a DNS record to point to an internal IP with a port.

    I am trying to setup a DNS entry on my AD server to point to a web sever that I have setup to run certain services.  All of these services run through IIS on port 82 for example service A is internally 192.168.0.1:82/info/login and service B is 192.168.0.1:82/tech/login.
    I am trying to give these services easy to use names like for example info.mycompany.com and tech.mycompany.com so that it is easy to access for the employees but I am obviously missing something because I have had no luck setting up anything.  My company is still using SBS 2003 as its AD and DNS server so I am working with flint and bear skin here.
    I am also trying to do the same thing for the external access to these services but whereas I have the internal address for these services I have the external static IP.  When using the external IP with the port from outside the network everything works fine but I would like for it to have a simple name identical to the internal names but accessible from the outside.  I frankly feel out of my depth on both of these issues and I would really appreciate any help that can be lent.  Thank you.

    You can't set a dns record (that would be used by a browser) to point to an ip and port, srv records can but that requires the application to look them up.
    To have info.mycompany.com point to 192.168.0.1:82/info/login you would add a cname or A record to the dns pointing to that IP, then in IIS you would assign that dns name to the host headers. Also in IIS you would need to use the URL rewrite plugin; with this you would setup a redirect for that host header {HTTP_HOST} to point to that link.

  • Cisco ACE - dynamic header rewrite

    Can the ACE do dynamic http host and URL rewrites using an action list and variables?
    I need to rewrite a URL like this...
    http://*.domain.com rewritten to http://www.domain.com/user1/*
    For example...
    http://mikeyd.domain.com would be rewritten to http://www.domain.com/user1/mikeyd
    ... and so on for a large number of user names at the beginning of the URL string.
    I am trying to find the action-list syntax for header rewrite and having trouble figuring this out.  Would a redirection be a better option?
    Thanks, in advance, for any help with this.

    It's more related to disaster recovery planning than ACE configuration
    The cleanest way is to use L2 extension.
    Otherwise you can use VMWare SRM to change the ip addresses of your VMs, or run an OSPF process and replicate all the subnets and put it in the "shutdown state" (or announcing it with a very high cost, proximity routing will do the rest - ACE module can do this for the VIPs with OSPF route health injection, ACE4710 doesn't support RHI but on the upstream router you can define an IP SLA probe and perform conditional redistribution), or use a dummy VRF with all your subnets and when enabling DRP, perform route leaking... use NAT with DNS-based failover etc...
    There is no generic answer to your problem.

  • How can I get my Tiger Server to look at itself as a DNS Server

    I have installed Tiger server remotely and have no GUI.
    I want to change the DNS Server ip address with that Server
    If I had access to the System Prefs/Network panel I could simply make the change.
    Can I do this via a command line in Terminal ??
    Thanks

    Two options come to mind.
    First is networksetup, the command-line interface to network settings:
    networksetup -setdnsservers "Built-in Ethernet 1" 127.0.0.1
    (you can add additional name servers in order if you want).
    The other is to just rewrite /etc/resolv.conf which stores the active name server settings (although this might get rewritten at boot).

  • DNS Doctoring issue - ASA 5540

    I am in the process of setting up a segregated Guest Wifi network in my office and in doing so realized that I can not access my NAT'd externally facing web servers through this network. This guest network is using 8.8.8.8 for DNS and is properly resolving the external IP for the servers, but the pages refuse to load. If I go directly to the Private IP of the servers, the pages load. These NAT'd servers are on the DMZ interface of my ASA, whereas the "Guest network" resides on the Internal interface.
    I came across this: "By default the Cisco ASA will not allow packet redirection on the same interface (outside) which is tried by the guest client trying to access the DMZ server by its NAT’d public IP address.", which perfectly describes my issue. The article goes on to say that by checking the "Translate the DNS replies that match the translation rule" box (enable DNS Doctoring) in the NAT rule, the ASA would essentially rewrite the external IP to the private IP. This however is not working and the pages still won't come up.
    Am I not understanding this right? What am I missing from this set up?

    Hello Tom,
    If the server is on a different interface than the clients why don't you simply do a static one to one from the private to the global IP address.
    EX
    static (dmz,inside) public ip private ip
    Rate all of the helpful posts!!!
    Regards,
    Jcarvaja
    Follow me on http://laguiadelnetworking.com

  • Rewrite PORTAL URL

    Hey ,
    I have a Strange Issue here . Our BI Production Landscape Consists of PORTAL and BI- ABAP ( CI + 2 App ) .
    The Hostname "bi.ril.com" is on DNS which POints to CI(ABAP) . There is a Web Dispatcher Configured on CI Which is Supposed to Route HTTP Requests to APP Servers for Load Balancing .
    Now , as per the LINK http://help.sap.com/saphelp_nw04s/helpdata/en/5f/7a343cd46acc68e10000000a114084/frameset.htm ,
    I have Performed the Mapping of URLs based on the SAP Logon Group and Request are getting ROuted to Application Servers.
    The Issue now is , When a HTTP Request goes to an APP Server the URL Generated is Somewhat like biapp##.ril.com which is Not on DNS .
    I can Put it on the DNS , but then the URL just wont be that Friendly . I am ready now the host these names on DNS .
    The Problem is , I want the CLIENT BROWSER to Display the URL as " bi.ril.com " , even though Internally it should be calling an APP Server .
    Is this EVEN Possible ???? I have Gone through URL Rewriting , but then this feature only Rewrites the Prefixes and not the Entire URL .
    Regards,
    Ashish .A. Poojary
    Edited by: Ashish Poojary on Mar 28, 2011 8:38 AM

    Hi,
    The Issue now is , When a HTTP Request goes to an APP Server the URL Generated is Somewhat like biapp##.ril.com which is Not on DNS
    Do you speak of the URL generated from the web dispatcher to be sent to the app server ?
    If yes, I don't get this result on my system and I don't understand how you can get this.
    The URL sent to the appserver looks like http://appserver.domain.country/url
    The URL seen from the browser looks like https://webdispatcher.domain.country/url
    Regards,
    Olivier

  • Static NAT to inside DNS address

    I'm struggling to address an issue where as a policy I have internal virtualized/clustered servers on reserved DHCP addresses on a separate VLAN, and occasionally there is a situation where by the guests change hosts and end up on another VLAN (for whatever reason) or with a different IP address.
    This isn't an issue for my internal users because all our communications works off DNS addresses, but I have a natted FTP server that whenever it changes IP/VLAN, i have to manually change the natted address on my ASA.
    ex
    static (inside,Outside) 100.100.100.101 192.168.100.39 netmask 255.255.255.255
    would like to use a DNS address of ftp.domainname.com instead of the IP address so that if the inside IP changes I don't have to rewrite the static rule every time.
    Is there any facility to do this with the ASA?
    thanks

    Hello Robert,
    Not possible to do it on the ASA. You will need to use the ip address on the Nat statements.

  • Basic Authentication SSO, Web proxy, Rewriter issue

    I have iPS 3.0 SP4.
    I have configured the Gateway to do single signon for HTTP Basic Authentication. My external application also requires a web proxy to connect, so I added the proxy to the "DNS Domain and Subdomains" list. My "Rewrite all URLs Enabled" is not checked.
    I added a link to the external application in the Bookmark channel. When I click on the link, a new browser window is launched, SSO happened (verified from iwtGateway log), but the contents kept going back to the Portal Desktop instead of the external application.
    I found out that the external application is using the URL location information of the browser to extract the protocol, host and port info to construct the target page using JavaScript. By the Gateway rewriting the URL, the JavaScript is incorrectly using the Gateway host and port, instead of the application host and port.
    How do I setup the Gateway to do Basic Auth SSO, use a web proxy to fetch the content, but do NOT do URL rewriting? Our users have access to the application directly, so we do not need to run the app behind the Gateway. But I need to use the Gateway to do the SSO. Also, since the "DNS Domain and Subdomains" list is used for both proxy definition and rewriting, how do I make them mutually exclusive - i.e. want to use web proxy but do not want rewriting?
    Can you also suggest other ways of doing Basic Authentication SSO without using the Gateway? I have seen some discussions on using the Authenticator class and a separate Servlet. Please post me an example.
    Thanks.

    Yes, I have already tried the option you suggested. I had previously created a JSP channel that has a link invoking my servlet. This servlet, reads the user profile from an external LDAP and sends the Authorization header on a URLConnection object, just like you described it.
    However, I cannot just simply render the returned content on the InputStream of the URLConnection. The browser/client is actually connected to the servlet - so presenting the images and links directly will be relative to the servlet machine, not the external app. So the images and links do not work.
    If I do a request.sendRedirect(...), the external application will ask for the auth header again. The browser has not captured the auth header that was sent earlier by the servlet.
    How do you tell the browser to keep the auth header for all subsequent request? Is the Gateway SSO approach telling the browser to keep sending the auth header, or is the Gateway programmatically adding the auth header for each request?
