
Slow access to the server when it goes out and comeback through ASA 1


rjanakan

Technical User
Sep 2, 2004
9
US
Hi,

I have an ASA 5510 installed in my environment. I have an application box, which is behind the ASA, that needs to access the web server, which is also behind the ASA. The application box is configured to point to the URL rather than the local IP. For application configuration reasons we want to keep it that way. It works faster when I use the local private IP. But when I give the URL, the application box times out. So it looks like when the traffic goes out of the ASA to the Internet, it's getting resolved through DNS, and when it hits the ASA it's getting NAT-ed and processed again.

Is this common with ASA or any FW?
I'd appreciate any inputs on this.
 
Well merely use internal dns to resolve the url to the private IP address.
 
Hi,

Thanks for your input. Yes, I had it working using the hosts file to bypass the DNS. But I'd like to know the reason, if it's a common behavior with ASA or I'm missing some configuration.

Thanks,
Janakan Rajendran
 
It's the ASA's normal behavior. Basically you were sending traffic out the firewall and trying to make it come back in. That's not what the firewall is designed for.
 
Did you add an access list on the dmz interface that allowed access from the DMZ server to your internal DNS servers on port 53?
 
Hi,

I just have 5 servers sitting behind ASA in my data center and pointing to ISP's DNS. So no DMZ and internal DNS.

Janakan Rajendran
 
Easy fix. I would guess you have some static statements in your firewall. Re-add the static statements with the keyword dns.

So it looks like this:

static (inside,outside) 65.15.25.11 192.168.0.5 netmask 255.255.255.255 dns

What this will do is rewrite DNS replies traveling through the firewall that match 65.15.25.11 to 192.168.0.5.

Check this link out:


With 7.0, the PIX/ASA can also send traffic back out the same interface with the intra-interface command:


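As an added illustration (not from the thread, and not Cisco's own documentation), here is what the two alternatives discussed above look like on a PIX/ASA running the 7.x/8.0-8.2 CLI, using the thread's example addresses 65.15.25.11 and 192.168.0.5. The interface names, the inside network 192.168.0.0/24, the NAT id 1 and the policy-map/class names are assumptions.

```text
! --- Option 1: DNS rewrite ("DNS doctoring") ---
! The dns keyword makes the ASA rewrite A records in DNS replies that pass
! through it: 65.15.25.11 becomes 192.168.0.5 for inside hosts, so the
! application box connects straight to the private address and the
! traffic never tries to leave and re-enter the firewall.
static (inside,outside) 65.15.25.11 192.168.0.5 netmask 255.255.255.255 dns
! The rewrite only happens when DNS inspection is enabled. It is part of
! the default global policy; shown here (names assumed) in case it was
! removed.
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global

! --- Option 2: hairpinning (7.0 and later) ---
! Allow a packet to leave through the interface it arrived on ...
same-security-traffic permit intra-interface
! ... translate the public address on the inside interface ...
static (inside,inside) 65.15.25.11 192.168.0.5 netmask 255.255.255.255
! ... and PAT the inside clients to the inside interface address (same
! NAT id as the existing outbound nat statement) so the web server's
! replies return through the ASA instead of going directly to the client.
global (inside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
```

Either option fixes the timeout, but they differ in what the web server sees: with DNS rewrite the client's real address 192.168.0.x reaches the server, while with hairpinning every inside client appears as the ASA's inside interface address, which makes the web server's logs and any per-source access controls on it much less useful. DNS rewrite is therefore usually the cleaner choice when the servers use an external DNS, as in this thread.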
 
Intra-interface only works on encrypted traffic, or at least that's how the documents read.
 
Thanks, man. I didn't have a clue it worked for clear text traffic as well. That documentation was a lot better than the other, as I was led to believe it was only for encrypted traffic.
 