topic Found the issue. The DNS in Network Security

DNS Rewrite/Translate DNS reply issue on ASA 5510

SIMMN — Tue, 12 Mar 2019 05:42:13 GMT

I have two pairs of ASA 5510 running 8.4(6) for two different networks. I configured 1-TO-1 NAT rule on each pair for internal server and enabled option "Translate DNS reply". However it seems like the rule is working on one pair but not the other.

Here is semi-detail of the setup (8.8.8.8 is used as DNS server for both setup on client.).

For first pair,

The internal server is @ 172.16.1.100; the client is @ 172.16.2.100. Their default gateway is 172.16.x.1 on the same core switch/router, which will route outbound traffic to ASA lan interface @ 10.1.1.1. The ASA mapped server to 1.2.3.4 on internet with FQDN web1.abc.com.

If I configured 8.8.8.8 as dns server on client and then try to reach web1.abc.com, I still got resolved to 1.2.3.4 instead of 172.16.1.100 as expected with turning on "Translate DNS reply" inside NAT rule.

For the second pair,

The server is @ 172.16.1.100 and connected to ASA dmz interface. The client is @ 172.16.2.100 on the LAN interface. ASA is the default gateway. ASA mapped server to 1.2.3.5 on internet web2.abc.com.

If I configured 8.8.8.8 as dns server on client and then try to reach web2.abc.com, the FQDN is resolved to 172.16.1.100 as expected.

So I guess will the difference between two setup break the functionality of DNS Rewrite/Translate DNS reply?

Please advise.

Hi,Are the NAT and Service

Vibhor Amrodia — Fri, 27 Mar 2015 13:12:32 GMT

Hi,

Are the NAT and Service-policy on the ASA device which is not working correctly ?

Can you post the relevant configuration ?

Thanks and Regards,

Vibhor Amrodia

Regardless of if the ASA is

Marius Gunnerud — Sat, 28 Mar 2015 21:14:11 GMT

Regardless of if the ASA is the default gateway or the L3 switch is the default gateway, the ASA should rewrite the DNS request. If both ASA configuration are exaclty the same, I would look into a possible routing issue on the switch for the first pair.

Please remember to select a correct answer and rate helpful posts

They are not 100% the same

SIMMN — Mon, 30 Mar 2015 11:39:12 GMT

They are not 100% the same actually. The first pair has client and server connected to the same physical interface while the second pair has client on LAN and server on DMZ physical interfaces.

Here is the configure I have

SIMMN — Mon, 30 Mar 2015 11:51:33 GMT

Here is the configure I have on the first ASA pair.

object network 172.16.1.100-1to1-NAT

host 172.16.1.100
nat (LAN,INTERNET) static 1.2.3.4 dns

For the second pair.

object network 172.16.1.100-1to1-NAT

host 172.16.1.100
nat (DMZ,INTERNET) static 1.2.3.4 dns

Let me know if further is required.

Hi,I think you actually

Vibhor Amrodia — Mon, 30 Mar 2015 11:56:26 GMT

Hi,

I think you actually answered the query in your previous post.

As per your description , First Pair , has client and server connected to the same physical interface. If this is the case , the DNS query would never even traverse the ASA device and hence the rewrite will never work.

For it to work , you need to have DNS server and Client behind different interface or in different broadcast domains.

Thanks and Regards,

Vibhor Amrodia

I mean the web server not the

SIMMN — Mon, 30 Mar 2015 17:42:08 GMT

I mean the web server not the DNS server.

In both my setup, I use 8.8.8.8 as the DNS server.

What I meant is if the dhcp

Marius Gunnerud — Mon, 30 Mar 2015 19:33:12 GMT

What I meant is if the dhcp setup is the same, in that both use 8.8.8.8 as the dns server then the DNS query will transit the ASA and the ASA should rewrite the DNS reply to the private IP of the server. This means that you will also need to make sure that traffic from the local LAN to the private IP of the server needs to be permitted in the ACL on the LAN interface if that traffic goes through the ASA again to reach the server (if it isnt already permitted that is).

Please remember to select a correct answer and rate helpful posts

Found the issue. The DNS

SIMMN — Mon, 30 Mar 2015 19:57:46 GMT

Found the issue. The DNS Inspection was not turned on on first pair... Now I have to do a change request to enabled DNS inspection...