topic That's what I don't in Network Security

DNS Doctoring on ASA from DMZ

Phil Bradley — Tue, 12 Mar 2019 05:30:54 GMT

I have looked at the following article on DNS doctoring and while it makes sense, it doesn't cover my scenario.

https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it

Basically I have an exchange server that is in my inside network and I have a NAT on the exchange box to the outside currently. I also have a DMZ area for a wireless gust network defined on the ASA. When a smartphone connects to the guest wireless their exchange email stops syncing because U-turn is disabled on the firewall be default. Is it possible to use DNS doctoring on the Public DMZ to translate my exchange box to its inside address?

Yes it is. Try adding the

Collin Clark — Tue, 17 Feb 2015 19:32:45 GMT

Yes it is. Try adding the keyword dns to the end of your NAT translation.

Ok, so I have the following

Phil Bradley — Tue, 17 Feb 2015 19:42:50 GMT

Ok, so I have the following NAT's:

static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 dns

static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

The machines in the public DMZ still get the outside interface IP when looking up my exchange box. It's not doctoring the request from the public to the exchange box.

Is 'public' your DMZ

Collin Clark — Tue, 17 Feb 2015 21:17:46 GMT

Is 'public' your DMZ interface? If so, you don't need static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

That did it! So how does the

Phil Bradley — Tue, 17 Feb 2015 21:29:35 GMT

That did it! So how does the public addresses get translated to the inside exchange box or do they?

Hi Phil, Lets assume that

rizwanr74 — Tue, 17 Feb 2015 21:33:17 GMT

Hi Phil,

Lets assume that your outside interface ip address is: 9.9.9.9

static (inside, public) 9.9.9.9 192.168.0.2 netmask 255.255.255.255

Hope this helps.

thanks

Rizwan Rafeek.

That's what I don't

Phil Bradley — Tue, 17 Feb 2015 21:42:35 GMT

That's what I don't understand. The only public DMZ NAT that I have is dynamic to the outside interface.

nat (Public) 10 0.0.0.0 0.0.0.0

I don't have any other nat to the public DMZ interface.

Traffic from the DNS gets

Collin Clark — Tue, 17 Feb 2015 21:42:39 GMT

Traffic from the DNS gets read by the ASA and would normally be routed out to the internet, but the ASA does a lookup and sees that there is a translation for it. It then looks up the NAT and routes it to the inside IP. Glad to hear it's working.

Ah, I see. So the NAT it is

Phil Bradley — Tue, 17 Feb 2015 21:44:39 GMT

Ah, I see. So the NAT it is using is the one that has the DNS re-write now?