https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597150#M202734 <P>We have a guest wireless network configured that grants internet access only to users. The guest traffic is coming from a port on our 5508 WLC directly to the "guest"&nbsp;interface on our ASA 5510 (security level 50). The clients get DHCP from the WLC&nbsp;and DNS from external (ISP) DNS servers. Everything works great with one exception. We host our company website on the internal network ("inside" interface -&nbsp;security level 100). We need our guests to be able to access this internal web server.</P><P>After doing some research, it looks like I can accomplish this with DNS rewrite.</P><P>I would greatly appreciate configurations recommendations and command syntax for both the NAT command and ACL entry.</P><P>Thank you,</P><P>John</P> Tue, 12 Mar 2019 05:11:14 GMT John Woods 2019-03-12T05:11:14Z https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597150#M202734 <P>We have a guest wireless network configured that grants internet access only to users. The guest traffic is coming from a port on our 5508 WLC directly to the "guest"&nbsp;interface on our ASA 5510 (security level 50). The clients get DHCP from the WLC&nbsp;and DNS from external (ISP) DNS servers. Everything works great with one exception. We host our company website on the internal network ("inside" interface -&nbsp;security level 100). We need our guests to be able to access this internal web server.</P><P>After doing some research, it looks like I can accomplish this with DNS rewrite.</P><P>I would greatly appreciate configurations recommendations and command syntax for both the NAT command and ACL entry.</P><P>Thank you,</P><P>John</P> Tue, 12 Mar 2019 05:11:14 GMT https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597150#M202734 John Woods 2019-03-12T05:11:14Z https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597151#M202735 <P>Hi,</P><P>Let me assume these parameters to describe this for you :-</P><P>Web server(inside):- 10.2.2.3</P><P>Users:- DMZ[172.16.0.0/24]</P><P>Natted IP for Web Server:- 2.2.2.2</P><P>You simply need to use this NAT statement:-</P><P>object network DMZ-Inside</P><P>host 10.2.2.3</P><P>nat (DMZ,inside) static 2.2.2.2</P><P>Access list should allow the traffic to the private IP from the DMZ inbound to inside interface.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P><P>&nbsp;</P> Fri, 05 Dec 2014 14:58:04 GMT https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597151#M202735 Vibhor Amrodia 2014-12-05T14:58:04Z https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597152#M202736 <P>Well, the short version for configuring DNS rewrite for the webserver is to add the DNS keyword to the end of the existing NAT statement for that webserver.</P><P>You will then need to also allow traffic from the wireless clients to the webserver private IP on the ASA guest interface.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Fri, 05 Dec 2014 21:45:50 GMT https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597152#M202736 Marius Gunnerud 2014-12-05T21:45:50Z https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597153#M202737 <P>Hi,</P><P>Also , if you use the "DNS" keyword on the ASA with the STatic NAT , you need to make sure that the DNS queries actually go through the ASA device and it will not work if you have an internal DNS server defined on the clients on the same subnet or behind the same interface.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Sat, 06 Dec 2014 06:04:35 GMT https://community.cisco.com/t5/network-security/dns-rewrite-on-asa-5510/m-p/2597153#M202737 Vibhor Amrodia 2014-12-06T06:04:35Z