https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225086#M416516 <HTML><HEAD></HEAD><BODY><P>ASA Allows any kind of source and destination NAT/PAT as long as it makes sense)). What are trying to accomplish? </P><P>Assuming that you're trying to redirect all the client's DNS requests to the 8.8.8.8 and 192.168.1.1 is the IP of the ASA's inside interface, nat rule woul look smth like this:</P><P></P><P><SPAN style="text-decoration: line-through;">object network GOOGLE_DNS</SPAN></P><P><SPAN style="text-decoration: line-through;"> host 8.8.8.8</SPAN></P><P><SPAN style="text-decoration: line-through;">object network LAN</SPAN></P><P><SPAN style="text-decoration: line-through;"> subnet 192.168.1.24</SPAN></P><P><SPAN style="text-decoration: line-through;">object service DNS</SPAN></P><P><SPAN style="text-decoration: line-through;"> service tcp destination eq 53</SPAN></P><P></P><P><SPAN style="text-decoration: line-through;"><STRONG>nat (inside,outside) source static LAN LAN destination static interface GOOGLE_DNS</STRONG> service DNS</SPAN></P><P></P><P>This way it would be better:</P><P></P><P>object network GOOGLE_DNS</P><P>host 8.8.8.8</P><P>nat (outside,inside) static interface service tcp dns dns</P><P></P><P><STRONG> </STRONG></P><PRE><STRONG> <BR /></STRONG></PRE></BODY></HTML> Wed, 26 Jun 2013 17:33:19 GMT Andrew Phirsov 2013-06-26T17:33:19Z https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225085#M416515 <P>Hello,</P><P><BR style="color: #323d4f; font-family: 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; line-height: 18.1875px; background-color: #ececec;" /></P><P>I have dhcp enabled on my asa which hands out private ip to all inside clients. as part of this, it also handsout the dns server which is the address of the inside interface</P><P><BR style="color: #323d4f; font-family: 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; line-height: 18.1875px; background-color: #ececec;" /></P><P>What I want to do is, create a static nat or port forward which does the following </P><P><BR style="color: #323d4f; font-family: 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; line-height: 18.1875px; background-color: #ececec;" /></P><P>if the source is 192.168.1.0/24 and destination is 192.168.1.1 with destination port number of 53 then rewrite the destination address to 8.8.8.8</P><P><BR style="color: #323d4f; font-family: 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; line-height: 18.1875px; background-color: #ececec;" /></P><P>This way I will hide the dns server form internal client. lots of home routers as cheap as £10 can do this, why does the cisco can not do this and charging you a premium ?</P><P><BR style="color: #323d4f; font-family: 'Lucida Grande', 'Trebuchet MS', Helvetica, Arial, sans-serif; line-height: 18.1875px; background-color: #ececec;" /></P><P>Thanks</P> Fri, 21 Feb 2020 12:54:55 GMT https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225085#M416515 Random44F 2020-02-21T12:54:55Z https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225086#M416516 <HTML><HEAD></HEAD><BODY><P>ASA Allows any kind of source and destination NAT/PAT as long as it makes sense)). What are trying to accomplish? </P><P>Assuming that you're trying to redirect all the client's DNS requests to the 8.8.8.8 and 192.168.1.1 is the IP of the ASA's inside interface, nat rule woul look smth like this:</P><P></P><P><SPAN style="text-decoration: line-through;">object network GOOGLE_DNS</SPAN></P><P><SPAN style="text-decoration: line-through;"> host 8.8.8.8</SPAN></P><P><SPAN style="text-decoration: line-through;">object network LAN</SPAN></P><P><SPAN style="text-decoration: line-through;"> subnet 192.168.1.24</SPAN></P><P><SPAN style="text-decoration: line-through;">object service DNS</SPAN></P><P><SPAN style="text-decoration: line-through;"> service tcp destination eq 53</SPAN></P><P></P><P><SPAN style="text-decoration: line-through;"><STRONG>nat (inside,outside) source static LAN LAN destination static interface GOOGLE_DNS</STRONG> service DNS</SPAN></P><P></P><P>This way it would be better:</P><P></P><P>object network GOOGLE_DNS</P><P>host 8.8.8.8</P><P>nat (outside,inside) static interface service tcp dns dns</P><P></P><P><STRONG> </STRONG></P><PRE><STRONG> <BR /></STRONG></PRE></BODY></HTML> Wed, 26 Jun 2013 17:33:19 GMT https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225086#M416516 Andrew Phirsov 2013-06-26T17:33:19Z https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225087#M416517 <HTML><HEAD></HEAD><BODY><P>MANY THANKS</P></BODY></HTML> Fri, 12 Jul 2013 17:52:29 GMT https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225087#M416517 Random44F 2013-07-12T17:52:29Z https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225088#M416518 <P>I ran across this post today and it helped me solve a similiar problem. This command works great except it specifies TCP, it should be UDP and the default ASA service for DNS is actually called domain.</P><P>This revised command should get you what you need:</P><P>object network GOOGLE_DNS</P><P>host 8.8.8.8</P><P>nat (outside,inside) static interface service udp domain domain</P> Fri, 06 Jun 2014 19:18:37 GMT https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/2225088#M416518 user83473973 2014-06-06T19:18:37Z https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/4906327#M1103460 <P>&lt;REMOVED POST&gt;</P> Wed, 16 Aug 2023 13:40:48 GMT https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/m-p/4906327#M1103460 johnlloyd_13 2023-08-16T13:40:48Z