https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548775#M615264 <HTML><HEAD></HEAD><BODY><P>thanks KS , I was reading the document where below is mentioned .</P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P><P></P><P>"DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous. "</P><P></P><P>can you please let me know exact meaning of above .though it says it is not compatible but does that mean it can be still used ? also what do we mean by "multiple PAT rules are applicable for each A-record"</P></BODY></HTML> Mon, 13 Dec 2010 06:58:05 GMT jvardhan29 2010-12-13T06:58:05Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548773#M615257 <P>hi</P><P></P><P>i would like to know if DNS doctoring is supported with static pat or only static nat .if it is supported with Static PAT does it support both (i.e interface as well as a free public ip ).below is an eg. in which i have mentioned the interface keyword in static statement.</P><P></P><P>static (inside,Public) tcp interface 25 10.10.1.1 25 dns</P> Mon, 11 Mar 2019 19:20:55 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548773#M615257 jvardhan29 2019-03-11T19:20:55Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548774#M615260 <HTML><HEAD></HEAD><BODY><P>DNS doctoring is supported only in static 1-1 NAT. Not is static PAT.</P><P></P><P>-KS</P></BODY></HTML> Sat, 11 Dec 2010 13:59:03 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548774#M615260 Kureli Sankar 2010-12-11T13:59:03Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548775#M615264 <HTML><HEAD></HEAD><BODY><P>thanks KS , I was reading the document where below is mentioned .</P><P><A href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P><P></P><P>"DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous. "</P><P></P><P>can you please let me know exact meaning of above .though it says it is not compatible but does that mean it can be still used ? also what do we mean by "multiple PAT rules are applicable for each A-record"</P></BODY></HTML> Mon, 13 Dec 2010 06:58:05 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548775#M615264 jvardhan29 2010-12-13T06:58:05Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548776#M615266 <HTML><HEAD></HEAD><BODY><P>hi experts,</P><P></P><P>any idea on below question related to static pat .</P></BODY></HTML> Thu, 23 Dec 2010 10:32:02 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548776#M615266 jvardhan29 2010-12-23T10:32:02Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548777#M615269 <HTML><HEAD></HEAD><BODY><P>The ASA rewrites the DNS reply which contains the external IP address with the internal IP address. The DNS request and reply don't contain port numbers but one external IP address can translate to multiple inside addresses based on port numbers. This is the reason DNS doctoring is not supported.</P><P><BR />To make a server on the inside available on it's outside IP address you can create this static:</P><P><STRONG>static (inside,inside) tcp x.x.x.x 25 10.10.1.1 25 where x.x.x.x </STRONG>is the IP address of your outside interface</P><P><STRONG>global (inside) y interface</STRONG> where y matches the <STRONG>nat (inside) y</STRONG> statement</P><P></P><P>This way if a pc connects to the external IP address the destination address is translated to 10.10.1.1 and the source address is translated to the IP address of the inside interface. This is necessary because the returning traffic needs to go through the ASA.</P></BODY></HTML> Thu, 23 Dec 2010 10:41:44 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548777#M615269 jgraafmans 2010-12-23T10:41:44Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548778#M615271 <HTML><HEAD></HEAD><BODY><P>static (inside,Public) tcp interface 25 10.10.1.1 25 dns</P><P>static (inside,Public) tcp interface 80 10.20.1.1 80 dns</P><P>static (inside,Public) tcp interface 8080 10.30.1.1 8080 dns</P><P></P><P>e-mail servers A record is mail.abc.com</P><P>webserver's A record is www.abc.com</P><P>8080 server's A record is apache.abc.com</P><P></P><P>All resolving to the same interface IP address. Now the inside host wants to go to <A href="https://community.cisco.com/www.abc.com" target="_blank">www.abc.com</A> which the outside dns server resolves to the interface IP address with dns doctoring enabled which inside server will the ASA send the traffic to?</P><P></P><P>This simply is not supported.</P><P></P><P><SPAN>Dont' miss my ATE event: </SPAN><A class="jive-link-community-small" href="https://community.cisco.com/community/netpro/ask-the-expert">https://supportforums.cisco.com/community/netpro/ask-the-expert</A></P><P></P><P>-KS</P></BODY></HTML> Thu, 23 Dec 2010 16:42:02 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548778#M615271 Kureli Sankar 2010-12-23T16:42:02Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548779#M615274 <HTML><HEAD></HEAD><BODY><P>that is what i was looking for ! thanks to both .</P><P></P><P>i have one more question , some of the configuration related to dns are mentioned below but i was not able to find why is "dns" used here for ? </P><P></P><P>1st config</P><P></P><P>nat (Private) 1 0.0.0.0 0.0.0.0 dns</P><P>global (Public) 1 interface</P><P></P><P>2nd config</P><P></P><P>also is there any possibility that in the below config at any point of time nat (Public) 3 access-list MYACL dns , being used ? i.e is the below config relevant or irrelevant ?what is the use of dns keyword here ?</P><P></P><P>where MYACL access-list (consists of VPN clients network) coming to the ASA private network</P><P></P><P>nat (Public) 3 access-list MYACL dns</P><P>access-list MYACL permit ip 172.16.10.0 255.255.255.0 any</P><P>access-list NONAT permit ip any 172.16.10.0 255.255.255.0</P><P>nat (Private) 0 access-list NONAT</P><P>global (Public) 3 interface</P></BODY></HTML> Fri, 24 Dec 2010 10:15:29 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548779#M615274 jvardhan29 2010-12-24T10:15:29Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548780#M615277 <HTML><HEAD></HEAD><BODY><P>For both 1 and 2 the use of the keyword dns is the same.</P><P></P><P>Honestly the use of it when used with static makes more sense than used in the nat statement.</P><P></P><P>May be in case of dynamic nat and not dynamic pat, this makes sense where the dns replies coming back from a dns server that contains the global address, it will be changed to the real ip.</P><P></P><P>-KS</P></BODY></HTML> Fri, 24 Dec 2010 14:34:33 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548780#M615277 Kureli Sankar 2010-12-24T14:34:33Z https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548781#M615279 <HTML><HEAD></HEAD><BODY><P>thanks for clarification !</P></BODY></HTML> Mon, 27 Dec 2010 08:54:26 GMT https://community.cisco.com/t5/network-security/asa-static-pat/m-p/1548781#M615279 jvardhan29 2010-12-27T08:54:26Z