https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454908#M662856 <HTML><HEAD></HEAD><BODY><P>You can configure dns doctoring (ie: with the "dns" keyword) on the static statement for the mail server.</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Example</STRONG></SPAN>:</P><P>Mail server private ip: 10.0.0.8</P><P>Mail server NATed (public ip) 200.0.0.8</P><P></P><P>static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns</P><P></P><P>Before testing it again, please make sure you flush the dns entry on the dmz host.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 21 Jun 2010 10:33:03 GMT Jennifer Halim 2010-06-21T10:33:03Z https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454907#M662838 <P><SPAN class="long_text" id="result_box"><SPAN style="background-color: #e6ecf9; color: #000000;">Hello, I have a&nbsp; problem with the DNS. Three zones: outside, dmz, inside. </SPAN><SPAN>Users of a DMZ-VLAN are using an&nbsp; external DNS server, but they must be able to access the internal mail server (inside). </SPAN><SPAN>When trying to resolve the mail server IP, the DNS&nbsp; gives them the public IP, but they have to convert it to an internal IP to access inside server.</SPAN></SPAN></P><P></P><P>How can I resolve that?</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 18:01:38 GMT https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454907#M662838 jmprats 2019-03-11T18:01:38Z https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454908#M662856 <HTML><HEAD></HEAD><BODY><P>You can configure dns doctoring (ie: with the "dns" keyword) on the static statement for the mail server.</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>Example</STRONG></SPAN>:</P><P>Mail server private ip: 10.0.0.8</P><P>Mail server NATed (public ip) 200.0.0.8</P><P></P><P>static (inside,outside) 200.0.0.8 10.0.0.8 netmask 255.255.255.255 dns</P><P></P><P>Before testing it again, please make sure you flush the dns entry on the dmz host.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 21 Jun 2010 10:33:03 GMT https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454908#M662856 Jennifer Halim 2010-06-21T10:33:03Z https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454909#M662876 <HTML><HEAD></HEAD><BODY><P>Hi, but my users are not in inside, they are external wireless users and they are in dmz, dns server is outside and email server is inside.</P><P>I think this "static (inside,outside)" command is nothing for a dmz user, or not?</P><P>Thanks</P></BODY></HTML> Mon, 21 Jun 2010 10:43:55 GMT https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454909#M662876 jmprats 2010-06-21T10:43:55Z https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454910#M662929 <HTML><HEAD></HEAD><BODY><P>You advised that external wireless users are connected to the DMZ and dns server is on the outside. So will wireless users resolve dns using the outside dns server, and the dns request and reply actually goes through the ASA from DMZ to outside interface? If the dns resolution goes through the ASA firewall, then my solution previously is the correct solution, exactly the same as the following sample configuration:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml</A></P><P></P><P>Based on the sample configuration:</P><P>- Your internal mail server would be the www server in DMZ.</P><P>- Both dns server for sample config and your config are on the outside of the ASA.</P><P>- Both users, your wireless users, and sample config inside users are on a different interface than the actual server.</P><P></P><P>If the DNS resolution does not actually pass through the ASA, then you would need to configure the following:</P><P>static (dmz,inside) 10.0.0.8 200.0.0.8 netmask 255.255.255.255</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 21 Jun 2010 11:22:42 GMT https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454910#M662929 Jennifer Halim 2010-06-21T11:22:42Z https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454911#M662954 <HTML><HEAD></HEAD><BODY><P>Thanks.</P></BODY></HTML> Mon, 21 Jun 2010 12:22:08 GMT https://community.cisco.com/t5/network-security/dns-and-nat-problem/m-p/1454911#M662954 jmprats 2010-06-21T12:22:08Z