topic Re: DNS Issue due to translation in Network Security

DNS Issue due to translation

Muhammad Zeeshan Sanaullah — Mon, 11 Mar 2019 17:29:21 GMT

Hey Everyone,

I am facing a DNS issue due to NAT, i think dns doctoring can solve this but the scenario is a little different so not sure of the exact solution.

Attached is the network diagram. Exchange Server , DNS and Domain Controller are all located on a single physical server which has an IP 172.20.10.100. Both the server and the intenal users reside on the inside subnet. In the DNS the name-to-IP mapping is for example srv.abc.com -> 172.20.10.100. The Inside users have no connectivity issue.

The server is translated to 192.168.100.20 when accessing the outside network, this is a static translation

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255

The Branch users when they access they try to resolve srv.abc.com get the mapping to 172.20.10.100 which does not allow communication using name as Branch users cannot access 172.20.10.100 but they can access 192.168.100.20.

What needs to be configured on the ASA to resolve this issue ?

will this work

static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255 dns

Thanks

Zeeshan

Re: DNS Issue due to translation

Jennifer Halim — Tue, 06 Apr 2010 11:07:44 GMT

Yes, dns doctoring will work as long as the branch user uses 192.168.100.20 as its dns server for dns resolution.

Re: DNS Issue due to translation

Muhammad Zeeshan Sanaullah — Tue, 06 Apr 2010 13:07:59 GMT

halijenn

It didn't work. I specified the command using dns keyword and flushed the DNS on the Branch host, the host still resolves the name of the server to 172.20.10.100. Is there any other thing which needs to be done.

Thanks

Zeeshan Sanaullah

Re: DNS Issue due to translation

Jennifer Halim — Tue, 06 Apr 2010 13:17:32 GMT

Is the user using the public ip address of the HQ dns server for dns resolution? It will only work if the dns request passes through the HQ ASA where the static with "dns" keyword is configured, and the reply goes back through the ASA as well.

Can you please confirm what DNS server is used at your branch host?

Re: DNS Issue due to translation

Muhammad Zeeshan Sanaullah — Tue, 06 Apr 2010 13:37:50 GMT

The Branch user has 192.168.100.20 configured as the DNS Server. Yes the DNS request passes through the ASA.

Re: DNS Issue due to translation

Jennifer Halim — Wed, 07 Apr 2010 03:21:31 GMT

Is dns inspection also enabled on the HQ ASA?

Re: DNS Issue due to translation

Muhammad Zeeshan Sanaullah — Wed, 07 Apr 2010 06:31:32 GMT

DNS Inspection is on ... as shown below

class-map inspection_default

match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect xdmcp
inspect esmtp
inspect dns
inspect http

Re: DNS Issue due to translation

Kureli Sankar — Wed, 07 Apr 2010 12:00:15 GMT

Remove the "dns" keyword from the static. This should resolve the issue.

The inside hosts are getting resolution from the inside DNS and they are wroking fine.

The outside folks do not need to get the inside IP upon resolving so, remove the dns keyword from the static.

-KS

Re: DNS Issue due to translation

Muhammad Zeeshan Sanaullah — Wed, 07 Apr 2010 15:21:50 GMT

@kusankar

The actual configuration is without dns keyword. I added dns keyword to see if the issue resolves but it did not.

Outside hosts when they resolve srv.abc.com they get 172.20.10.100 but they should get 192.168.100.20 after dns keyword is entered.

@halijenn

The ASA OS version is 7.07 ... can it be software issue ???

Thanks

Zeeshan

Re: DNS Issue due to translation

Kureli Sankar — Wed, 07 Apr 2010 15:30:55 GMT

Can you temporarily just remove dns inspection and see if this works. If it does then we can exclude dns inspection for this remote network and add dns inspection for all other traffic.

-KS