https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716182#M984155 <P>I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.</P><P></P><P>I plan to have three security zones:</P><P>SERVER_NETWORK 10.0.0.0/24</P><P>CLIENT_NETWORK 192.168.100.0/24</P><P>PUBLIC_NETWORK 200.200.200.0/24 (obfuscated intentionally)</P><P></P><P>I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Lets say for simplicity, its a web server.</P><P></P><P>SERVER01 (ip: 10.0.0.10) (External NAT: 200.200.200.10)</P><P></P><P>Externally, if you resolve "<A href="http://www.mycompanywebsite.com" target="_blank">www.mycompanywebsite.com</A>", DNS will return 200.200.200.10.</P><P></P><P>Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address (200.200.200.10) or browsed to that resouce, they would be able to reach SERVER01 too?</P><P></P><P>In other words, can I have NAT translations occur on both interfaces, public and client?</P><P></P><P>I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)</P><P></P><P>I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desireable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.</P><P></P><P>Any advice? Is this easily overcome now?</P><P>Thanks!</P><P>-Matt</P> Mon, 11 Mar 2019 10:46:20 GMT mattg 2019-03-11T10:46:20Z https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716182#M984155 <P>I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.</P><P></P><P>I plan to have three security zones:</P><P>SERVER_NETWORK 10.0.0.0/24</P><P>CLIENT_NETWORK 192.168.100.0/24</P><P>PUBLIC_NETWORK 200.200.200.0/24 (obfuscated intentionally)</P><P></P><P>I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Lets say for simplicity, its a web server.</P><P></P><P>SERVER01 (ip: 10.0.0.10) (External NAT: 200.200.200.10)</P><P></P><P>Externally, if you resolve "<A href="http://www.mycompanywebsite.com" target="_blank">www.mycompanywebsite.com</A>", DNS will return 200.200.200.10.</P><P></P><P>Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address (200.200.200.10) or browsed to that resouce, they would be able to reach SERVER01 too?</P><P></P><P>In other words, can I have NAT translations occur on both interfaces, public and client?</P><P></P><P>I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)</P><P></P><P>I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desireable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.</P><P></P><P>Any advice? Is this easily overcome now?</P><P>Thanks!</P><P>-Matt</P> Mon, 11 Mar 2019 10:46:20 GMT https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716182#M984155 mattg 2019-03-11T10:46:20Z https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716183#M984156 <HTML><HEAD></HEAD><BODY><P>Hi Matt </P><P></P><P>Yes you can do this, it is called DNS doctoring. Attached is a link to a configuration example of DND doctoring on the ASA. </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml</A></P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Thu, 19 Jul 2007 07:15:34 GMT https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716183#M984156 Jon Marshall 2007-07-19T07:15:34Z https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716184#M984157 <HTML><HEAD></HEAD><BODY><P>Thats perfect Jon.</P><P>Thank you.</P></BODY></HTML> Thu, 19 Jul 2007 07:46:28 GMT https://community.cisco.com/t5/network-security/question-about-nat-redirection/m-p/716184#M984157 mattg 2007-07-19T07:46:28Z