Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
5
Helpful
1
Replies

ASA nat connections originating at the ASA itself

diondohmen
Level 1
Level 1

‎05-23-2018 11:57 PM - edited ‎02-21-2020 07:48 AM

Dear community,

 

Just a quick question. I would like to implement the FQDN ACL feature. The ASA which I am using for this, has a private IP address configured on it's outside if.

 

Traffic initiated from the inside if's will be static 1:1 natted to a public IP range. Traffic initiated on the ASA itself (to query the configured DNS servers), will leave the outside if (according to the routing table) and carry it's private IP as a source IP. There's a router behind this private subnet, which provides the actual Internet access. This router doesn't do any NAT, it expects the traffic is already NATted to a specific public pool. I tried to NAT these DNS queries initiated from the ASA itself, but apparently this traffic doesn't hit any NAT rule I tried to configure.

 

Any idea's if this is just working as designed or is it in any way possible to get this DNS traffic, originating at the ASA itself, to be natted?

 

thanks in advance!

Labels:
0 Helpful
1 Reply 1

Florin Barhala
Level 6
Level 6

‎05-24-2018 01:17 AM

Interesting one!
It looks like you need some kind of self NAT for the firewall. I would simply aim creating a NAT rule on the router upfront.
Let's see any other ideas if there're some blind spots here.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card