Beginner

DNS Doctoring on ASA from DMZ

I have looked at the following article on DNS doctoring and while it makes sense, it doesn't cover my scenario. 

https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it

Basically I have an Exchange server that is in my inside network and I have a NAT on the Exchange box to the outside currently. I also have a DMZ area for a wireless guest network defined on the ASA. When a smartphone connects to the guest wireless, their Exchange email stops syncing because U-turn is disabled on the firewall by default. Is it possible to use DNS doctoring on the Public DMZ to translate my Exchange box to its inside address?

2 ACCEPTED SOLUTIONS
8 REPLIES
Advisor

Yes it is. Try adding the keyword dns to the end of your NAT translation.

Beginner

Ok, so I have the following NATs:

static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 dns

static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

The machines in the public DMZ still get the outside interface IP when looking up my Exchange box. It's not doctoring the request from the public to the Exchange box.

Advisor

Is 'public' your DMZ interface? If so, you don't need static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

Beginner

That did it! So how do the public addresses get translated to the inside Exchange box, or do they?

Advisor

Traffic from the DNS gets read by the ASA and would normally be routed out to the internet, but the ASA does a lookup and sees that there is a translation for it. It then looks up the NAT and routes it to the inside IP. Glad to hear it's working.
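
The rewrite the Advisor describes, as an added toy model (example code written for this page, not ASA code and not anything posted in the thread): the ASA inspects DNS replies on their way back to the client and, for each A record whose address equals the mapped address of a static translation configured with the dns keyword, substitutes that translation's real address before forwarding the reply. The outside interface address 9.9.9.9 (the same assumption Rizwan makes below), the host name mail.example.com and the DNS packet are all constructed for the example; the model ignores interface direction, the port part of a port static, and the DNS inspection policy a real ASA needs.

```python
"""Toy model of ASA DNS doctoring: rewrite A records in a DNS reply that match the
mapped address of a static translation carrying the 'dns' keyword.
Added example, not ASA code; addresses and names are assumptions from the thread."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator


@dataclass(frozen=True)
class StaticNat:
    """One 'static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255 [dns]' line."""
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    dns: bool = False


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a DNS name (label sequence or a compression pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # two-byte compression pointer terminates the name
            return pos + 2
        pos += 1 + length


def _iter_a_records(msg: bytes) -> Iterator[int]:
    """Yield the RDATA offset of every IN A record in the answer/authority/additional sections."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = pos + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield rdata
        pos = rdata + rdlen


def a_records(msg: bytes) -> list[str]:
    """Dotted-quad addresses of all A records in the message, in wire order."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4])) for off in _iter_a_records(msg)]


def doctor_dns_reply(msg: bytes, nat_table: list[StaticNat]) -> tuple[bytes, list[tuple[str, str]]]:
    """Return (rewritten message, [(old, new), ...]).

    Only replies (QR bit set) are touched, and only translations with dns=True
    take part: an A record equal to such a translation's mapped address is
    replaced by its real address. An IPv4 address is always 4 bytes, so the
    record length and every other offset in the packet stay the same."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        return msg, []
    rewrite_map = {ipaddress.IPv4Address(n.mapped_ip): n.real_ip for n in nat_table if n.dns}
    out = bytearray(msg)
    rewrites = []
    for off in _iter_a_records(msg):
        addr = ipaddress.IPv4Address(msg[off:off + 4])
        if addr in rewrite_map:
            new = rewrite_map[addr]
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
            rewrites.append((str(addr), new))
    return bytes(out), rewrites


def build_a_reply(name: str, addr: str, txid: int = 0x1234, reply: bool = True) -> bytes:
    """Construct a minimal one-question, one-answer DNS message (constructed test input)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180 if reply else 0x0100, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    # Assumed: outside interface 9.9.9.9, Exchange host 192.168.0.2, as in the thread.
    table = [
        StaticNat("inside", "outside", "9.9.9.9", "192.168.0.2", dns=True),
        StaticNat("inside", "public", "192.168.0.2", "192.168.0.2"),   # identity static, no dns
    ]
    reply = build_a_reply("mail.example.com", "9.9.9.9")
    doctored, changes = doctor_dns_reply(reply, table)
    print("before:", a_records(reply), "after:", a_records(doctored), "rewrites:", changes)
```

In the model the identity static carries no dns flag and so never takes part, which mirrors the thread: only the translation that has the keyword can rewrite the reply. On a real ASA the rewrite also depends on DNS application inspection (inspect dns) being applied to that traffic, which the default global service policy includes.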

Beginner

Ah, I see. So the NAT it is using is the one that has the DNS re-write now?

Rising star

Hi Phil,

Let's assume that your outside interface IP address is: 9.9.9.9

static (inside, public) 9.9.9.9 192.168.0.2 netmask 255.255.255.255

Hope this helps.

thanks

Rizwan Rafeek.

Beginner

That's what I don't understand. The only public DMZ NAT that I have is dynamic to the outside interface.

nat (Public) 10 0.0.0.0 0.0.0.0

I don't have any other nat to the public DMZ interface.