DNS Doctoring on ASA from DMZ

Phil Bradley
Level 4

I have looked at the following article on DNS doctoring and while it makes sense, it doesn't cover my scenario. 

https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it

Basically I have an exchange server that is in my inside network and I have a NAT on the exchange box to the outside currently. I also have a DMZ area for a wireless guest network defined on the ASA. When a smartphone connects to the guest wireless their exchange email stops syncing because U-turn is disabled on the firewall by default. Is it possible to use DNS doctoring on the Public DMZ to translate my exchange box to its inside address?

 


8 Replies

Collin Clark
VIP Alumni

Yes it is. Try adding the keyword dns to the end of your NAT translation.

Ok, so I have the following NATs:

static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 dns

static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

 

The machines in the public DMZ still get the outside interface IP when looking up my exchange box. It's not doctoring the request from the public to the exchange box.

Is 'public' your DMZ interface? If so, you don't need static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255

That did it! So how do the public addresses get translated to the inside exchange box, or do they?

 

Traffic from the DNS gets read by the ASA and would normally be routed out to the internet, but the ASA does a lookup and sees that there is a translation for it. It then looks up the NAT and routes it to the inside IP. Glad to hear it's working.
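A simplified model of the rewrite Collin describes, added here as an illustration (it is not code from this thread or from Cisco). It parses a DNS reply, looks each A record up in a NAT table keyed by mapped address, and replaces the mapped address with the real one so the client on the other side of the firewall gets the inside address. The name mail.example.com, the second address 203.0.113.50 and the outside address 9.9.9.9 are constructed placeholders; the real ASA also checks which interface pair the reply is crossing and requires DNS inspection to be enabled, which this model leaves out.

```python
import struct
import ipaddress

# Constructed NAT table modelled on the thread: mapped address seen from the outside
# -> real address on the inside. 9.9.9.9 is an assumed placeholder for the outside interface.
NAT_TABLE = {
    "9.9.9.9": "192.168.0.2",
}


def encode_name(name):
    """Encode 'mail.example.com' as DNS labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns_reply(txid, name, addresses, ttl=300):
    """Build a minimal DNS reply with one A question and one A record per address (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR|RD|RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(data, offset):
    """Return the offset just past a DNS name, handling a trailing compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def _a_record_offsets(data):
    """Offsets of the 4-byte RDATA of every A record in the answer section (empty for queries)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:               # QR bit clear: this is a query, nothing to rewrite
        return []
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE and QCLASS
    offsets = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        rdata = offset + 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            offsets.append(rdata)
        offset = rdata + rdlength
    return offsets


def answer_addresses(packet):
    """List the IPv4 addresses carried in the reply's A records."""
    return [str(ipaddress.IPv4Address(bytes(packet[o:o + 4]))) for o in _a_record_offsets(packet)]


def doctor_dns_reply(packet, nat_table):
    """Rewrite A records whose address is a mapped address in nat_table to the real address.

    Returns (new_packet, [(mapped, real), ...]). Addresses with no translation are left alone,
    and the packet length never changes because only the 4-byte RDATA is replaced."""
    data = bytearray(packet)
    rewrites = []
    for o in _a_record_offsets(data):
        mapped = str(ipaddress.IPv4Address(bytes(data[o:o + 4])))
        real = nat_table.get(mapped)
        if real is not None:
            data[o:o + 4] = ipaddress.IPv4Address(real).packed
            rewrites.append((mapped, real))
    return bytes(data), rewrites


if __name__ == "__main__":
    reply = build_dns_reply(0x1234, "mail.example.com", ["9.9.9.9", "203.0.113.50"])
    fixed, changes = doctor_dns_reply(reply, NAT_TABLE)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(fixed), changes)
```

The practical check this model makes visible: doctoring only ever touches the A records of a reply that actually passes through the firewall with DNS inspection applied, so a DMZ client that resolves the name through a DNS server on the same DMZ (or over an encrypted resolver) still receives the outside address and will keep failing until that path also crosses the ASA.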

Ah, I see. So the NAT it is using is the one that has the DNS re-write now?

Hi Phil,

 

Let's assume that your outside interface IP address is: 9.9.9.9

 

static (inside, public) 9.9.9.9 192.168.0.2 netmask 255.255.255.255

 

Hope this helps.

 

thanks

Rizwan Rafeek.

That's what I don't understand. The only public DMZ NAT that I have is dynamic to the outside interface.

nat (Public) 10 0.0.0.0 0.0.0.0

I don't have any other nat to the public DMZ interface.
