Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1295
Views
0
Helpful
3
Replies

DNS rewrite for outside interface

Johan Svanberg
Level 1
Level 1

‎03-15-2010 08:56 AM - edited ‎03-11-2019 10:21 AM

Hi!

For hosts on the dmz when connecting from the inside we use the static with dns command for dns rewrite (external dns) , but i would like to use this for the ip/dns on the outside interface to, is this somehow possible, to rewrite the external outside ip to the internal inside ip?

We don't have a dns on the inside for this, it's possible, but wanted to check if this was possible to configure on the firewall.

Thanks!

Labels:
0 Helpful
3 Replies 3

Collin Clark
VIP Alumni
VIP Alumni

‎03-15-2010 09:57 AM

I'm not sure if I understand your questions correctly, but this link should help-

http://blogs.interfacett.com/mike-storm/2006/6/29/bidirectional-nat-on-a-cisco-pix-or-asa.html

0 Helpful

vilaxmi
Cisco Employee
Cisco Employee

‎03-15-2010 10:30 PM

Hello,


Your question is not very clear as to where your users/client and server would be located (which ifc of ASA).


Though what I understand, is that you want to have internal (behind inside ifc of ASA) users and you want them to be able to access an external website using an internal IP even though the external DNS server sends server's external IP address in the DNS reply.

So, here firewall needs to rewrite the DNS qreply packet coming back to client. This scenario of "Destination NAT" can be achieved as follows :

static (outside,inside) netmask 255.255.255.255 dns


HTH

Vijaya

0 Helpful

Johan Svanberg
Level 1
Level 1
In response to vilaxmi

‎03-16-2010 02:54 AM

Thanks for replying, i'm not being really clear about this myself.

I would like to do like below but i understand thats not possible, just as an example for the dns rewrite.

static (outside,inside) <inside_interface_ip> <outside_interface_ip> netmask 255.255.255.255 dns

When users on the inside connects to https://vpn.company.com they get from the external dns the outside_interface_ip, so i would like the firewall to rewrite the dns reply with the inside_interface_ip instead.

This is only a one timer when we need to install the vpnclient and its smooth to use the webvpn functions for this and i use group alias for this and we use certficate authentication, so i would like to use the same dns name, but we dont have an dns on the inside for this, it's possible, but i wanted to check if i could get this to work with the firewall instead.

It is very like the scenario where we have resources on the dmz and both external users and inside users need to connect with dns address to the servers, for this we have the static nat with dns configured and works great, but i would like the same rewrite but from the outside_interface_ip to the inside_interface_ip.

Or get the inside users to connect to the vpn service on the outside interface.

Thanks!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card