03-21-2011 12:14 PM - edited 03-11-2019 01:10 PM
Users and systems on the 10.10.30.0/24 network cannot get directly to ourcompany.com using the DNS lookup of the IP, because that IP is on the outside interface of the ASA and everything on 10.10.30.0/24 has to go through the ASA to get back in, but it does not appear that the ASA supports such a configuration.
1. How do I configure the ASA to allow traffic to return inbound when originating from an inside source IP?
2. How do I allow server1.ourcompany.com, which is inside the network, to translate to the inside IP, rather than the public IP of the egress interface?
3. Is there another solution?
03-21-2011 12:27 PM
Hi,
I think that you're looking for DNS Doctoring or DNS rewrite.
The ASA allows translation for DNS responses so that you can access the device from the inside.
For example if you have:
static (in,out) 2.2.2.2 1.1.1.1 dns
The above static allows access from the outside to 2.2.2.2 (the ASA redirects it to 1.1.1.1 on the inside).
But it also allows a DNS translation so that when the outside DNS replies with IP 2.2.2.2 (outside IP), the ASA translates the DNS response to 1.1.1.1 (so the inside host knows that it can reach the server with its real IP 1.1.1.1).
Hope it helps.
Federico.
03-21-2011 12:47 PM
I see the DNS doctoring technique, but how does that manage to translate ANY mycompany.com destination requests from inside to a corresponding server inside? Does this always have to be a one-to-one NAT for a specific inside server? We have numerous servers inside that have DNS listings. What are the security risks of DNS doctoring? Thanks!
03-21-2011 12:50 PM
I'm not sure if you can do something like:
static (in,out) 2.2.2.0 1.1.1.0 netmask 255.255.255.0 dns
to do DNS rewrite for the entire subnet; otherwise it has to be done for every server specifically.
Security risks?
I don't think so; the ASA is just translating the DNS response to the real IP when sending the DNS packet to the inside host.
Federico.
03-21-2011 01:13 PM
So, what I'm hearing you say is that this static "(in,out) 2.2.2.2 1.1.1.1 dns" NAT will ONLY be used if the public DNS server translates the request to server1.mycompany.com from the inside network and sends it to the specific IP on the inside.
In this ASA, 2.2.2.2 has the global pool for the interface. Other access on this outside address is controlled by port translation. I just don't want to risk screwing up any of the normal permissions. You'll have to pardon me as I'm just beginning to use these systems.
03-21-2011 01:19 PM
What this command does:
static (in,out) 2.2.2.2 1.1.1.1 dns
1. Inside host sends a DNS packet asking how to get to yourcompany.com
2. The inside host is configured to ask an external DNS server (outside the ASA).
3. The DNS request goes through the ASA and reaches the external DNS server
4. The DNS server replies (as it is configured) with the public IP of yourcompany.com (let's say 2.2.2.2)
5. The DNS packet (containing the mapping 2.2.2.2 to yourcompany.com) arrives at the outside interface of the ASA
6. The ASA will normally just forward this packet to the inside host that sent the request, but since the static NAT has the "dns" keyword it will translate that DNS response from 2.2.2.2 to 1.1.1.1
7. The inside host then knows that it can reach yourcompany.com by sending the packets to 1.1.1.1
If you remove the "dns" keyword, what happens is that the inside host will attempt to reach yourcompany.com using IP 2.2.2.2 (because that's what it received in the unmodified DNS response).
Hope it's more clear.
Federico.
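The configuration behind the seven steps above, as an added example that is not Federico's own posting: pre-8.3 ASA syntax, with the interface names "inside"/"outside", the server port (www) and the ACL name as assumptions, and 2.2.2.2 / 1.1.1.1 as the placeholder public/private addresses used in the thread.

```text
! Added example (not from the thread): pre-8.3 ASA syntax.
! Interface names, ACL name and the published port are assumptions;
! 2.2.2.2 (public) and 1.1.1.1 (private) are the thread's placeholders.
!
! One-to-one static NAT for the server, with DNS rewrite enabled
static (inside,outside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255 dns
!
! Only the published service is reachable from the outside
access-list outside_in extended permit tcp any host 2.2.2.2 eq www
access-group outside_in in interface outside
!
! The "dns" keyword does nothing unless DNS inspection is on.
! This is the ASA's default global policy; check that it is still present.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
```

Two points a practitioner should keep in mind. The rewrite keys on the IP address in the A record of a reply passing from outside to inside, not on the name queried, so each server with its own public address needs its own static with the "dns" keyword, and a reply for a name that resolves to an address with no matching static is forwarded unmodified. And because the rewrite is done by the DNS inspection engine, removing inspect dns from the global policy silently turns DNS doctoring off; "show service-policy" shows whether the inspection is active.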
03-21-2011 01:36 PM
One last question, I think: can the static NAT be set up asymmetrically, i.e., can I do something like static (in,out) 2.2.2.2 1.1.1.0? We have several servers inside that have DNS entries that point them to the single outside address, but use PAT.
Wolf
03-21-2011 01:39 PM
You cannot statically NAT a subnet to a single IP address.
Unless you have one-to-one static NAT, you cannot access the servers from the outside anyway.
Another alternative is to have an "inside" DNS server that serves the DNS queries from the inside network.
Federico.
03-21-2011 01:45 PM
Thank you for your assistance and your patience!
Wolf
03-21-2011 01:52 PM
Wolf,
Just wanted to point out a few things:
1. Asymmetric static NAT is not possible since both IP addresses share the same netmask
2. For dns doctoring to work you need to enable "inspect dns" in the policy map.
3. An alternative to DNS doctoring is to use hairpinning of traffic on the inside interface.
Configuration:
same-security-traffic permit intra-interface
static (inside,inside)
nat (inside) x 0 0 (should be present already in your config)
global (inside) x interface
So now traffic destined to the public IP is un-NATed to its private IP, and sent out the inside interface to the web server on its private IP.
global (inside) is required to prevent asymmetric routing.
Comparatively, I think both DNS doctoring and hairpinning would require the same number of static NATs configured, and I think DNS doctoring would be less CPU intensive to the ASA. But I just thought I would mention hairpinning, as your initial question seemed to be something along the lines of how it works.
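The hairpinning alternative written out in full, as an added example rather than Shrikant's configuration: pre-8.3 syntax, the same placeholder addresses as the thread, and NAT ID 1 and the interface names as assumptions. The existing static (inside,outside) for outside access stays in place; these lines are added alongside it.

```text
! Added example (not from the thread): pre-8.3 ASA syntax.
! NAT ID 1 and interface names are assumptions;
! 2.2.2.2 (public) and 1.1.1.1 (private) are the thread's placeholders.
!
! Let a packet enter and leave the ASA on the same interface
same-security-traffic permit intra-interface
!
! Un-NAT 2.2.2.2 -> 1.1.1.1 for traffic that arrives on the inside interface
static (inside,inside) 2.2.2.2 1.1.1.1 netmask 255.255.255.255
!
! Dynamic PAT for inside hosts. The global (inside) line makes the ASA
! rewrite the source of a hairpinned connection to its own inside address,
! so the server's replies return through the ASA instead of going straight
! back to the client (which would be asymmetric and get dropped).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (inside) 1 interface
```

The trade-off to note before choosing this over DNS doctoring: every inside-to-inside connection through the public address now crosses the ASA twice and is translated twice, and the server sees the ASA's inside interface address as the client, so its logs lose the real client IP. "show xlate" after a test connection shows both translations.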
03-22-2011 11:47 AM
OK, I suppose that will have to do. Can I enter several public/private pairs (static (inside,inside)), each with different outside and inside IP addresses?
03-22-2011 11:53 AM
Hi Wolf,
Yes, you can have multiple static NATs with the "dns" keyword at the end.
Make sure inspect dns is enabled for dns doctoring to work.
-Shrikant