Accessing Public NAT address from inside interface

agent2007
Level 1

Hi All,

The situation is as follows:

I have an interface on my ASA dedicated to unmanaged devices that can get to the internet only, with no access to any other networks behind the ASA. These users want to use our mail server on the network, but they use external DNS to resolve, so when they try to connect to the public NATed address of our mail server it fails.

Is this possible to do? I have read a little bit about hairpinning and DNS doctoring, but I am not too sure about those procedures or whether they will give me what I need.

Can anyone please help me here?

Thanks

6 Replies

Jouni Forss
VIP Alumni

Hi,

The Static NAT for the Mail server needs to have the "dns" parameter to work.

If it's not configured, which seems to be the case, it would need to be added.

Do notice that adding the "dns" parameter requires reconfiguration of the NAT command and therefore would temporarily tear down the mail server's connections to the "outside" network at least.

The command format depends on your ASA software version.

Examples for both would be:

ASA 8.2 and below

static (inside,outside) netmask 255.255.255.255 dns

ASA 8.3 and after

object network STATIC-MAIL

host

nat (inside,outside) static dns

EDIT:

As a clarification to the above:

The "dns" parameter should enable the ASA to work so that when a user asks for the IP address of the server by its DNS name, the ASA sees the reply carrying the public IP address come from the public DNS server and notices that it has a NAT configuration for that public IP address. It therefore rewrites the DNS reply so that the host actually gets the local IP address of the server, because the ASA has modified the reply in between on account of the "dns" parameter.

- Jouni

Hi Jouni,

I added the command as follows:

static (DMZ1,Outside) x.x.x.x 172.16.0.50 netmask 255.255.255.255 dns

but it still does not work

I also added a rule to allow traffic between the interfaces, because the interface that the devices are behind has a security level of 1 and the DMZ interface has a security level of 50,

but it still does not work

any other ideas?

Thanks

Hi,

To my understanding it should be enough for this to work.

Here's a quote from the Command Reference for ASA 8.2 software regarding the "dns" parameter:

dns

(Optional) Rewrites the A record, or address record, in DNS replies that match this static. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

Note: DNS inspection must be enabled to support this functionality.

So as long as the hosts behind the interface use a public DNS server directly, the DNS reply should be rewritten. And as it says, "inspect dns" needs to be configured on the ASA for this to work.

If this didn't work right away for me, I would perhaps first open ASDM and check the connections initiated by the host that's testing and see where the connections are going. Are they still using the public IP address or the private IP address?

You could even go as far as to capture all DNS traffic on the interface that has the users behind it and see if the DNS replies are getting modified. Naturally the same could be done more easily on an actual test computer with Wireshark on the network in question.

- Jouni
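The two pieces Jouni describes above (the "dns" keyword on the static NAT and DNS inspection being enabled) pulled together into one configuration, as an added example that is not part of the original thread. The interface names DMZ1, Outside and Wireless_HSP and the real address 172.16.0.50 are taken from the thread; the public address 203.0.113.10 (documentation range), the object and ACL names, and the capture name are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumes Wireless_HSP (security
! level 1), DMZ1 (level 50), Outside, and a mail server at 172.16.0.50
! published as 203.0.113.10.

! --- ASA 8.3 and later: object NAT with the dns keyword ---
object network MAIL-SERVER
 host 172.16.0.50
 ! "dns": A records carrying 203.0.113.10 in replies that cross from the
 ! mapped interface (Outside) to any other interface are rewritten to
 ! 172.16.0.50, so a Wireless_HSP client using a public resolver gets
 ! the real address and never tries to hairpin via the public one.
 nat (DMZ1,Outside) static 203.0.113.10 dns

! --- ASA 8.2 and earlier: same thing in static syntax ---
! static (DMZ1,Outside) 203.0.113.10 172.16.0.50 netmask 255.255.255.255 dns

! DNS inspection must be on for either form; without it the dns keyword
! is silently ignored. inspection_default/global_policy are the factory
! default names; check "show running-config policy-map" on your box.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! Wireless_HSP is a lower security level than DMZ1, so the mail traffic
! still needs an explicit permit. In 8.3+ ACLs always reference the real
! address; here no NAT applies between these two interfaces, so the real
! address is also what the client sends to after the rewrite.
access-list WIRELESS_IN extended permit udp any any eq domain
access-list WIRELESS_IN extended permit tcp any host 172.16.0.50 eq smtp
access-list WIRELESS_IN extended permit tcp any host 172.16.0.50 eq 443
access-group WIRELESS_IN in interface Wireless_HSP

! Verification: capture DNS on the client-facing interface and confirm
! the A record the client actually receives is 172.16.0.50.
capture DNSCAP interface Wireless_HSP match udp any any eq domain
show capture DNSCAP detail
```

The caveat that bites most often: the rewrite only happens to replies that traverse the ASA from the mapped interface. If the clients resolve against an internal DNS server (AD DNS, or a server on the same segment) the reply never crosses the (DMZ1,Outside) pair and nothing is rewritten; in that case the public-to-private mapping has to be done in NAT between the client interface and DMZ1 instead, which is the route the thread ends up taking.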

Oh,

And naturally, if you want, you can use the "packet-tracer" command to test the traffic/connection the host should initiate after getting the DNS reply.

Command format should be something like:

packet-tracer input

- Jouni

Thanks for your assistance here Jouni. Unfortunately the server in question is a Microsoft TMG server and uses internal AD DNS servers, so this will not work in this setup according to your reply.

After all that, I got it working by putting in the following NAT rule:

static (DMZ1,Wireless_HSP) x.x.x.x 172.16.0.50 netmask 255.255.255.255

x.x.x.x being the public IP address.
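The fix the original poster landed on is a second static between the client interface and DMZ1, so the public address is translated back to the real server on that interface pair without any DNS rewriting. The same thing in ASA 8.3+ syntax, with a packet-tracer check of the resulting flow, as an added example that is not from the thread. Interface names and 172.16.0.50 come from the thread; the public address 203.0.113.10, the client address 10.10.10.20, and the object name are assumptions.

```cisco
! Added example, not from the thread. Assumes the same interfaces as the
! poster (DMZ1, Wireless_HSP) and a mail server 172.16.0.50 whose public
! address is 203.0.113.10.

! --- ASA 8.2 and earlier: the static the poster used ---
! static (DMZ1,Wireless_HSP) 203.0.113.10 172.16.0.50 netmask 255.255.255.255

! --- ASA 8.3 and later: one object per interface pair ---
! An object takes a single nat line, so the second interface pair gets
! its own object with the same host. No dns keyword is needed here: the
! client already holds the public address and the ASA un-NATs it on the
! way into DMZ1.
object network MAIL-SERVER-HSP
 host 172.16.0.50
 nat (DMZ1,Wireless_HSP) static 203.0.113.10

! Lower-to-higher security level still needs a permit. In 8.3+ the ACL
! names the real address; in 8.2 it would name the translated one
! (203.0.113.10) instead.
access-list WIRELESS_IN extended permit tcp any host 172.16.0.50 eq smtp
access-group WIRELESS_IN in interface Wireless_HSP

! Verification: simulate a client SMTP connection to the public address
! and read the NAT and ACL phases; the output should show the destination
! un-translated to 172.16.0.50 and the packet allowed out DMZ1.
packet-tracer input Wireless_HSP tcp 10.10.10.20 40000 203.0.113.10 25 detailed

! Then confirm the translation is actually in use for live traffic.
show nat detail
show xlate
```

Keep in mind that the untranslated 172.16.0.50 becomes reachable from the unmanaged segment only through the ACL above, so restrict it to the mail ports actually needed rather than permitting any to the host; the whole point of that interface was internet-only access.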
