ASA 8.4(5) destination NAT and DNS rewrite

Hi,

one more question about destination NAT. In earlier releases it was possible to have DNS rewrite together with destination NAT. In 8.4 I am struggling with the configuration. The situation looks like this:

Client                                    ftp.other.com
172.23.23.23                              192.168.10.1

            inside----ASA 8.5.4-----outside

DNS Server my.com                         DNS Server other.com
172.27.27.27                              192.168.10.10

Forwarder for other.com: 192.168.10.10

Due to an address overlap I have to translate all 192.168.10.0 addresses of other.com on the my.com side to 192.168.20.x. I can do that for everything with Twice NAT except for the DNS queries that are sent from DNS Server my.com to DNS Server other.com. When the client asks his local DNS server for ftp.other.com, the reply I get is still 192.168.10.1 instead of 192.168.20.1. I have then seen that I cannot use Twice NAT (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157) but up to now I have not found any possibility to configure it with Network object NAT.

Any hint is appreciated.

Mat

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Don't think I can really give you an answer but thought I'd write anyway.

It does seem on the basis of the documentation of the ASA (8.4) that with Twice NAT you won't be able to do any modifications to the DNS replies.

Here's one quote from the Configuration Guide

Configuring Network Address Translation -> Information About NAT -> DNS and NAT

If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source address as well as the destination address. These kinds of rules can potentially have a different translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain information about which source/destination address combination was in the packet that prompted the DNS request.

So if I'm not totally wrong I guess your options might be to either

  • Start doing changes to the local DNS server directly?
  • Separate the remote overlapping network from your current firewall with another firewall device?
    • I don't know the whole setup so this might be impossible
    • Thinking that if the NAT for the remote overlapping network was done on another firewall it could do the DNS reply changes before they arrived on your ASA from the remote DNS server?

I have not really had to tackle such a situation before. I most commonly run into situations where a customer has public IP configured with 1:1 Static NAT and there is no DNS parameter in the Static NAT configuration while the customer tries to use the DNS name to connect to their local server.

Just some of my thoughts. Maybe someone else might have more experience with the same type of situations.

- Jouni


3 Replies


Hi Jouni,

thanks for your thoughts. The bad thing is that a week ago I had this running with version 8.0(5). I can hardly imagine that this shouldn't work with 8.4(5).

What I manage to do is the DNS translation, but then all my normal NAT translations do not work anymore. Or I can ping everything but not use DNS. But both at the same time, no way till now.

I will revert to some unorthodox DNS setup as you proposed. The question for me remains whether there is a possibility to do source AND destination translation in two config statements. This would be the only way to have the DNS keyword in at least one of them.

Kind regards,

Mat

Hi,

Regarding using 2 different NAT configurations (2x object network NAT), it would seem you will again hit a limitation if I'm reading the below quote correctly.

How source and destination NAT is implemented.

Network object NAT: Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.

This is from the section

Configuring Network Address Translation -> Information About NAT -> How NAT is Implemented -> Main Differences Between Network Object NAT and Twice NAT

I do remember reading different types of threads related to Old NAT vs. New NAT on these forums where people have not been able to migrate their old rules to new ones. I think one of them related to handling ICMP traffic and if I remember right functionality for it has just been added in one of the newest software releases. So I wouldn't be surprised if this was something that was overlooked with the new software. But as I said I haven't had to tackle such a situation so I haven't gone in depth with coming up with a workaround.

- Jouni
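As an added illustration (not configuration from the thread or from Cisco's guide), this is the two-statement network object NAT layout Mat asks about: one object rule for the overlapping other.com network carrying the dns keyword, and a separate object rule for the local clients. The 192.168.10.0/24 to 192.168.20.0/24 mapping and the interface names come from Mat's description; the object names, the 172.23.23.0/24 client range and its mapped range 192.168.30.0/24 are assumptions.

```cisco
! Added example, not from the thread. Object names and the mapped
! range 192.168.30.0/24 for the local clients are assumptions.
!
! Rule 1: other.com hosts as seen from the my.com side. Real addresses
! sit on outside, mapped addresses are what inside hosts use. "dns"
! makes the ASA rewrite matching A records in DNS replies that cross
! this rule (other.com DNS -> my.com DNS: 192.168.10.1 -> 192.168.20.1).
! This relies on DNS inspection, which is on in the default global policy.
object network OTHER-COM-MAPPED
 subnet 192.168.20.0 255.255.255.0
 description other.com hosts as addressed from my.com
object network OTHER-COM-REAL
 subnet 192.168.10.0 255.255.255.0
 description other.com hosts, real addresses (overlap with my.com)
 nat (outside,inside) static OTHER-COM-MAPPED dns
!
! Rule 2: local clients translated towards other.com in a separate
! statement without the dns keyword. As the quoted guide text says,
! each object rule applies to source or destination on its own, so this
! rule cannot be bound to rule 1 as a source/destination pair.
object network MY-COM-CLIENTS-MAPPED
 subnet 192.168.30.0 255.255.255.0
object network MY-COM-CLIENTS
 subnet 172.23.23.0 255.255.255.0
 nat (inside,outside) static MY-COM-CLIENTS-MAPPED
!
! Checks: "show nat detail" lists both rules with their hit counts, and
! packet-tracer walks a forwarded DNS query from the my.com DNS server
! to the mapped address of the other.com DNS server through rule 1:
! packet-tracer input inside udp 172.27.27.27 53 192.168.20.10 53
```

The packet-tracer output shows which NAT rule matched and the untranslated destination; a reply's rewritten A record can be confirmed with a query from the client against the local DNS server.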
