07-23-2012 09:19 AM - edited 03-11-2019 04:33 PM
Hi,
I have a server (172.16.10.1) inside the LAN, and the IP of the server has been mapped to the public IP 41.219.130.10.
Topology:
DNS Server (8.8.8.8) ----- Outside [ASA] Inside ----------- Server (172.16.10.1)
                                                        \--- User (192.168.1.x)
Users are using the public DNS server to resolve the domain. In this case, users resolve the server's domain to the public IP address 41.219.130.10 instead of 172.16.10.1, which makes the server unreachable for the users by default.
So I enabled the DNS modification feature on the ASA. The DNS keyword has been added to the static NAT clause. The ASA is supposed to modify the DNS record to change the public IP to the private IP address. But it is not working.
Please help me check if my commands are right and complete. Thank you very much.
access-list inside_acl extended permit udp any host 8.8.8.8 eq 53
access-list outside_acl extended permit tcp any host 41.219.130.10
access-group inside_acl in interface inside
access-group inside_acl in interface outside
object network CARE-SERVER
 host 172.16.10.1
 nat (inside,outside) static 41.219.130.10 dns
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http allow-url-policy
  inspect dns
service-policy global_policy global
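What the "dns" keyword on the static NAT rule is meant to do is rewrite the A record in DNS replies crossing the ASA: a reply from the outside DNS server carrying the mapped address 41.219.130.10 is delivered to the inside client with the real address 172.16.10.1 instead. The following is an added Python example (not part of this thread and not Cisco code) that emulates that rewrite on a constructed DNS response, so the expected before/after result can be checked against what the ASA should produce. The domain name and the second A record are constructed values; the address pair comes from the post above.

```python
import struct
import ipaddress

# Rewrite table modelled on "nat (inside,outside) static 41.219.130.10 dns":
# mapped (public) address -> real (inside) address, as posted above.
DNS_REWRITE_TABLE = {
    ipaddress.IPv4Address("41.219.130.10"): ipaddress.IPv4Address("172.16.10.1"),
}


def build_dns_response(qname, answers, txid=0x1234):
    """Build a minimal DNS response with A records (constructed test input)."""
    def encode_name(name):
        out = b""
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode()
        return out + b"\x00"

    # flags 0x8180: response, recursion desired/available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    body = b""
    for ip in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return header + question + body


def _skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses carried in A/IN answer records."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4]))
            for t, c, o, l in _answers(msg) if t == 1 and c == 1 and l == 4]


def dns_rewrite(msg, table):
    """Emulate the ASA DNS rewrite on a reply heading to the inside:
    A-record rdata equal to a mapped address is replaced with the real address.
    Returns (rewritten_message, number_of_records_rewritten); length is unchanged."""
    out = bytearray(msg)
    rewrites = 0
    for rtype, rclass, off, rdlen in _answers(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = ipaddress.IPv4Address(msg[off:off + 4])
            if addr in table:
                out[off:off + 4] = table[addr].packed
                rewrites += 1
    return bytes(out), rewrites


if __name__ == "__main__":
    # "server.example.test" and 203.0.113.7 are constructed; only the mapped record changes
    reply = build_dns_response("server.example.test", ["41.219.130.10", "203.0.113.7"])
    fixed, n = dns_rewrite(reply, DNS_REWRITE_TABLE)
    print("before:", a_records(reply))
    print("after: ", a_records(fixed), "rewrites:", n)
```

If the ASA's nat-rewrite counter increments, this is the transformation the inside client should observe in nslookup; a reply that still shows the mapped address means the reply either did not traverse the inspected path or did not match the rule.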
07-23-2012 10:15 AM
The access-list should be pointing to the real address instead of the mapped address, as follows:
access-list outside_acl extended permit tcp any host 172.16.10.1
07-23-2012 10:37 AM
Thanks, Jennifer.
access-list outside_acl extended permit tcp any host 172.16.10.1
Yes. I have added this clause. But it is still not working. It seems like the ASA does not inspect DNS.
PNNDC-ASA5520# show service-policy inspect dns
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 0, drop 0, reset-drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
I don't know why there are no DNS packets inspected, but DNS inspection has been enabled globally.
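The counters above distinguish two different failures: "packet 0" means the inspection engine is not seeing any DNS at all (so the traffic is not taking the inspected path, or is cached), while a non-zero packet count with "nat-rewrite, count 0" means DNS is inspected but no A record matched a NAT rule carrying the dns keyword. As an added triage helper (not from this thread or Cisco), this Python example parses the pasted show output and classifies it. The first sample is the output posted above; the second sample with non-zero counters is constructed to show the other branches.

```python
import re

# Output pasted in the post above, used here as sample input.
SHOW_OUTPUT_POSTED = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 0, drop 0, reset-drop 0
dns-guard, count 0
protocol-enforcement, drop 0
nat-rewrite, count 0
"""

# Constructed counters (not from the thread) for a unit that does see DNS.
SHOW_OUTPUT_CONSTRUCTED = """\
Inspect: dns _default_dns_map, packet 1482, drop 3, reset-drop 0
dns-guard, count 1470
protocol-enforcement, drop 3
nat-rewrite, count 27
"""


def parse_inspect_dns(text):
    """Extract the DNS inspection counters from 'show service-policy inspect dns' output."""
    m = re.search(r"Inspect: dns \S+, packet (\d+), drop (\d+), reset-drop (\d+)", text)
    if not m:
        raise ValueError("no 'Inspect: dns' line found; is inspect dns in the policy?")
    counters = dict(zip(("packet", "drop", "reset_drop"), map(int, m.groups())))
    m = re.search(r"nat-rewrite, count (\d+)", text)
    counters["nat_rewrite"] = int(m.group(1)) if m else 0
    return counters


def diagnose(counters):
    """Classify the counters into the failure modes discussed in the thread."""
    if counters["packet"] == 0:
        # Engine never saw DNS: check that the clients' DNS really transits this
        # ASA, that resolver caches were flushed, or suspect a software defect.
        return "no-dns-inspected"
    if counters["nat_rewrite"] == 0:
        # DNS is inspected, but no reply matched a 'nat ... dns' rule's mapped address.
        return "inspected-no-rewrite"
    return "rewriting"


if __name__ == "__main__":
    for label, text in (("posted", SHOW_OUTPUT_POSTED), ("constructed", SHOW_OUTPUT_CONSTRUCTED)):
        c = parse_inspect_dns(text)
        print(label, c, "->", diagnose(c))
```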
07-23-2012 06:54 PM
Have you also flushed the DNS entries in your PC cache?
07-24-2012 12:46 AM
Yes. I have tried on 3 PCs and on routers as well.
But the ASA didn't inspect any DNS packet.
07-24-2012 01:29 AM
And it definitely uses the public DNS server? And is the DNS request actually going through the ASA, not another gateway?
Did you try NSLOOKUP, or did you try to browse to the URL?
07-24-2012 02:40 AM
I was trying to use the public DNS server on the test PCs and routers, and all the Internet traffic, including DNS, only passes through the ASA.
I have used nslookup and browsed the URL on the PCs.
Also I have used internal routers to test: clear host * and ping the domain. It still resolves to the public IP address.
I tried to use IOS 8.0 before and there was no issue with this feature. After I upgraded IOS to 8.4(3), this feature did not work and DNS inspection also did not work.
07-24-2012 03:21 AM
Can you please share your whole configuration?
07-27-2012 06:43 AM
I have upgraded the ASA platform and use IOS 8.4(4)1. There is no problem now.
Thanks.
08-03-2012 01:04 AM
Thanks for the update. It might be a bug in the previous version that you ran.