cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

122
Views
5
Helpful
1
Replies
Highlighted
Beginner

ASA nat connections originating at the ASA itself

Dear community,

 

Just a quick question. I would like to implement the FQDN ACL feature. The ASA which I am using for this, has a private IP address configured on it's outside if.

 

Traffic initiated from the inside if's will be static 1:1 natted to a public IP range. Traffic initiated on the ASA itself (to query the configured DNS servers), will leave the outside if (according to the routing table) and carry it's private IP as a source IP. There's a router behind this private subnet, which provides the actual Internet access. This router doesn't do any NAT, it expects the traffic is already NATted to a specific public pool. I tried to NAT these DNS queries initiated from the ASA itself, but apparently this traffic doesn't hit any NAT rule I tried to configure.

 

Any idea's if this is just working as designed or is it in any way possible to get this DNS traffic, originating at the ASA itself, to be natted?

 

thanks in advance!

1 REPLY 1
Highlighted
Frequent Contributor

Re: ASA nat connections originating at the ASA itself

Interesting one!
It looks like you need some kind of self NAT for the firewall. I would simply aim creating a NAT rule on the router upfront.
Let's see any other ideas if there're some blind spots here.