ASA static PAT

jvardhan29
Level 1

Hi,

I would like to know if DNS doctoring is supported with static PAT or only with static NAT. If it is supported with static PAT, does it support both (i.e. the interface as well as a free public IP)? Below is an example in which I have used the interface keyword in the static statement.

static (inside,Public) tcp interface 25 10.10.1.1 25 dns

8 Replies

Kureli Sankar
Cisco Employee

DNS doctoring is supported only in static 1-1 NAT. Not in static PAT.

-KS

Thanks KS. I was reading the document where the below is mentioned:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml

"DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous. "

Can you please let me know the exact meaning of the above? Though it says it is not compatible, does that mean it can still be used? Also, what do we mean by "multiple PAT rules are applicable for each A-record"?

Hi experts,

Any idea on the below question related to static PAT?

static (inside,Public) tcp interface 25 10.10.1.1 25 dns

static (inside,Public) tcp interface 80 10.20.1.1 80 dns

static (inside,Public) tcp interface 8080 10.30.1.1 8080 dns

E-mail server's A record is mail.abc.com

Webserver's A record is www.abc.com

8080 server's A record is apache.abc.com

All resolving to the same interface IP address. Now the inside host wants to go to www.abc.com, which the outside DNS server resolves to the interface IP address. With DNS doctoring enabled, which inside server will the ASA send the traffic to?

This simply is not supported.

Don't miss my ATE event: https://supportforums.cisco.com/community/netpro/ask-the-expert

-KS

jgraafmans
Level 1

The ASA rewrites the DNS reply which contains the external IP address with the internal IP address. The DNS request and reply don't contain port numbers but one external IP address can translate to multiple inside addresses based on port numbers. This is the reason DNS doctoring is not supported.


To make a server on the inside available on its outside IP address you can create this static:

static (inside,inside) tcp x.x.x.x 25 10.10.1.1 25

where x.x.x.x is the IP address of your outside interface, plus:

global (inside) y interface

where y matches the nat (inside) y statement.

This way, if a PC connects to the external IP address, the destination address is translated to 10.10.1.1 and the source address is translated to the IP address of the inside interface. This is necessary because the returning traffic needs to go through the ASA.
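The two approaches from the replies above, written out as one worked configuration. This is an added example, not configuration posted by anyone in the thread, and it uses the pre-8.3 NAT syntax the thread uses (8.3 and later replaced `static`/`nat`/`global` with object NAT). The addresses are assumed for illustration: outside interface "Public" at 203.0.113.10, a spare public IP 203.0.113.11, inside interface at 10.10.1.254, mail server 10.10.1.1 on 10.10.1.0/24.

```cisco
! Added example (assumed addresses, not from the thread).
!   Public (outside) interface: 203.0.113.10/24   spare public IP: 203.0.113.11
!   inside interface:           10.10.1.254/24    mail server:     10.10.1.1

! --- Option A: a dedicated public IP and a 1:1 static --------------------
! DNS doctoring is supported here. When an inside client resolves
! mail.abc.com and the outside DNS server answers 203.0.113.11, the ASA
! rewrites the A record to 10.10.1.1, so the client connects directly.
static (inside,Public) 203.0.113.11 10.10.1.1 netmask 255.255.255.255 dns

! --- Option B: the server shares the outside interface IP (static PAT) --
! The dns keyword gives no DNS doctoring on a static PAT (see the replies
! above), so inside clients will resolve mail.abc.com to 203.0.113.10 and
! must be hairpinned back through the ASA instead.
static (inside,Public) tcp interface 25 10.10.1.1 25

! A packet entering and leaving the same interface is dropped unless
! intra-interface traffic is permitted.
same-security-traffic permit intra-interface

! Destination rewrite: 203.0.113.10:25 -> 10.10.1.1:25 for inside-to-inside.
static (inside,inside) tcp 203.0.113.10 25 10.10.1.1 25

! Source rewrite: hide the client behind the inside interface IP so the
! server's replies return via the ASA. nat (inside) 1 is the same rule that
! pairs with global (Public) 1 for ordinary outbound PAT.
nat (inside) 1 10.10.1.0 255.255.255.0
global (inside) 1 interface
global (Public) 1 interface
```

With Option B every hairpinned connection reaches 10.10.1.1 with source 10.10.1.254, so the mail server's logs no longer show the real inside client address; if that matters, Option A (or an internal DNS view that returns 10.10.1.1) is the better choice. Either way, confirm the path before trusting it: `packet-tracer input inside tcp 10.10.1.50 12345 203.0.113.10 25` should show both the destination and source translations being applied, and `show xlate | include 10.10.1.1` shows the resulting entries.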

That is what I was looking for! Thanks to both.

I have one more question. Some of the configuration related to DNS is mentioned below, but I was not able to find what "dns" is used for here.

1st config

nat (Private) 1 0.0.0.0 0.0.0.0 dns

global (Public) 1 interface

2nd config

Also, is there any possibility that in the config below, at any point of time, nat (Public) 3 access-list MYACL dns is being used? I.e. is the config below relevant or irrelevant? What is the use of the dns keyword here?

where the MYACL access-list (which consists of the VPN clients' network) covers traffic coming to the ASA private network

nat (Public) 3 access-list MYACL dns

access-list MYACL permit ip 172.16.10.0 255.255.255.0 any

access-list NONAT permit ip any 172.16.10.0 255.255.255.0

nat (Private) 0 access-list NONAT

global (Public) 3 interface

For both 1 and 2 the use of the keyword dns is the same.

Honestly, its use with static makes more sense than its use in the nat statement.

Maybe in the case of dynamic NAT, and not dynamic PAT, this makes sense: where the DNS replies coming back from a DNS server contain the global address, it will be changed to the real IP.

-KS

Thanks for the clarification!
