
Asymmetric NAT rules matched for forward and reverse flows

sindbandgi
Level 1

Hello,

We are using a Cisco ASA 5585 in context mode without any NAT configuration. We have decommissioned a couple of DNS servers and migrated to a new DNS server; however, a couple of applications are still using the old DNS servers. Now we have a requirement that if any server tries to connect to the old DNS servers, either from the inside network or the outside network, the Cisco ASA has to redirect the traffic to the new live DNS server.

Example: Old DNS Servers: 192.168.20.10, 192.168.20.15, 10.160.1.4 (we have more)

New DNS Server: 172.31.34.45

If any application tries to reach any of these IP addresses (192.168.20.10, 192.168.20.15, 10.160.1.4), then the ASA has to redirect the traffic to 172.31.34.45.

I tried using NAT; however, I am getting this error:

305013 10.30.116.22 51808 172.31.34.45 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src OUTSIDE:10.30.116.22/51808 dst INSIDE:172.31.34.45/53 denied due to NAT reverse path failure

Please suggest a solution. Below is the simple network diagram:

Users -------------Outside -------- Cisco ASA ------Inside ------------------ DNS Server

                     |-----------Application Servers (which are in the inside network)

Regards

Rajkumar


1 Reply

Marvin Rhoads
Hall of Fame

Since your users are coming from random outside addresses, there would need to be a 1-1 static NAT. However since you are trying to replace multiple addresses with one, NAT does not scale out that way.

It would be best to deploy / communicate the new DNS server address to the clients.
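To make the reply concrete, here is what the 1-to-1 static NAT it mentions looks like on an ASA for a single old address, together with the check a practitioner would run. This is an added illustration, not configuration from the original thread; the object name and the interface names inside/outside are assumptions, and the addresses are the ones given in the question.

```text
! Added example (assumed object and interface names). The live DNS server
! 172.31.34.45 is the real (inside) address; outside users keep sending to the
! old address 192.168.20.10, which the ASA untranslates to 172.31.34.45.
object network NEW-DNS-AS-OLD1
 host 172.31.34.45
 nat (inside,outside) static 192.168.20.10

! Confirm the rule is installed and that a DNS query from an outside user
! (the source/port seen in the 305013 message) takes the expected NAT path.
show nat detail
packet-tracer input outside udp 10.30.116.22 51808 192.168.20.10 53
```

This rule alone is symmetric: the forward flow (to 192.168.20.10) and the reverse flow (from 172.31.34.45) both resolve to the same translation. The usual trigger for the 305013 "Asymmetric NAT rules matched for forward and reverse flows" message in the question is adding further rules that map the same real host 172.31.34.45 to 192.168.20.15 and 10.160.1.4: a query to 192.168.20.15 matches one rule on the way in, but the ASA's reverse-path lookup for 172.31.34.45 toward the user matches the first rule for that real address, so the connection is refused. That is the scaling limit the reply is pointing at, and packet-tracer against each old address is the quickest way to see which rule the reverse path picks.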
