Re: cisco asa network nat dns replies

DraganSkundric87318 · ‎04-22-2025

hi,

I need to NAT one subnet to another from inside to outside, but also to NAT DNS replies for some of the hosts in original subnet. Set of host that needs to be dns_replies_nated is dynamic. Is this possible?

br

Sheraz.Salim · ‎04-22-2025

DNS doctoring is enabled per NAT rule using the dns keyword, e.g

object network MY_HOST
  host 192.168.1.5
  nat (inside,outside) static 10.10.10.5 dns

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/firewall/asa-919-firewall-config/nat-reference.pdf

https://www.petenetlive.com/KB/Article/0001113

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

please do not forget to rate.

MHM Cisco World · ‎04-22-2025

Doctor NAT not work for dynamic it work only for static.

MHM

DraganSkundric87318 · ‎04-23-2025

but is it possible for whole subnet?

MHM Cisco World · ‎04-23-2025

To answer you

When we use DNS ?

If I have server inside and clients outside try to access it and these clients use DNS server which is also inside then we use dns doctor' the FW will NAT reply of DNS from private to public which accpet by outside clients.

So we use DNS doctor for server which use single IP by using static NAT.

MHM

DraganSkundric87318 · ‎04-23-2025

I know, but I need to translate subnet_inside to subnet_outside ... clients use dns to resolve destinations from subnet_ouside. I need to NAT those servers to subnet_inside. List of servers is not fixed so I hoped asa can DNS doctor all resources from subnet_outside that are seen in dns replies

MHM Cisco World · ‎04-23-2025

I dont try before' but if it work then ASA cli will accpet add DNS to end of NAT' if not accept it will show you error message.

MHM