destination redirect via NAT

richard.priest
Level 1

Hi,

Is the subject possible? I would've thought it was, but I'm not getting any success.

Basically I manage a number of users/customers who use a 3rd party's DNS server whose IP is due to change imminently. Rather than going through the laborious process of informing the users they need to change their DNS (and the inevitable fallout when some don't), I'd like to NAT the destination address from its original to the replacement address.

I've tried using a static NAT entry; however, when running packet-tracer I get the UN-NAT rule working fine, but traffic is dropped on an ACL. Packet-tracer output is below.

However, the ACL has a specific rule to allow this traffic in on the interface:

FW2(config)# packet-tracer input test_Environment udp 10.44.126.210 53$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.44.121.203 using egress ifc DNS2

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Test_Environment,any) source static any any destination static DNS1 DNS2
Additional Information:
NAT divert to egress interface DNS2
Untranslate 194.72.7.142/53 to 10.44.121.203/53

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Test_Environment
input-status: up
input-line-status: up
output-interface: DNS2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

FW2(config)#

ACL

access-list DNS-V1588_in; 14 elements; name hash: 0x3ac98ac1
access-list DNS-V1588_in line 1 extended permit icmp object-group DNS-LAN-V1588 any (hitcnt=0) 0x3fc20b44
access-list DNS-V1588_in line 1 extended permit icmp 10.44.121.200 255.255.255.248 any (hitcnt=0) 0xbf0406f8
access-list DNS-V1588_in line 2 extended permit udp object-group DNS-LAN-V1588 object-group DNS-SVRS object-group DNS-UDP (hitcnt=119) 0x837a15ef
access-list DNS-V1588_in line 2 extended permit udp 10.44.121.200 255.255.255.248 host 194.72.7.137 eq domain (hitcnt=0) 0x120fa4b2
access-list DNS-V1588_in line 2 extended permit udp 10.44.121.200 255.255.255.248 host 194.72.7.142 eq domain (hitcnt=0) 0x62cfa190
access-list DNS-V1588_in line 2 extended permit udp 10.44.121.200 255.255.255.248 host 155.231.231.1 eq domain (hitcnt=86) 0x4a08fa05
access-list DNS-V1588_in line 2 extended permit udp 10.44.121.200 255.255.255.248 host 155.231.231.2 eq domain (hitcnt=33) 0x51569702
access-list DNS-V1588_in line 3 extended permit tcp object-group DNS-LAN-V1588 object-group DNS-SVRS object-group DNS-TCP (hitcnt=4) 0x103679f3
access-list DNS-V1588_in line 3 extended permit tcp 10.44.121.200 255.255.255.248 host 194.72.7.137 eq domain (hitcnt=0) 0x67cf86a4
access-list DNS-V1588_in line 3 extended permit tcp 10.44.121.200 255.255.255.248 host 194.72.7.142 eq domain (hitcnt=0) 0xe6af0cca
access-list DNS-V1588_in line 3 extended permit tcp 10.44.121.200 255.255.255.248 host 155.231.231.1 eq domain (hitcnt=2) 0xe2b93571
access-list DNS-V1588_in line 3 extended permit tcp 10.44.121.200 255.255.255.248 host 155.231.231.2 eq domain (hitcnt=2) 0xf1a7744d
access-list DNS-V1588_in line 4 extended permit udp any object-group DM_INLINE_NETWORK_1 object-group DNS-UDP (hitcnt=0) 0x56ad9dac
access-list DNS-V1588_in line 4 extended permit udp any 10.44.121.200 255.255.255.248 eq domain (hitcnt=0) 0x9bb1fabf
access-list DNS-V1588_in line 4 extended permit udp any host 194.72.7.137 eq domain (hitcnt=0) 0xc90043f7
access-list DNS-V1588_in line 4 extended permit udp any host 194.72.7.142 eq domain (hitcnt=0) 0x0433730a
access-list DNS-V1588_in line 4 extended permit udp any host 155.231.231.1 eq domain (hitcnt=0) 0x1f5844a3
access-list DNS-V1588_in line 4 extended permit udp any host 155.231.231.2 eq domain (hitcnt=0) 0xcc1696fc

Really appreciate any assistance; I can't get my head around why the ASA is blocking/rejecting the traffic.

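Since ASA 8.3 the interface ACL is evaluated against the real (untranslated) addresses, so the destination that has to be permitted is the one the UN-NAT phase prints (10.44.121.203), not the mapped address the client sends to (194.72.7.142). The script below is an added example, not code from the post: it parses an excerpt of the packet-tracer output and the expanded ACL lines quoted above and reports which entries cover the flow as the ASA sees it; the source address 10.44.126.210 is taken from the truncated packet-tracer command, and the ACL lines are assumed to be the ones bound to the input interface.

```python
import ipaddress
import re

# Constructed excerpt of the packet-tracer output quoted in the post (phases 2 and 3).
TRACE = ("Phase: 2\nType: UN-NAT\nSubtype: static\nResult: ALLOW\n"
         "Untranslate 194.72.7.142/53 to 10.44.121.203/53\n\n"
         "Phase: 3\nType: ACCESS-LIST\nSubtype:\nResult: DROP\nConfig:\nImplicit Rule\n")
# Expanded entries (the ones carrying hitcnt) copied from the post's 'show access-list' output.
ACL = [
    "access-list DNS-V1588_in line 2 extended permit udp 10.44.121.200 255.255.255.248 host 194.72.7.142 eq domain (hitcnt=0) 0x62cfa190",
    "access-list DNS-V1588_in line 4 extended permit udp any 10.44.121.200 255.255.255.248 eq domain (hitcnt=0) 0x9bb1fabf",
    "access-list DNS-V1588_in line 4 extended permit udp any host 194.72.7.142 eq domain (hitcnt=0) 0x0433730a",
]
ACE = re.compile(r"^access-list \S+ line (\d+) extended (permit|deny) (\w+) (.+?)(?: \(hitcnt=\d+\))? 0x[0-9a-f]+$")
PORTS = {"domain": 53}  # ASA port keywords used on this page

def parse_trace(trace):
    """Return (type of the first DROP phase, real dst IP, real dst port) from packet-tracer output."""
    drop = re.search(r"Type: (\S+)\n(?:Subtype:.*\n)?Result: DROP", trace)
    nat = re.search(r"Untranslate \S+ to (\d+\.\d+\.\d+\.\d+)/(\d+)", trace)
    return (drop.group(1) if drop else None), nat.group(1), int(nat.group(2))

def parse_addr(tokens):
    """Consume one ASA address spec (any | host X | X MASK) and return it as an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def matching_entries(acl, proto, src_ip, dst_ip, dport):
    """(line, action) of every expanded ACE that matches the flow as the ASA sees it after UN-NAT."""
    src, dst, hits = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), []
    for entry in acl:
        m = ACE.match(entry)
        if not m or "object-group" in m.group(4):  # skip non-ACE text and unexpanded group lines
            continue
        toks = m.group(4).split()
        a_src, a_dst = parse_addr(toks), parse_addr(toks)
        port = (PORTS.get(toks[1]) or int(toks[1])) if toks[:1] == ["eq"] else None
        if m.group(3) == proto and src in a_src and dst in a_dst and port in (None, dport):
            hits.append((int(m.group(1)), m.group(2)))
    return hits

def analyse(trace=TRACE, acl=ACL, src_ip="10.44.126.210"):
    """Drop phase plus the ACL entries that cover the real (untranslated) destination."""
    drop, dst_ip, dport = parse_trace(trace)
    return {"drop_phase": drop, "real_dst": f"{dst_ip}/{dport}",
            "matches": matching_entries(acl, "udp", src_ip, dst_ip, dport)}
```

The report only says whether the listed ACL has an entry for the post-UN-NAT flow; the ACCESS-LIST phase consults the ACL bound to the input interface (here Test_Environment) with access-group, so confirm with 'show running-config access-group' that DNS-V1588_in is the one in force there.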