DNS doctoring in 8.4

Matthew
Beginner

I currently have a NAT statement on my firewall for a public facing server which looks like this:

nat (any,any) source static any any destination static server_ext_ip server_int_ip

Typically I believe this would be better off as an object NAT, but for now this works; however, I need my inside clients to access this server via its external/public IP. I am using an external DNS server. Would simply adding the "dns" command at the end of this solve my issue?

Accepted Solution

Marius Gunnerud
VIP Advisor

If the URL your users are using to access the server resolves to the public IP and your DNS server is external, then adding the dns keyword at the end of the NAT statement will solve your issue.

Also keep in mind that if the server is located off a different ASA interface (i.e. in a DMZ) then you need to make sure that your inside interface ACL permits traffic to the private IP of the server.

--

Please remember to select a correct answer and rate helpful posts


3 Replies

Henrik Grankvist
Enthusiast

Hi

If you want users to access the server through the public IP, just leave it as it is. DNS rewrite rewrites the DNS response so that users can access the server through the local IP address instead of the public one.


I applied the "dns" command to my NAT statements and it is now working as needed. I did have to change the statement from:

nat (any,any) source static any any destination static server_ext_ip server_int_ip

to

nat (any,any) source static server_ext_ip server_int_ip dns
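To make concrete what the dns keyword in the accepted answer does to a reply from the external DNS server, here is an added illustration in Python; it is not ASA code and not from any poster in this thread. It parses a DNS response, finds A records carrying the mapped (public) address and swaps in the real (private) address, the same in-place rewrite the firewall performs on a reply that crosses the NAT rule. The addresses 203.0.113.10 and 10.1.1.10 are constructed stand-ins for server_ext_ip and server_int_ip, and build_a_reply only exists to fabricate a sample response.

```python
import struct
import ipaddress

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles 0xC0 compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length

def a_record_offsets(msg):
    """Yield (rdata_offset, dotted_address) for each IN A record in the answer section."""
    qd, an = struct.unpack_from("!HH", msg, 4)          # QDCOUNT, ANCOUNT
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        off += rdlen

def doctor_dns_reply(msg, mapped_ip, real_ip):
    """Rewrite A records equal to mapped_ip (public) to real_ip (private), as the
    'dns' keyword does for a reply crossing the NAT rule. Returns (new_msg, count)."""
    buf, real, count = bytearray(msg), ipaddress.IPv4Address(real_ip).packed, 0
    for off, addr in list(a_record_offsets(msg)):
        if addr == mapped_ip:
            buf[off:off + 4] = real                     # same length, so no re-encoding
            count += 1
    return bytes(buf), count

def _name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_a_reply(name, ips, txid=0x1234):
    """Constructed sample reply: one question, one A record per address (TTL 300).
    Use 203.0.113.10 as the stand-in for server_ext_ip, 10.1.1.10 for server_int_ip."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    return hdr + question + answers
```

On the ASA this rewrite only happens when DNS inspection is enabled in the service policy (it is in the default global policy), so if the dns keyword seems to have no effect that is the first thing to check.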
