05-09-2017 08:11 AM - edited 03-12-2019 02:20 AM
I am looking to achieve the following -
Internal Client with Internal address but Public DNS server.
The default GW of Internal client is an ASA.
Is there a way for the ASA to "intercept" the DNS lookup of a certain FQDN (e.g. Guest.company.com), which is only resolvable via my internal DNS servers, and forward this request to one of those servers?
DNS doctoring seems to look at the return IP addresses from public DNS servers and then do some magic based on that. I need to have the ASA recognise an FQDN within the initial DNS request and send that request to an internal server.
05-09-2017 09:00 AM
Hello,
Your question is not clear. Could you please give an example with IP addresses? That would make it clearer: who is the client (source), where is the web server (public IP and real IP), where is the DNS server, etc.
-AJ
05-09-2017 09:10 AM
Scenario in which I would be using this (ISE/CWA):
Client connects to the Guest SSID.
Client receives public DNS servers as part of its DHCP config.
As part of my ISE policy, the client will ultimately receive a CWA URL which is only resolvable by my internal DNS servers.
The client will do a DNS lookup for that URL, which will be sent to the client's public DNS servers (this traffic will traverse the ASA as it is the client's GW).
I want the ASA to be able to intercept this DNS request before it goes outside and direct it to my internal DNS.
I know I can use the IP in the CWA redirect, but this is something I prefer not to do. I would like to achieve the above if possible.
05-09-2017 09:23 AM
Well, we can do that, but it would not be conditional. It will redirect all requests going to the external DNS server to the internal DNS server. We will have to create a static NAT, something like:
nat (inside,inside) source dynamic any interface destination static obj-2.2.2.2 obj-1.1.1.1
where obj-1.1.1.1 is the internal DNS server IP address and
obj-2.2.2.2 is the external DNS server IP address.
We are creating this dummy NAT entry so that when traffic comes to the inside interface for 2.2.2.2 (external DNS server), the source gets translated to the inside interface and the destination gets un-NATed to 1.1.1.1 (internal DNS server). The reason for PATing the source address is to ensure that the reply packet comes back to the ASA and there is no asymmetric routing. Since this is UDP traffic, I believe it should work without the source NAT as well, but try it with the source NAT first if there is no issue with that.
** Try to add this NAT at line 1. We would want to make sure that this takes preference.
Also, add the command below to allow u-turn:
same-security-traffic permit intra-interface
HTH
-AJ
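A complete configuration for the u-turn NAT approach in the answer above, written here as an added example and not taken from the thread. The object names and the 1.1.1.1 (internal DNS) / 2.2.2.2 (public DNS) addresses follow the post; the inside interface addressing, the client address used for the packet-tracer check, and the service object that limits the rule to UDP/53 are assumptions added so that non-DNS traffic to 2.2.2.2 is left alone.

```cisco
! Added example, not the poster's own config.
! Assumed: inside interface 10.0.0.1/24, guest client 10.0.0.50,
! internal DNS 1.1.1.1 (obj-1.1.1.1), public DNS handed out by DHCP 2.2.2.2 (obj-2.2.2.2).
!
! Allow traffic to enter and leave the same interface (the u-turn).
same-security-traffic permit intra-interface
!
object network obj-1.1.1.1
 host 1.1.1.1
 description Internal DNS server (real address)
object network obj-2.2.2.2
 host 2.2.2.2
 description Public DNS server given to guests (mapped address)
object service dns-udp
 service udp destination eq domain
!
! Twice NAT at line 1 so it takes precedence over broader rules.
! Order is: source dynamic <real> <mapped> destination static <mapped> <real> service <mapped> <real>
! A guest packet to 2.2.2.2:53 has its destination un-NATed to 1.1.1.1:53 and its
! source PATed to the inside interface, so the reply comes back through the ASA
! rather than directly to the client (no asymmetric routing).
nat (inside,inside) 1 source dynamic any interface destination static obj-2.2.2.2 obj-1.1.1.1 service dns-udp dns-udp
!
! Checks (exec mode): trace a guest DNS query and confirm the NAT phase
! rewrites the destination to 1.1.1.1, then confirm the rule is hitting.
! packet-tracer input inside udp 10.0.0.50 53000 2.2.2.2 53
! show nat detail
```

As the answer notes, this is not conditional on the queried name: every UDP/53 query from a guest to 2.2.2.2 lands on the internal server, and each additional public resolver the guests might use needs its own network object and NAT line.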
05-09-2017 11:09 AM
If you have a SourceFire module on your ASA firewall, you can use an option called Sinkhole to achieve this.
http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01011101.html#concept_FFB4BE7AF2914BAD9CFF278BCCBC523C
05-17-2017 12:18 AM
Hi Grant,
I solved this issue in this way:
My CWA URL is something like guest@mycomain.com, so I asked my ISP to publish this DNS record to a public IP address (obviously from my own public addresses), let's say this address is 1.1.1.1. So guest users obtaining public DNS servers are now resolving guest@mycomain.com to IP 1.1.1.1, but the Guest page is not really published, so it is not reachable from outside, and this is something we want!
Then I configured DNS doctoring as per this link:
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
and all is fine!
You can also use public IP addresses not directly connected to your ASA firewall.
Hope this helps,
Regards
05-09-2017 10:44 AM