DNS Doctoring on ASA 5510

parvezahmad90 · ‎05-29-2013

Hello,

I have email server which has private IP address 192.168.50.10 and Public IP 87.39.240.239.

From inside I can ping 192.168.50.10 but can not ping 87.39.240.239.

But from internet I can ping 87.39.240.239 and can access email server.

I have allowed "permit ip any any" on inside and outside interface for testing. I have below entries

static (inside,outside) 87.39.240.238 192.168.50.10 netmask 255.255.255.255 dns

static (inside,inside) 87.39.240.238 192.168.50.10 netmask 255.255.255.255 dns

I removed dns key word and test it, still not working from outside email server is working fine.

Please advise on this issue.How I can access email server via public IP address.( Internal DNS server is configured for email url with Public IP address

87.39.240.239)?

Regards,

Parvez

mvsheik123 · ‎05-29-2013

Hi Parvez,

You may also need to enable DNS inspection (if not done already). Check the below link..

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Thx

MS

Jouni Forss · ‎05-29-2013

Hi,

Either the internal DNS server has to return the local IP address of the server (since ASA cant do DNS doctoring as it doesnt see the DNS query and reply) or you will have to add some configurations to make it possible for the LAN host to access the server with its public NAT IP address.

If you for example have this Dynamic PAT configuration at the moment

global (outside) 1 interface

nat (inside) 1 192.168.50.0 255.255.255.0

THEN you could add

global (inside) 1 interface

and

same-security-traffic permit intra-interface

and you might possibly now be able to access the server with its public IP address from the LAN.

You will naturally need the Static NAT configurations you mention above also

- Jouni