02-17-2015 10:55 AM - edited 03-11-2019 10:30 PM
I have looked at the following article on DNS doctoring and while it makes sense, it doesn't cover my scenario.
https://supportforums.cisco.com/document/145401/dns-doctoring-and-u-turning-asa-when-and-how-use-it
Basically I have an exchange server that is in my inside network and I have a NAT on the exchange box to the outside currently. I also have a DMZ area for a wireless guest network defined on the ASA. When a smartphone connects to the guest wireless their exchange email stops syncing because U-turn is disabled on the firewall by default. Is it possible to use DNS doctoring on the Public DMZ to translate my exchange box to its inside address?
02-17-2015 11:32 AM
Yes it is. Try adding the keyword dns to the end of your NAT translation.
02-17-2015 11:42 AM
Ok, so I have the following NATs:
static (inside,outside) tcp interface https 192.168.0.2 https netmask 255.255.255.255 dns
static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255
The machines in the public DMZ still get the outside interface IP when looking up my exchange box. It's not doctoring the request from the public to the exchange box.
02-17-2015 01:17 PM
Is 'public' your DMZ interface? If so, you don't need static (inside, public) 192.168.0.2 192.168.0.2 netmask 255.255.255.255
02-17-2015 01:29 PM
That did it! So how do the public addresses get translated to the inside exchange box, or do they?
02-17-2015 01:42 PM
Traffic from the DNS gets read by the ASA and would normally be routed out to the internet, but the ASA does a lookup and sees that there is a translation for it. It then looks up the NAT and routes it to the inside IP. Glad to hear it's working.
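As an added illustration (not from the thread or from Cisco), here is a Python model of the rewrite step described above: the A record in a DNS reply is compared against the static translation's mapped address and, when it matches, rewritten to the real inside address, which is what the dns keyword on the xlate tells the ASA to do. The 9.9.9.9 outside address is the placeholder used later in the thread, and the hostname and NAT table are constructed for the example.

```python
import struct
import socket

# Constructed NAT table: mapped (outside) address -> real (inside) address, mirroring the
# thread's "static ... 192.168.0.2 ... dns" xlate with 9.9.9.9 as the placeholder outside IP.
NAT_TABLE = {"9.9.9.9": "192.168.0.2"}

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(msg, nat_table=NAT_TABLE):
    """Rewrite A-record rdata that equals a mapped address to the real address.
    Returns (new_message, [(mapped, real), ...]); the message length is unchanged."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):             # skip the question section
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    rewrites = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:    # A record: inspect and possibly rewrite
            mapped = socket.inet_ntoa(msg[off:off + 4])
            if mapped in nat_table:
                out[off:off + 4] = socket.inet_aton(nat_table[mapped])
                rewrites.append((mapped, nat_table[mapped]))
        off += rdlen                     # other types (AAAA, CNAME, ...) pass untouched
    return bytes(out), rewrites

def build_reply(name, ip, ttl=300):
    """Constructed sample: a minimal DNS response with one question and one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

if __name__ == "__main__":
    doctored, changes = doctor_dns_reply(build_reply("mail.example.com", "9.9.9.9"))
    print(changes)   # [('9.9.9.9', '192.168.0.2')]
```

A reply whose A record does not match any mapped address passes through byte-for-byte, which is the behaviour you would expect for hosts that are not behind a translation with the dns keyword.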
02-17-2015 01:44 PM
Ah, I see. So the NAT it is using is the one that has the DNS re-write now?
02-17-2015 01:33 PM
Hi Phil,
Let's assume that your outside interface IP address is 9.9.9.9:
static (inside, public) 9.9.9.9 192.168.0.2 netmask 255.255.255.255
Hope this helps.
thanks
Rizwan Rafeek.
02-17-2015 01:42 PM
That's what I don't understand. The only public DMZ NAT that I have is dynamic to the outside interface.
nat (Public) 10 0.0.0.0 0.0.0.0
I don't have any other nat to the public DMZ interface.