04-06-2010 03:49 AM - edited 03-11-2019 10:29 AM
Hey Everyone,
I am facing a DNS issue due to NAT. I think DNS doctoring can solve this, but the scenario is a little different so I am not sure of the exact solution.
Attached is the network diagram. Exchange Server, DNS and Domain Controller are all located on a single physical server which has the IP 172.20.10.100. Both the server and the internal users reside on the inside subnet. In the DNS the name-to-IP mapping is, for example, srv.abc.com -> 172.20.10.100. The inside users have no connectivity issue.
The server is translated to 192.168.100.20 when accessing the outside network; this is a static translation:
static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255
When the Branch users try to resolve srv.abc.com they get the mapping to 172.20.10.100, which does not allow communication by name, as Branch users cannot access 172.20.10.100 but they can access 192.168.100.20.
What needs to be configured on the ASA to resolve this issue?
Will this work?
static (Inside,Outside) 192.168.100.20 172.20.10.100 netmask 255.255.255.255 dns
Thanks
Zeeshan
04-06-2010 04:07 AM
Yes, dns doctoring will work as long as the branch user uses 192.168.100.20 as its dns server for dns resolution.
04-06-2010 06:07 AM
It didn't work. I specified the command using the dns keyword and flushed the DNS on the Branch host; the host still resolves the name of the server to 172.20.10.100. Is there anything else which needs to be done?
Thanks
Zeeshan Sanaullah
04-06-2010 06:17 AM
Is the user using the public ip address of the HQ dns server for dns resolution? It will only work if the dns request passes through the HQ ASA where the static with "dns" keyword is configured, and the reply goes back through the ASA as well.
Can you please confirm what DNS server is used at your branch host?
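To make concrete what the ASA does to a reply that meets the condition above (crosses the static carrying the "dns" keyword with inspect dns active), here is a small Python model written for this thread; it is not Cisco code or anything posted by the participants. It walks a DNS response, and for every A record whose address equals the real inside address it substitutes the translated address; the srv.abc.com reply, the two addresses and all function names are constructed for the illustration.

```python
import struct

# The static from the question (constructed defaults): real IP -> translated IP.
INSIDE_IP, OUTSIDE_IP = "172.20.10.100", "192.168.100.20"

def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def _skip_name(msg, off):
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length

def doctor_response(msg, inside_ip=INSIDE_IP, outside_ip=OUTSIDE_IP):
    """Rewrite every A record equal to inside_ip with outside_ip, which is what
    the ASA does to a reply crossing a 'dns' static when inspect dns is enabled.
    Returns (rewritten message, number of records changed)."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack_from("!HH", out, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(out, off) + 4  # skip QTYPE and QCLASS
    rewritten = 0
    for _ in range(ancount):
        off = _skip_name(out, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", out, off)
        off += 10
        if rtype == 1 and rdlen == 4 and bytes(out[off:off + 4]) == _ip_bytes(inside_ip):
            out[off:off + 4] = _ip_bytes(outside_ip)
            rewritten += 1
        off += rdlen
    return bytes(out), rewritten

def build_a_response(name, ip, txid=0x1234):
    """Constructed sample reply: one question and one A answer using a name pointer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip_bytes(ip)
    return header + labels + struct.pack("!HH", 1, 1) + answer

def answered_ip(msg):
    """Dotted IPv4 of the first answer's A record (one question assumed)."""
    off = _skip_name(msg, _skip_name(msg, 12) + 4) + 10
    return ".".join(str(b) for b in msg[off:off + 4])
```

A reply that is resolved from a server the client reaches without crossing the ASA never enters this rewrite, which is why the branch host's DNS server choice matters.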
04-06-2010 06:37 AM
The Branch user has 192.168.100.20 configured as the DNS server. Yes, the DNS request passes through the ASA.
04-06-2010 08:21 PM
Is dns inspection also enabled on the HQ ASA?
04-06-2010 11:31 PM
DNS inspection is on, as shown below:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect esmtp
  inspect dns
  inspect http
04-07-2010 05:00 AM
Remove the "dns" keyword from the static. This should resolve the issue.
The inside hosts are getting resolution from the inside DNS and they are working fine.
The outside folks do not need to get the inside IP upon resolving, so remove the dns keyword from the static.
-KS
04-07-2010 08:21 AM
@kusankar
The actual configuration is without the dns keyword. I added the dns keyword to see if the issue resolves, but it did not.
When outside hosts resolve srv.abc.com they get 172.20.10.100, but they should get 192.168.100.20 after the dns keyword is entered.
@halijenn
The ASA OS version is 7.07. Can it be a software issue?
Thanks
Zeeshan
04-07-2010 08:30 AM
Can you temporarily just remove dns inspection and see if this works? If it does, then we can exclude dns inspection for this remote network and add dns inspection for all other traffic.
-KS