05-13-2015 06:01 AM - edited 03-11-2019 10:55 PM
Hi Team,
I would like to know the procedure or any documents on how to create a NAT rule for DNS. And also explain to me what DNS NAT is and in which scenario we need to implement DNS NAT.
Please confirm whether DNS NAT and DNS ALG are the same?
05-13-2015 06:31 AM
This is probably what you are looking for if you are interested in the ASA:
DNS NAT is a function that could be implemented on a DNS ALG, but they are not automatically the same.
05-14-2015 05:27 AM
Thank you very much for the update.
Do you have any procedure/document on how to implement DNS NAT in a Cisco router?
05-18-2015 04:14 AM
Hi Karsten,
Please share any sample configuration for DNS NAT in Cisco with me.
05-18-2015 04:19 AM
A config sample is in the above link.
05-18-2015 05:55 AM
Thanks for the update. Can you please help me with the configuration for the below setup?
Please find the attached setup for your reference.
When a user in the A network tries to access one of the servers (abc.com) in the B network via hostname, the packet first hits the A N/W DNS requesting the abc.com IP address. They will then forward the request to the B N/W DNS for the IP address. It returns the IP address, say for example 10.1.1.5, for the respective hostname. But we are already using 10.1.1.0/24 in the A N/W. In that case we need to do the NAT in the firewall. How do we implement DNS NAT in the Cisco ASA firewall?
Can you please share the configuration for how to implement this setup?
05-18-2015 06:40 AM
It's homework, isn't it?
There are multiple problems in that task:
1) Translating DNS replies is not enough. You also need to translate the 10.1.1.0 network in both directions (double NAT).
2) The next part is that DNS replies need to resolve to a different address. This is exactly a scenario in the referenced link which doesn't work easily on the ASA. For that, DNS views can be configured on the DNS server. With DNS views, the server returns different A records based on the source IP of the query.
05-18-2015 09:36 AM
Thanks for the inputs, Karsten.
I understand the first step you mentioned: we need to do the NAT in both directions.
The second step is very hard to understand in order to proceed. The reference link which you gave is also not clear on how to do the config.
I will prepare the config and share it with you. Please review.
05-18-2015 10:29 AM
Please find below the config for your review. Please correct me if I am wrong. The DNS NAT config is highlighted. My requirement is that when a user accesses the server via hostname, 192.168.1.5 (abc.com) should be NATted to 10.10.20.5.
hostname ASA1
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address y.y.y.y 255.255.255.252
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
object network inside-mapped-network
subnet 10.10.10.0 255.255.255.0
!
object network inside-real-network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static inside-mapped-network
!
access-list CRYPTO_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
route outside 10.10.20.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer 41.1.1.2
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
hostname ASA2
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address Y.Y.Y.Y 255.255.255.252
no shut
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
!
object network inside-mapped-network
subnet 10.10.20.0 255.255.255.0
!
object network inside-real-network
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) static inside-mapped-network
!
! Twice NAT (source static) takes network objects, not bare addresses.
! The dns keyword rewrites A records in DNS replies that carry the real address
! (needs inspect dns in the global policy below).
object network server-real
host 192.168.1.5
object network server-mapped
host 10.10.20.5
nat (inside,outside) source static server-real server-mapped dns
!
policy-map global_policy
class inspection_default
inspect dns
!
access-list CRYPTO_ACL extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
route outside 10.10.10.0 255.255.255.0 Y.Y.Y.Y
!
crypto ipsec ikev1 transform-set TRANS_SET esp-3des esp-md5-hmac
crypto map CRYP_MAP 10 match address CRYPTO_ACL
crypto map CRYP_MAP 10 set peer Y.Y.Y.Y
crypto map CRYP_MAP 10 set ikev1 transform-set TRANS_SET
crypto map CRYP_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
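The following is an added example, not code from this thread or from Cisco: a minimal model of what the ASA's NAT `dns` keyword does once `inspect dns` is enabled, i.e. the "DNS replies need to resolve to a different address" step Karsten describes. It takes the static mapping from the posted ASA2 config (real 192.168.1.0/24 to mapped 10.10.20.0/24), walks a DNS response, and rewrites only the A records whose address lies in the real subnet, so a client on the A side sees 10.10.20.5 for abc.com instead of 192.168.1.5. The response for abc.com is constructed inline as test data (the second answer, 172.16.0.9, is made up to show that records outside the real subnet pass through untouched); it is a simplified model and does not reproduce everything the ASA's inspection engine does.

```python
"""Model of ASA-style DNS rewrite (the NAT 'dns' keyword) for the mapping in the
posted ASA2 config. Added example; the DNS message below is constructed test data."""
import ipaddress
import struct

# Static NAT from the posted ASA2 config (assumed unchanged from the thread).
REAL_NET = ipaddress.ip_network("192.168.1.0/24")
MAPPED_NET = ipaddress.ip_network("10.10.20.0/24")


def translate(addr, real=REAL_NET, mapped=MAPPED_NET):
    """Real -> mapped address with the same host offset; None if addr is outside the real subnet."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in real:
        return None
    offset = int(ip) - int(real.network_address)
    return str(ipaddress.IPv4Address(int(mapped.network_address) + offset))


def skip_name(msg, off):
    """Return the offset just past the DNS name starting at msg[off], handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def a_record_offsets(msg):
    """Yield the RDATA offset of every IN A record in the answer, authority and additional sections."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answer_addresses(msg):
    """All A-record addresses in a DNS message, in wire order."""
    return [str(ipaddress.IPv4Address(msg[o:o + 4])) for o in a_record_offsets(msg)]


def rewrite_dns_reply(msg):
    """Apply the static NAT to A records in a response; queries and non-matching records pass unchanged."""
    (flags,) = struct.unpack("!H", msg[2:4])
    if not flags & 0x8000:                  # QR bit clear: this is a query, nothing to rewrite
        return msg
    out = bytearray(msg)
    for o in a_record_offsets(msg):
        mapped = translate(str(ipaddress.IPv4Address(msg[o:o + 4])))
        if mapped is not None:
            out[o:o + 4] = ipaddress.IPv4Address(mapped).packed   # same length, offsets stay valid
    return bytes(out)


def build_reply(qname, answers, txid=0x1234):
    """Construct a DNS response (test data): one question plus one A record per (ip, ttl) pair."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR=1, RD=1, RA=1
    question = encode(qname) + struct.pack("!HH", 1, 1)                    # QTYPE A, QCLASS IN
    rrs = b""
    for ip, ttl in answers:
        rrs += b"\xc0\x0c"                                                 # name = pointer to the question name
        rrs += struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs


if __name__ == "__main__":
    reply = build_reply("abc.com", [("192.168.1.5", 300), ("172.16.0.9", 300)])
    print("reply from B-side DNS:   ", answer_addresses(reply))
    print("after ASA2 dns rewrite:  ", answer_addresses(rewrite_dns_reply(reply)))
```

The rewrite only changes 4-byte RDATA in place, so the message length and every compression pointer stay valid, which is why a firewall can do this without re-encoding the packet. Note what this does not solve: the B-side DNS server still hands out 192.168.1.5 to its own clients, and the reverse (A-to-B) direction of the double NAT must be configured separately, as Karsten pointed out.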