DNS Rewrite/Translate DNS reply issue on ASA 5510

m1xed0s
Spotlight

I have two pairs of ASA 5510 running 8.4(6) for two different networks. I configured a 1-to-1 NAT rule on each pair for an internal server and enabled the option "Translate DNS reply". However, it seems like the rule is working on one pair but not the other.

Here are some details of the setup (8.8.8.8 is used as the DNS server on the client in both setups).

For first pair,

The internal server is at 172.16.1.100; the client is at 172.16.2.100. Their default gateway is 172.16.x.1 on the same core switch/router, which routes outbound traffic to the ASA LAN interface at 10.1.1.1. The ASA maps the server to 1.2.3.4 on the internet with the FQDN web1.abc.com.

If I configure 8.8.8.8 as the DNS server on the client and then try to reach web1.abc.com, it still resolves to 1.2.3.4 instead of 172.16.1.100, as I expected with "Translate DNS reply" turned on inside the NAT rule.

For the second pair,

The server is at 172.16.1.100 and connected to the ASA DMZ interface. The client is at 172.16.2.100 on the LAN interface. The ASA is the default gateway. The ASA maps the server to 1.2.3.5 on the internet as web2.abc.com.

If I configure 8.8.8.8 as the DNS server on the client and then try to reach web2.abc.com, the FQDN resolves to 172.16.1.100 as expected.

So I guess: will the difference between the two setups break the DNS Rewrite/Translate DNS reply functionality?

Please advise.

8 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Are the NAT and service-policy on the ASA device which is not working correctly?

Can you post the relevant configuration ?

Thanks and Regards,

Vibhor Amrodia

Here is the configuration I have on the first ASA pair.

object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (LAN,INTERNET) static 1.2.3.4 dns

For the second pair.

object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (DMZ,INTERNET) static 1.2.3.4 dns

Let me know if anything further is required.

Hi,

I think you actually answered the query in your previous post.

As per your description, the first pair has the client and server connected to the same physical interface. If this is the case, the DNS query would never even traverse the ASA device and hence the rewrite will never work.

For it to work, you need to have the DNS server and client behind different interfaces or in different broadcast domains.

Thanks and Regards,

Vibhor Amrodia

I mean the web server not the DNS server.

In both my setups, I use 8.8.8.8 as the DNS server.

Regardless of whether the ASA is the default gateway or the L3 switch is the default gateway, the ASA should rewrite the DNS request. If both ASA configurations are exactly the same, I would look into a possible routing issue on the switch for the first pair.

--

Please remember to select a correct answer and rate helpful posts

They are not 100% the same actually. The first pair has client and server connected to the same physical interface while the second pair has client on LAN and server on DMZ physical interfaces.

What I meant is if the DHCP setup is the same, in that both use 8.8.8.8 as the DNS server, then the DNS query will transit the ASA and the ASA should rewrite the DNS reply to the private IP of the server. This means that you will also need to make sure that traffic from the local LAN to the private IP of the server is permitted in the ACL on the LAN interface if that traffic goes through the ASA again to reach the server (if it isn't already permitted, that is).

--

Please remember to select a correct answer and rate helpful posts

Found the issue. DNS inspection was not turned on on the first pair... Now I have to do a change request to enable DNS inspection...
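The missing piece named in the last post, as an added example that is not the poster's configuration or Cisco's: an ASA 8.4 configuration that pairs the first pair's NAT rule with the DNS inspection the dns keyword depends on, followed by the show commands that confirm both are active. Interface names LAN/INTERNET and the addresses are taken from the thread; the policy-map and class-map names are the ASA 8.4 defaults.

```cisco
! Added example, not configuration from this thread. Interface names and
! addresses are the poster's; policy names are the ASA 8.4 defaults.
!
! 1) Static 1-to-1 NAT with DNS rewrite ("Translate DNS reply" in ASDM).
!    The dns keyword only marks the xlate; it does nothing by itself.
object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (LAN,INTERNET) static 1.2.3.4 dns
!
! 2) DNS inspection. Without "inspect dns" in a policy applied to the path
!    the reply takes (INTERNET -> LAN here), the A record from 8.8.8.8 is
!    passed through untouched and the client keeps resolving 1.2.3.4.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! 3) Checks after the change request is applied:
!    - the global policy lists "Inspect: dns preset_dns_map" (if the class is
!      absent or the service-policy is not applied, that is the fault);
!    - the NAT rule is shown with its dns flag and a hit count;
!    - the dns inspection packet counter increments while a client resolves
!      web1.abc.com, proving the reply actually traversed the ASA.
show service-policy global
show nat detail
show service-policy inspect dns
!
! Second-pair reminder from the thread: when the rewritten reply sends the
! client through the ASA to 172.16.1.100 on DMZ, any ACL applied inbound on
! LAN must permit that traffic to the private address, not only to 1.2.3.5.
```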
