03-26-2015 06:47 AM - edited 03-11-2019 10:42 PM
I have two pairs of ASA 5510 running 8.4(6) for two different networks. I configured a 1-to-1 NAT rule on each pair for an internal server and enabled the option "Translate DNS reply". However, it seems like the rule is working on one pair but not the other.
Here is a semi-detailed description of the setup (8.8.8.8 is used as the DNS server on the client in both setups).
For the first pair,
The internal server is at 172.16.1.100; the client is at 172.16.2.100. Their default gateway is 172.16.x.1 on the same core switch/router, which routes outbound traffic to the ASA LAN interface at 10.1.1.1. The ASA maps the server to 1.2.3.4 on the Internet with FQDN web1.abc.com.
If I configure 8.8.8.8 as the DNS server on the client and then try to reach web1.abc.com, it still resolves to 1.2.3.4 instead of 172.16.1.100 as expected with "Translate DNS reply" turned on inside the NAT rule.
For the second pair,
The server is at 172.16.1.100 and connected to the ASA DMZ interface. The client is at 172.16.2.100 on the LAN interface. The ASA is the default gateway. The ASA maps the server to 1.2.3.5 on the Internet with FQDN web2.abc.com.
If I configure 8.8.8.8 as the DNS server on the client and then try to reach web2.abc.com, the FQDN resolves to 172.16.1.100 as expected.
So I guess my question is: will the difference between the two setups break the DNS Rewrite/Translate DNS reply functionality?
Please advise.
03-27-2015 06:12 AM
Hi,
Are the NAT and service-policy on the ASA device which is not working correctly?
Can you post the relevant configuration?
Thanks and Regards,
Vibhor Amrodia
03-30-2015 04:51 AM
Here is the configuration I have on the first ASA pair.
object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (LAN,INTERNET) static 1.2.3.4 dns
For the second pair.
object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (DMZ,INTERNET) static 1.2.3.4 dns
Let me know if anything further is required.
03-30-2015 04:56 AM
Hi,
I think you actually answered the query in your previous post.
As per your description, the first pair has the client and server connected to the same physical interface. If this is the case, the DNS query would never even traverse the ASA device and hence the rewrite will never work.
For it to work, you need to have the DNS server and client behind different interfaces or in different broadcast domains.
Thanks and Regards,
Vibhor Amrodia
03-30-2015 10:42 AM
I mean the web server not the DNS server.
In both my setups, I use 8.8.8.8 as the DNS server.
03-28-2015 02:14 PM
Regardless of whether the ASA is the default gateway or the L3 switch is the default gateway, the ASA should rewrite the DNS request. If both ASA configurations are exactly the same, I would look into a possible routing issue on the switch for the first pair.
--
Please remember to select a correct answer and rate helpful posts
03-30-2015 04:39 AM
They are not 100% the same actually. The first pair has client and server connected to the same physical interface while the second pair has client on LAN and server on DMZ physical interfaces.
03-30-2015 12:33 PM
What I meant is, if the DHCP setup is the same, in that both use 8.8.8.8 as the DNS server, then the DNS query will transit the ASA and the ASA should rewrite the DNS reply to the private IP of the server. This means that you will also need to make sure that traffic from the local LAN to the private IP of the server is permitted in the ACL on the LAN interface if that traffic goes through the ASA again to reach the server (if it isn't already permitted, that is).
--
Please remember to select a correct answer and rate helpful posts
03-30-2015 12:57 PM
Found the issue. DNS inspection was not turned on on the first pair... Now I have to do a change request to enable DNS inspection...
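As an added illustration (not configuration posted in this thread), here are the pieces that must all be present on an ASA for DNS rewrite to work: the static NAT with the dns keyword as posted above, plus DNS inspection applied by the service policy on the path the DNS reply takes. The interface names and addresses are taken from the first pair above; the class-map and policy-map names are the ASA defaults.

```text
! Static 1:1 NAT with DNS rewrite (the part the first pair already had)
object network 172.16.1.100-1to1-NAT
 host 172.16.1.100
 nat (LAN,INTERNET) static 1.2.3.4 dns
!
! DNS inspection (the part that was missing on the first pair).
! The "dns" keyword on the NAT rule only takes effect when the DNS
! reply is inspected; the inspection engine is what rewrites the
! A record from 1.2.3.4 back to 172.16.1.100 for the inside client.
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Verification after the change: the first command shows whether DNS
! inspection is active and counting packets; the second shows the NAT
! rule's translate/untranslate hit counters when the client resolves
! web1.abc.com via 8.8.8.8.
show service-policy inspect dns
show nat detail
```

The DNS reply can only be rewritten if it actually passes through the ASA, so this also assumes the client's DNS query to 8.8.8.8 is routed out via the LAN interface rather than resolved by a server on the same segment.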