02-02-2010 07:39 AM - edited 03-11-2019 10:04 AM
Hi All,
I have internal servers on the same segment with internal machines.
When I use an ASA to provide Internet, I can use a DNS rewrite function for the servers, so that the inside network can reach the inside servers with the private address (using a public DNS).
So, for example I have an internal server 10.1.1.1
I have the static NAT:
static (inside,outside) 20.1.1.1 10.1.1.1 dns
So, when an inside computer tries to get to mycompany.com, it sends a request to the public DNS, which resolves the public IP address, but when the reply comes through the ASA, the ASA translates the DNS reply to the 10.1.1.1 address (and I can reach the server fine).
My question is:
Instead of an ASA, I have a Router 2821 12.4(24)T
Is there a way to accomplish the DNS rewrite function on the router?
ARENAS-CENTRAL(config)#ip nat inside source static 10.1.1.1 20.1.1.1 ?
extendable Extend this translation when used
mapping-id Associate a mapping id to this mapping
no-alias Do not create an alias for the global address
no-payload No translation of embedded address/port in the payload
redundancy NAT redundancy operation
route-map Specify route-map
vrf Specify vrf
<cr>
ARENAS-CENTRAL(config)#
Or, is there another way to accomplish this task?
Thank you!!
Federico.
02-08-2010 09:27 AM
Hi Federico,
DNS doctoring, which is the feature you are looking for, is not supported on Cisco routers. As a consequence of your setup the local PC will try to access the server through its NAT address, which is also not possible on a Cisco router. This is because when NAT is configured we need to send the traffic from inside to outside to translate, and then to undo this translation it's a requirement that the traffic flows from outside to inside. All these requirements are based on the NAT RFC 1631; that's why on a Cisco router configured with static NAT you are not able to see a local web server through its NATed address.
There are a few workarounds you can try on this kind of setup:
WORKAROUND 1:
Instead of using the public IP address, try to access the server through the private IP address. It's the simplest way to solve this issue.
WORKAROUND 2:
Configure one of your computers as a local DNS server and add a record stating that the only way to access the server is with the private IP address. Here is a useful link that explains how to configure a computer as a private DNS server:
http://www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/dnsover.mspx
This is the best choice to do this configuration.
WORKAROUND 3:
Configure the router as a DNS server. The local network should point its DNS queries to the router and configure a local entry for that server. In this way, when the LAN tries to access the public domain of a local address, the router will provide them with the private IP instead of the public IP. Here are the lines needed to configure the router as a DNS server (you need at least version 12.2(4)T)
config t
ip dns server
ip domain lookup
ip name-server X.X.X.X           <<<<< PUBLIC DNS TO FORWARD QUERIES (the command is "ip name-server")
ip host www.domain.com 10.1.1.1  <<<<< NAME OF THE LOCAL SERVER AND ITS PRIVATE IP (10.1.1.1 in this thread)
WORKAROUND 4:
There's something else you can do on each PC. You just have to edit a file that contains aliases for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the domain name, not with the IP address. The file is called "hosts". The Windows OS, before asking a DNS server for a domain name, checks this file to see if there is a shortcut giving the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path (I think you will find it on XP as well):
C:\WINNT\system32\drivers\etc
You just need to edit it with NOTEPAD. Here is what you will find when you open the file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
This is why if you do a PING LOCALHOST on an MS-DOS window, you are pinging 127.0.0.1. You just need to add your domain name and point it to the private address of the server.
WORKAROUND 5:
Configure what is called NAT on a Stick in your router. This kind of special configuration "tricks" both the server and the LAN into believing they are talking with a completely different network, avoiding the issue related to the NAT. The problem with this configuration is that it is quite heavy on the router and does not always work, so I would discourage its use, because the router will get involved in all internal conversations with the whole network, resulting in too much work for the router. Another thing you need to keep in mind regarding this workaround is that this specific setup is not supported by Cisco.
Regards,
Rick.
02-05-2010 10:43 AM
Federico,
NAT on a Stick is the similar function that IOS has; this, however, is not quite guaranteed to work as desired. Please take a look at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
hth
Ivan
02-05-2010 12:25 PM
I am almost positive that dns rewrite just works by default on IOS.
-KS
02-10-2010 10:37 AM
Excellent reply Rick!
I used workaround#2.
Thank you very much!!
Federico.
02-08-2012 08:46 AM
DNS rewrite is enabled by default where:
- a static NAT is configured on the router with the outside and the inside address of the inside SERVER A
- and the router sees a DNS reply from the outside DNS containing the outside NAT IP for SERVER A
In this case the router rewrites the IP for SERVER A from the outside NAT to the inside NAT IP.
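The rewrite described in the reply above (the same thing the "dns" keyword on the ASA static in the original question asks for), carried out on an actual DNS message, as an added example that is not part of this thread and is not IOS or ASA code. The function walks the answer section of a response and, where an A record's address matches the outside (global) side of a static NAT mapping, swaps in the inside (local) address. Nothing else changes: the question, other record types and the message length are left alone. The NAT table, the sample response and the name www.mycompany.com are constructed for the example; the 20.1.1.1 / 10.1.1.1 pair is taken from the question, and 198.51.100.10 is a TEST-NET-2 address standing in for an unrelated host.

```python
from __future__ import annotations

import ipaddress
import struct

# Constructed for this example: the outside-to-inside mapping that a
# "static (inside,outside) 20.1.1.1 10.1.1.1 dns" entry (from the question)
# would install. Keys are outside (global) addresses, values inside (local).
STATIC_NAT = {"20.1.1.1": "10.1.1.1"}

TYPE_A = 1       # RFC 1035 resource record type for an IPv4 address
QR_BIT = 0x8000  # header flag that is set on responses


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past the DNS name that starts at `offset`.

    A name is a run of length-prefixed labels ending in a zero byte, or a
    two-byte compression pointer (top two bits set) that ends the name
    (RFC 1035 4.1.4). Stopping at the pointer is what keeps the walk
    aligned with the real record boundaries.
    """
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def _iter_answers(msg: bytes):
    """Yield (rtype, rdata_offset, rdlength) for each answer-section record."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12  # fixed-size header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, off, rdlength
        off += rdlength


def doctor_dns_reply(msg: bytes, nat: dict[str, str]) -> tuple[bytes, int]:
    """Rewrite A records whose address is a NAT outside address.

    Returns the (possibly) modified message and the number of records
    rewritten. Queries (QR bit clear) and non-A records pass through
    unchanged, and the message length never changes, so a NAT device only
    has to fix the UDP/IP checksums afterwards.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    if not flags & QR_BIT:
        return msg, 0
    buf = bytearray(msg)
    rewrites = 0
    for rtype, off, rdlength in _iter_answers(buf):
        if rtype != TYPE_A or rdlength != 4:
            continue
        outside = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        inside = nat.get(outside)
        if inside is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(inside).packed
            rewrites += 1
    return bytes(buf), rewrites


def a_records(msg: bytes) -> list[str]:
    """Dotted-quad addresses of the A records in the answer section."""
    return [
        str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        for rtype, off, rdlength in _iter_answers(msg)
        if rtype == TYPE_A and rdlength == 4
    ]


def build_reply(qname: str, addresses: list[str]) -> bytes:
    """Constructed sample response: one question, one A record per address.

    Answer owner names are the compression pointer 0xC00C back to the
    question name, as real resolvers emit them.
    """
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.strip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", TYPE_A, 1)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + ipaddress.IPv4Address(a).packed
        for a in addresses
    )
    return header + question + answers


if __name__ == "__main__":
    reply = build_reply("www.mycompany.com", ["20.1.1.1", "198.51.100.10"])
    doctored, n = doctor_dns_reply(reply, STATIC_NAT)
    print(a_records(reply), "->", a_records(doctored), f"({n} rewritten)")
```

Two caveats a practitioner should keep in mind when relying on this behaviour on a real NAT device rather than in a script. First, it only happens to DNS replies that actually traverse the NAT device: clients using an internal resolver, or DNS over TLS/HTTPS to an outside resolver, never get their answers rewritten. Second, it is an in-place change to the RDATA, so a DNSSEC-validating client will reject the rewritten RRset, and AAAA records are not touched at all. On IOS the "no-payload" keyword shown in the question's "ip nat inside source static ... ?" output is what switches this embedded-address translation off for a given static entry.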