02-03-2016 09:07 AM - edited 03-12-2019 12:14 AM
We control our external DNS to the internet, and currently they sit outside of the firewall on public IPs. It's time to upgrade and I want to bring them inside the ASA and NAT them.
Maybe I'm looking at this too hard, but is it as simple as NAT'ing the existing public IPs to the new internal servers in the DMZ and allowing port 53 traffic through?
Thanks!
02-03-2016 09:08 AM
Sounds about right.
02-03-2016 07:26 PM
In addition to Johnson's comment, a couple of other notes:
1. As these servers need to initiate DNS queries to the Internet, make sure to allow DNS traffic only to the Internet from the DMZ (sourced from the server pvt IPs).
2. You may be aware of this, but you need to allow both tcp & udp for DNS traffic.
3. Make sure to block any connection initiated from these servers to your Internal IPs (using ACLs on the DMZ).
hth
MS
02-04-2016 07:18 AM
Thanks all!
#3... I still need to allow port 53 to/from my DCs for DNS forwarding, correct?
02-08-2016 07:45 PM
Hi Robert,
If your DCs are inside and using the DMZ servers as forwarders, I don't see a need to open any ports. If your ASA version is pre-8.3, you need static (Inside, DMZ) DCIP DCIP mask x.x.x.x, and for 8.3 and after, the communication is allowed by config.
hth
MS
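Putting the notes above together (static NAT of the public IPs, tcp and udp 53, DMZ ACLs that only allow DNS out and nothing in toward the inside), here is an added ASA 8.3+ configuration sketch; it is not from the original thread, and the addresses, object names and interface names (outside/dmz/inside) are assumed. Since 8.3, ACLs match on the real (untranslated) address, so OUTSIDE-IN references the DMZ private IPs, not the public ones.

```cisco
! Constructed example: 203.0.113.x public, 172.16.50.x DMZ, 10.0.0.0/8 inside
object network INSIDE-NET
 subnet 10.0.0.0 255.0.0.0
object network DNS1-DMZ
 host 172.16.50.10
 nat (dmz,outside) static 203.0.113.10
object network DNS2-DMZ
 host 172.16.50.11
 nat (dmz,outside) static 203.0.113.11
object-group network DNS-DMZ
 network-object object DNS1-DMZ
 network-object object DNS2-DMZ
! Note 2: DNS needs both transports (zone transfers and large responses use tcp)
object-group service DNS-PORTS
 service-object udp destination eq domain
 service-object tcp destination eq domain
! Internet -> DMZ: only port 53, only to the two DNS servers (real IPs, post-8.3)
access-list OUTSIDE-IN extended permit object-group DNS-PORTS any object-group DNS-DMZ
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
! Notes 1 and 3: DMZ may only initiate DNS to the Internet, never anything to inside.
! The deny must come first; the static NAT is bidirectional, so these outbound
! queries leave sourced from the public IPs.
access-list DMZ-IN extended deny ip object-group DNS-DMZ object INSIDE-NET log
access-list DMZ-IN extended permit object-group DNS-PORTS object-group DNS-DMZ any
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
! DC forwarding (inside -> dmz, port 53) is allowed by the default higher-to-lower
! security-level behaviour unless an inside ACL exists; replies return via the
! stateful connection table, so the DMZ-IN deny does not block them.
```

Verify the translation with `show nat` and `packet-tracer input outside udp 198.51.100.1 40000 203.0.113.10 53` before cutting over the old servers.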
02-12-2016 11:08 AM
Thanks guys! I got the crud and forgot to come back on here and update.