
External DNS Question

robert.russom (Level 1)

We control our external DNS to the internet, and currently they sit outside of the firewall on public IPs. It's time to upgrade and I want to bring them inside the ASA and NAT them.

Maybe I'm looking at this too hard, but is it as simple as NAT'ing the existing public IPs to the new internal servers in the DMZ and allowing port 53 traffic through?

Thanks!

2 Accepted Solutions

jj27 (Spotlight)

Sounds about right.

In addition to Johnson's comment, a couple of other notes:

1. Since these servers need to initiate DNS queries to the Internet, make sure to allow DNS traffic from the DMZ only to the Internet (sourced from the servers' private IPs).

2. You may already be aware of this, but you need to allow both TCP and UDP for DNS traffic.

3. Make sure to block any connection initiated from these servers to your internal IPs (using ACLs on the DMZ).

HTH

MS

5 Replies

Thanks all!

On #3: I still need to allow port 53 to/from my DCs for DNS forwarding, correct?

Hi Robert,

If your DCs are inside and are using the DMZ servers as forwarders, I don't see a need to open any ports. If your ASA version is pre-8.3, you need "static (inside,dmz) DCIP DCIP netmask x.x.x.x"; for 8.3 and later, the communication is allowed by the configuration.

HTH

MS
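The following ASA configuration is an added example, not something posted in the thread, that puts the accepted answer's three notes (DNS in from the Internet on both TCP and UDP, DNS out from the DMZ only from the servers' private addresses, nothing initiated from the DMZ toward inside) and the follow-up about the DCs forwarding to the DMZ servers into one working fragment. It assumes ASA 8.3 or later (object NAT, and ACLs that match the real address rather than the public one); the object names and addresses (203.0.113.0/24 public per RFC 5737, 192.168.50.0/24 DMZ, 10.0.0.0/8 inside) are constructed for the illustration, not the poster's.

```cisco
! Constructed addressing for the example: two DMZ DNS servers, each with its own public IP
object network DNS1-DMZ
 host 192.168.50.10
 nat (dmz,outside) static 203.0.113.10
object network DNS2-DMZ
 host 192.168.50.11
 nat (dmz,outside) static 203.0.113.11
!
object-group network DNS-SERVERS
 network-object object DNS1-DMZ
 network-object object DNS2-DMZ
object-group network INSIDE-NETS
 network-object 10.0.0.0 255.0.0.0
!
! Note 2 from the accepted answer: DNS is UDP and TCP, so one service group carries both
object-group service DNS-PORTS
 service-object udp destination eq domain
 service-object tcp destination eq domain
!
! Inbound from the Internet. On 8.3+ the ACL names the real (DMZ) address; the NAT is applied afterwards.
access-list OUTSIDE-IN extended permit object-group DNS-PORTS any object-group DNS-SERVERS
access-group OUTSIDE-IN in interface outside
!
! From the DMZ (note 1 and note 3): deny anything DMZ-initiated toward inside first,
! then allow only the DNS servers themselves to query out, then drop everything else.
access-list DMZ-OUT extended deny ip any object-group INSIDE-NETS
access-list DMZ-OUT extended permit object-group DNS-PORTS object-group DNS-SERVERS any
access-list DMZ-OUT extended deny ip any any
access-group DMZ-OUT in interface dmz
!
! Nothing is needed for the DCs' forwarding: the DCs (inside, higher security) open the
! connection to the DMZ servers, and the replies ride that stateful connection back in,
! so they are not matched against DMZ-OUT.
```

Two things to check once this is in place. First, the DMZ servers are reachable on 53 from any source and also recurse on behalf of the DCs, so restrict recursion on the servers themselves to the inside networks, or the public addresses become open resolvers. Second, the ASA's default global policy inspects DNS with the preset_dns_map map; verify its message-length maximum against the response sizes you expect (EDNS and DNSSEC responses can exceed 512 bytes) before cutting over. On pre-8.3 code the equivalent NAT is "static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255" and OUTSIDE-IN would then match the public address instead of the DMZ one.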

Thanks guys!  I got the crud and forgot to come back on here and update.