
How ASA traffic route according to NAT and DMZ present?

Dear All,

I have a problem with the DNS forwarder: the DNS server forwarder is not resolving 8.8.8.8, 4.2.2.2 or any global IP. The DNS server is on the inside network, and internet traffic goes through a proxy which is in the DMZ. DMZ interface => rule "source (Proxy IP - 10.1.10.10) destination (any) port (IP)", and DNS traffic goes directly outside: inside interface => source (DNS Server IP - 10.1.1.10) destination (any) port (53). NAT rule => 10.1.0.0 to 10.1.10.10 outside.

What do I do in order to resolve 8.8.8.8 or 4.4.4.4?

Is it necessary to drive the traffic to the proxy server by allowing port 53, and should the DNS forwarder setting be the DMZ proxy server IP?

2 Replies

In a proxy setup the proxy will do the name lookup. For that you need to allow the proxy to reach the configured DNS servers on UDP/53 and TCP/53. That has to be allowed with the ACL. And you need a translation so that the proxy can reach the internet. That's all that has to be done on the ASA.

To test it run the following command:

packet-tracer input dmz udp IP-OF-PROXY 1234 8.8.8.8 53
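
The ACL and translation described in the reply above, as an added example that is not part of the original thread. It assumes ASA 8.3 or later object NAT syntax and interfaces named dmz and outside; the names PROXY-SRV and DMZ_IN are hypothetical, and 10.1.10.10 is the proxy address given in the question.

```cisco
! Added example. Assumptions: ASA 8.3+ object NAT, nameif "dmz" and "outside".
! PROXY-SRV and DMZ_IN are hypothetical names.
!
! --- Configuration mode ---
!
! 1. Translation so the proxy (10.1.10.10) can reach the internet,
!    here as dynamic PAT to the outside interface address.
object network PROXY-SRV
 host 10.1.10.10
 nat (dmz,outside) dynamic interface
!
! 2. Let the proxy reach DNS servers on UDP/53 and TCP/53.
!    "any" can be narrowed to the resolvers actually configured on the proxy.
access-list DMZ_IN extended permit udp host 10.1.10.10 any eq domain
access-list DMZ_IN extended permit tcp host 10.1.10.10 any eq domain
!
! 3. Bind the ACL inbound on the dmz interface. An interface takes one
!    inbound ACL: if one is already applied to dmz, add the two permit
!    lines to that ACL instead of binding a new one.
access-group DMZ_IN in interface dmz
!
! --- Privileged EXEC mode: verification ---
!
! Simulate a DNS query from the proxy over both transports.
packet-tracer input dmz udp 10.1.10.10 1234 8.8.8.8 53
packet-tracer input dmz tcp 10.1.10.10 1234 8.8.8.8 53
!
! Hit counters on the ACL entries and on the NAT rule show whether
! real traffic from the proxy is matching them.
show access-list DMZ_IN
show nat detail
show xlate
```

In the packet-tracer output, the ACCESS-LIST and NAT phases and the final drop reason show which of the two pieces is stopping the query.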

I already tried using the firewall rule but it does not work. Is there any DNS config on the proxy server to do the name resolution for port 8.8.8.8 and any other IP? If yes, then how do I configure it?
