NAT and DNS Doctoring with Two Internal Interfaces

RBenke
Level 1

I’ve searched and searched and searched, and I can’t find this particular configuration discussed anywhere…

 

My predecessor entered this NAT into our Cisco ASA:

 

object network obj-10.1.0.10
 nat (inside_academic,outside) static 50.201.x.x no-proxy-arp service tcp www www

 

This NAT allows external clients to access an internal web server. Straight-forward stuff, and it works just fine.

 

However, our ASA has two inside interfaces: inside_academic and inside_public. The academic network hosts the web server. In order to reach the web server from the inside_public network, a device on the inside_public network must query a public DNS server, and thus access the web server via the server’s external IP address. This creates a hairpin on the outside interface, and doesn’t work.

 

After much research, I came upon the notion of “DNS doctoring”, and entered this into the ASA:

 

nat (inside_public,outside) source static 10.1.0.10 50.201.x.x dns

 

This works: With this statement in place, a client on the public network correctly resolves the web server to 10.1.0.10 (I realize there’s more to this than just DNS doctoring; one step at a time). However, this statement breaks the existing NAT statement. I presume this is because the NAT table is referenced top-down, so whichever NAT is encountered first for the external IP address is the only NAT that takes effect. I was hoping the ASA would take the specified services into account when looking for a match, but that doesn’t appear to be the case.

 

If I can’t get both of these NATs to work at the same time, what else can I do to accomplish the goal? Or is there a way to get both of them working at the same time?
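The rule-ordering behaviour the post is wrestling with, as an added simulation that is not ASA code and not from the thread: the ASA evaluates manual (twice) NAT in Section 1 before object NAT in Section 2, whatever order the lines were entered in, so the later manual rule, which has no service clause, catches inbound tcp/80 to the public address first and untranslates it toward inside_public, while its dns keyword is what rewrites the A record for inside_public clients. The address 50.201.0.10 stands in for the post's redacted 50.201.x.x; the rule names and helper functions are the example's own.

```python
"""Model of Cisco ASA (8.3+) NAT precedence and DNS doctoring.

Added illustration only; nothing here is ASA code. The ASA evaluates:
  Section 1: manual (twice) NAT, in configured order
  Section 2: object (auto) NAT
  Section 3: manual NAT entered with "after-auto"
and the first rule whose untranslation matches the packet wins.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAPPED_IP = "50.201.0.10"   # assumed stand-in for the post's redacted 50.201.x.x
REAL_IP = "10.1.0.10"       # the web server on inside_academic


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                               # 1 manual, 2 object, 3 after-auto
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str
    service: Optional[Tuple[str, int]] = None  # (proto, port); None matches all
    dns: bool = False                          # "dns" keyword present

    def matches_inbound(self, ingress_if: str, proto: str,
                        dst_ip: str, dst_port: int) -> bool:
        """Untranslation check for a packet arriving on the mapped interface."""
        if ingress_if != self.mapped_if or dst_ip != self.mapped_ip:
            return False
        if self.service is not None and self.service != (proto, dst_port):
            return False
        return True


def lookup_inbound(rules, ingress_if, proto, dst_ip, dst_port):
    """First matching rule in ASA section order (stable sort keeps
    configured order inside a section), or None."""
    for rule in sorted(rules, key=lambda r: r.section):
        if rule.matches_inbound(ingress_if, proto, dst_ip, dst_port):
            return rule
    return None


def doctored_answer(rules, reply_ingress_if, reply_egress_if, answer_ip):
    """DNS inspection model: a dns-enabled rule rewrites an A record from
    mapped to real address when the reply enters on the rule's mapped
    interface and leaves on its real interface."""
    for rule in sorted(rules, key=lambda r: r.section):
        if (rule.dns and rule.mapped_if == reply_ingress_if
                and rule.real_if == reply_egress_if
                and rule.mapped_ip == answer_ip):
            return rule.real_ip
    return answer_ip


# The predecessor's object NAT: Section 2, tcp/80 only, no dns keyword.
OBJECT_RULE = NatRule("obj-10.1.0.10 object NAT", 2, "inside_academic",
                      "outside", REAL_IP, MAPPED_IP, ("tcp", 80))
# The manual NAT added for doctoring: Section 1, all services, dns keyword.
MANUAL_DNS_RULE = NatRule("manual NAT with dns", 1, "inside_public",
                          "outside", REAL_IP, MAPPED_IP, None, dns=True)


def egress_before_change():
    """Inbound tcp/80 from the Internet with only the object NAT present."""
    return lookup_inbound([OBJECT_RULE], "outside", "tcp", MAPPED_IP, 80).real_if


def egress_after_change():
    """Same packet once the manual rule exists: Section 1 wins even though
    it was configured second, and it points at the wrong inside interface."""
    rule = lookup_inbound([OBJECT_RULE, MANUAL_DNS_RULE], "outside", "tcp", MAPPED_IP, 80)
    return rule.real_if


def answer_seen_by_public_client(rules):
    """A record an inside_public client gets back from the external resolver."""
    return doctored_answer(rules, "outside", "inside_public", MAPPED_IP)


if __name__ == "__main__":
    print("egress before:", egress_before_change())
    print("egress after: ", egress_after_change())
    print("A record, object NAT only:", answer_seen_by_public_client([OBJECT_RULE]))
    print("A record, with manual dns:", answer_seen_by_public_client([OBJECT_RULE, MANUAL_DNS_RULE]))
```

Running it shows both halves of the post's observation at once: the manual rule is what makes the A record come back as 10.1.0.10 on inside_public, and the same rule is what now swallows the Internet-facing tcp/80 flow that the object NAT used to handle.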

2 Replies

Hi @RBenke

But why don't inside_academic and inside_public talk to each other via their real IP addresses, as they are both inside?

Do they have the same security level?

-If I helped you somehow, please, rate it as useful.-

Inside_public doesn't have its own DNS server, it utilizes an external, public DNS server. So a device on inside_public only knows the web server's external address. That's the challenge that I'm trying to overcome.

 

I've found numerous articles and other references that describe how to do this when the client and the server are on the same internal ASA interface. What I can't find is any discussion of how to accomplish this when the client and server are on different internal interfaces. The problem is, I would need two NATs for the same external address, and that doesn't work. I need a different solution.
