
outside-PAT all UDP traffic, but exclude DNS

Roman Rodichev
Level 7

8.4(3)

I need to outside PAT all incoming UDP (SIP/RTP) traffic from outside to an internal IP. The following command makes it work:

nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp

But it breaks DNS resolution from inside. If I add the above command and try to nslookup from inside to an outside DNS server 64.90.175.90, DNS times out. If I remove the above nat command, it works again. It seems like even though DNS UDP originates from inside, which should create a stateful connection, ASA still messes with return DNS responses.

I then tried to create an "exclusion" for that IP with the following:

object-group network nat-exclusions
 network-object host 64.90.175.90
!
nat (outside,inside) source static nat-exclusions nat-exclusions

but it's not working.

I also tried:

nat (outside,inside) source static nat-exclusions nat-exclusions unidirectional

Also not working.

Any suggestions? How can I outside-PAT all UDP traffic excluding DNS?


Roman Rodichev
Level 7

TAC was able to help. I needed this:

object network exclusions
 host 64.90.175.90
!
nat (inside,outside) source dynamic any interface destination static exclusions exclusions
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
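The working configuration from the reply, assembled in order with the verification steps a practitioner would run after the change (an added example, not from the thread or from TAC). Interface names, obj-10.0.0.173 and the DNS server 64.90.175.90 come from the thread; the inside client 10.0.0.50 and the SIP peer addresses are placeholders.

```cisco
! Added example; not the original poster's or TAC's configuration.
! obj-10.0.0.173 is assumed to be defined as below (the thread only references it).
object network obj-10.0.0.173
 host 10.0.0.173
!
object network exclusions
 host 64.90.175.90
!
! Manual (section 1) NAT rules are evaluated top-down and the first match wins,
! so the DNS exemption stays above the catch-all UDP rule, as in the TAC answer.
nat (inside,outside) source dynamic any interface destination static exclusions exclusions
nat (outside,inside) source dynamic any obj-10.0.0.173 service udp udp
!
! The catch-all rule only translates; it does not permit traffic. The access-list
! applied to the outside interface still decides which UDP ports reach 10.0.0.173.
!
! Check 1: inside client -> outside DNS server. The NAT phase of the trace should
! show the exemption rule, and the result should be ALLOW.
packet-tracer input inside udp 10.0.0.50 40000 64.90.175.90 53
!
! Check 2: outside SIP peer -> the address the peer dials (both placeholders).
! The NAT phase should show the obj-10.0.0.173 rule, not the exemption.
packet-tracer input outside udp 203.0.113.10 5060 <address-the-peer-dials> 5060
!
! Check 3: per-rule hit counts and the translations currently in use.
show nat
show xlate
```

If DNS still times out after the change, look for stale translations in show xlate that were built under the old rule before the exemption existed.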
