10-13-2020 01:14 AM
Hello
Is it possible in ASA to redirect a URL (yyy.com) to our local DNS server (x.x.x.x)?
As yyy.com is registered as a public domain and we also have the same local domain, I need all inside users to access this URL (yyy.com) through our local DNS. Is it possible to redirect the URL to the local DNS via Cisco ASA 5512?
10-13-2020 01:18 AM
Do you have a NAT configured for yyy.com? If yes, then you only need to add the keyword "dns" (without "") at the end of the NAT statement. Also, be sure to add an access rule with the private IP of the URL as the destination and the port used to access it, for each interface that is to access this URL.
10-13-2020 01:26 AM
Hello
No NAT is configured for yyy.com. The public IP of yyy.com is (y.y.y.y) and the private IP, that is the local IP of yyy.com, is (x.x.x.x), which is the DNS server. I need all requests to yyy.com to go to the private IP (x.x.x.x), i.e. the DNS server.
10-13-2020 02:25 AM
You can do this using twice NAT / policy NAT. Just replace the group names, interface names, and IPs as needed:
object network xxxGroup
 host x.x.x.x
object network yyyGroup
 host y.y.y.y
object network source_subnet
 subnet z.z.z.0 255.255.255.0
nat (inside,DMZ) source static source_subnet source_subnet destination static yyyGroup xxxGroup
NAT format is: nat (real_int,nat_int) source static real_source nat_source destination static nat_dest real_dest
10-13-2020 01:46 AM
You would have two options to achieve that with NAT rules:
To be able to reach the internal server with its public IP, and get the replies sourcing from its public IP:
nat (inside,inside) source dynamic <internal-LAN-subnet> interface destination static <server-public-IP> <server-private-IP>
nat (inside,outside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) after-auto source dynamic <internal-LAN-subnet> interface
To be able to ping the internal server with its public IP, and get the replies sourcing from its private IP:
nat (inside,any) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source dynamic <internal-LAN-subnet> interface
or
nat (inside,inside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source dynamic <internal-LAN-subnet> interface
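A worked version of the hairpin setup above, as an added example that is not from this thread: all addresses are constructed stand-ins for y.y.y.y, x.x.x.x and z.z.z.0/24, and it also includes the intra-interface permit that (inside,inside) rules require plus the DNS-rewrite alternative for the case where DNS replies do cross the ASA.

```text
! Added example (not from the thread). Constructed addresses:
!   public IP of yyy.com   203.0.113.10   (stands in for y.y.y.y)
!   private IP of server   10.1.1.10      (stands in for x.x.x.x)
!   inside user subnet     10.1.0.0/16    (stands in for z.z.z.0/24)
!
! Required for (inside,inside) hairpin rules; without it the ASA drops
! traffic that enters and leaves the same interface.
same-security-traffic permit intra-interface
!
object network SERVER_PRIVATE
 host 10.1.1.10
object network SERVER_PUBLIC
 host 203.0.113.10
object network INSIDE_USERS
 subnet 10.1.0.0 255.255.0.0
!
! Twice NAT: an inside user sending to 203.0.113.10 is rewritten to
! 10.1.1.10, and the user's source is PAT'd to the inside interface so
! the server's replies come back through the ASA and are un-translated.
nat (inside,inside) source dynamic INSIDE_USERS interface destination static SERVER_PUBLIC SERVER_PRIVATE
!
! Normal publication of the server toward the Internet.
nat (inside,outside) source static SERVER_PRIVATE SERVER_PUBLIC
!
! Alternative when DNS replies for yyy.com traverse the ASA (e.g. an
! external resolver): the "dns" keyword rewrites the A record
! 203.0.113.10 -> 10.1.1.10 in replies seen by inside users, so no
! hairpin rule is needed. Use one approach or the other.
! object network SERVER_PRIVATE
!  nat (inside,outside) static 203.0.113.10 dns
!
! Verification (constructed inside host 10.1.5.20, HTTPS to the public IP):
! packet-tracer input inside tcp 10.1.5.20 12345 203.0.113.10 443
! show nat detail
! show xlate | include 203.0.113.10
```

The packet-tracer output should show the hairpin NAT phase rewriting the destination to 10.1.1.10; if it reports a drop at the NAT or intra-interface check, the rules or the intra-interface permit are missing.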
10-13-2020 04:36 PM
The ASA has the user and the local DNS connected to INSIDE.
The user will ask the DNS for the IP address of the URL.
The DNS will reply with the public IP.
Is the URL server in the DMZ?
If yes, then NAT it with a source and destination translate rule:
the source will be the user on INSIDE, translated and treated as any user on OUTSIDE;
the destination is translated from the public IP address to the private IP address of the URL server.
10-14-2020 02:00 AM
If both users and DNS are located on the inside interface and/or the same subnet, and DNS request and reply traffic does not pass through the ASA, then there is nothing we can do on the ASA to proxy this. You need to update the DNS A record with the internal IP (if this is possible). If there is no A record and the DNS server queries a global DNS server for the IP, then you can create a DNS A record for yyy.com and give it the private IP.