URL Redirect to Local DNS Server Via ASA

EEtech-uae · ‎10-13-2020

Hello

Is it possible in ASA to redirect an URL (yyy.com) to our local DNS Server (x.x.x.x).

as this yyy.com is registered as a public domain also we have same local domain, so i need all inside users to access this url (yyy.com) through our local dns. Is it possible can i redirect the url to local dns via Cisco ASA 5512.

Marius Gunnerud · ‎10-13-2020

Do you have a NAT configured for yyy.com? If yes, then you only need to add the keyword "dns" (without "") at the end of the NAT statment. Also, be sure to add an access rule with the private IP of the URL as the destination and which port is to access it for each interface that is to access this URL.

--
Please remember to select a correct answer and rate helpful posts

EEtech-uae · ‎10-13-2020

Hello

No NAT is configured for yyy.com. Public ip of yyy.com is (y.y.y.y) and private ip that is local ip of yyy.com is (x.x.x.x) which is the dns server. i need all request to yyy.com should go to private ip (x.x.x.x) ie dns server

Marius Gunnerud · ‎10-13-2020

You can do this using twice NAT / policy NAT. Just replace the group names, interface names, and IPs as needed:

object network xxxGroup

host x.x.x.x

object network yyyGroup

host y.y.y.y

object network source_subnet

subnet z.z.z.0 255.255.255.0

nat (inside,DMZ) source static source_subnet source_subnet destination xxxGroup yyyGroup

NAT format is nat (real_int,nat_int) source static real_source nat_source destination nat_dest real_dest

--
Please remember to select a correct answer and rate helpful posts

Aref Alsouqi · ‎10-13-2020

You would have two options to achieve that with NAT rules:

To be able to reach the internal server with its public IP, and get the replies sourcing from its public IP:

nat (inside,inside) source dynamic <internal-LAN-subnet> interface destination static <server-public-IP> <server-private-IP>

nat (inside,outside) source static <server-private-IP> <server-public-IP>

nat (inside,outside) after-auto source dynamic <internal-LAN-subnet> interface

or

nat (inside,inside) source dynamic <internal-LAN-subnet> interface destination static <server-public-IP> <server-private-IP>

nat (inside,outside) source static <server-private-IP> <server-public-IP>

nat (inside,outside) after-auto source dynamic <internal-LAN-subnet> interface

To be able to ping the internal server with its public IP, and get the replies sourcing from its private IP:

nat (inside,any) source static <server-private-IP> <server-public-IP>

nat (inside,outside) source dynamic <internal-LAN-subnet> interface

or

nat (inside,inside) source static <server-private-IP> <server-public-IP>

nat (inside,outside) source static <server-private-IP> <server-public-IP>

nat (inside,outside) source dynamic <internal-LAN-subnet> interface

MHM Cisco World · ‎10-13-2020

ASA have User and local DNS connect to INSIDE,
User will ask DNS for IP address of URL
DNS will reply with Public IP.
URL Server in DMZ?
if yes then it NAT with source and destination translate rule.

source will be the User INSIDE will be translate and treat as any User OUTSIDE
destination is from Public ip address to private ip address of URL Server.

Marius Gunnerud · ‎10-14-2020

If both users and DNS are located on the inside interface and/or same subnet and DNS request and reply traffic does not pass through the ASA then there is nothing we can do on the ASA to proxy this. You need to update the DNS A record with the internal IP (if this is possible). If there is no A record and the DNS server queries a global DNS server for the IP, then you can create a DNS A record for yyy.com and give it the private IP.

--
Please remember to select a correct answer and rate helpful posts