URL Redirect to Local DNS Server Via ASA

EEtech-uae
Level 1

Hello

Is it possible in the ASA to redirect a URL (yyy.com) to our local DNS server (x.x.x.x)?

As yyy.com is registered as a public domain and we also have the same local domain, I need all inside users to access this URL (yyy.com) through our local DNS. Is it possible to redirect the URL to the local DNS via the Cisco ASA 5512?

6 Replies

Do you have a NAT configured for yyy.com?  If yes, then you only need to add the keyword "dns" (without "") at the end of the NAT statement.  Also, be sure to add an access rule with the private IP of the URL as the destination and which port is to access it for each interface that is to access this URL.

--
Please remember to select a correct answer and rate helpful posts
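To show what the "dns" keyword in the reply above actually does to traffic, here is an added Python model (my example, not code from the thread or from Cisco). It builds a small DNS reply for yyy.com that carries the public address, then applies the rewrite the ASA performs on a reply crossing from the mapped side to the real side of a static NAT that carries "dns": the A record is changed from the mapped (public) address to the real (private) one, in place, with the rest of the message untouched. The addresses are constructed documentation values standing in for y.y.y.y and x.x.x.x, and the mapping table is an assumption representing that one static NAT.

```python
import ipaddress
import struct

# Constructed mapping standing in for the thread's static NAT with the "dns" keyword:
# mapped (public, y.y.y.y) -> real (private, x.x.x.x). Documentation addresses, not real hosts.
STATIC_NAT_DNS = {"203.0.113.10": "10.10.10.5"}


def build_a_response(txid, name, ip, ttl=300):
    """Build a minimal DNS response (one question, one A answer) as raw bytes.

    Used only to construct sample input; a real reply would come off the wire.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # The answer's owner name is a compression pointer to offset 12 (the question name).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _walk_answers(msg):
    """Yield (rdata_offset, rtype, rdlen) for each record in the answer section."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", msg, 2)
    if not flags & 0x8000:  # a query, not a response: nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield off, rtype, rdlen
        off += rdlen


def a_records(msg):
    """List the IPv4 addresses in the answer section (for inspection and tests)."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rdlen in _walk_answers(msg) if rtype == 1 and rdlen == 4]


def dns_doctor(msg, nat=STATIC_NAT_DNS):
    """Rewrite A records whose address is a mapped NAT address to the real address.

    Models what the ASA does to a DNS reply crossing from the mapped side to the
    real side when the matching static NAT carries the "dns" keyword. Only the
    answer section is rewritten; TTL and everything else stay as they were.
    Returns (doctored_bytes, list of (old, new) rewrites).
    """
    out = bytearray(msg)
    rewrites = []
    for off, rtype, rdlen in _walk_answers(out):
        if rtype != 1 or rdlen != 4:
            continue
        addr = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
        if addr in nat:
            out[off:off + 4] = ipaddress.IPv4Address(nat[addr]).packed
            rewrites.append((addr, nat[addr]))
    return bytes(out), rewrites


if __name__ == "__main__":
    reply = build_a_response(0x1234, "yyy.com", "203.0.113.10")
    doctored, changes = dns_doctor(reply)
    print("before:", a_records(reply), "after:", a_records(doctored), changes)
```

The check a practitioner wants is the one the model makes explicit: the rewrite only happens on a response, only for A records, and only for addresses that are actually the mapped side of a NAT rule; a reply for an unrelated name passes through byte for byte. It also shows why the thread's first answer asks about NAT: without a static NAT rule for yyy.com there is no mapping for the "dns" keyword to apply.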

EEtech-uae
Level 1

Hello

No NAT is configured for yyy.com. The public IP of yyy.com is (y.y.y.y), and the private IP, that is the local IP of yyy.com, is (x.x.x.x), which is the DNS server. I need all requests to yyy.com to go to the private IP (x.x.x.x), i.e. the DNS server.

You can do this using twice NAT / policy NAT.  Just replace the group names, interface names, and IPs as needed:

object network xxxGroup
  host x.x.x.x
object network yyyGroup
  host y.y.y.y
object network source_subnet
  subnet z.z.z.0 255.255.255.0
nat (inside,DMZ) source static source_subnet source_subnet destination static yyyGroup xxxGroup

NAT format is nat (real_int,nat_int) source static real_source nat_source destination static nat_dest real_dest

--
Please remember to select a correct answer and rate helpful posts
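The mapped/real ordering in a twice-NAT line is what trips people up, so here is an added Python model (mine, not the poster's configuration or any Cisco code) of how the ASA evaluates such a rule in both directions. It parses the object and nat lines in the form used in the reply above, with the destination written as `destination static <mapped> <real>` (mapped object first, then real, as the ASA syntax orders it), then translates a packet from an inside user to the public address and untranslates the DMZ server's reply. The addresses are constructed documentation values standing in for x.x.x.x, y.y.y.y and z.z.z.0/24; the parser only handles the host/subnet objects and the single rule shape shown in the thread.

```python
import ipaddress
import re

# Constructed ASA snippet in the shape of the reply above; addresses are documentation
# placeholders standing in for x.x.x.x (private), y.y.y.y (public) and z.z.z.0/24 (users).
CONFIG = """
object network xxxGroup
  host 10.10.10.5
object network yyyGroup
  host 203.0.113.10
object network source_subnet
  subnet 10.20.30.0 255.255.255.0
nat (inside,DMZ) source static source_subnet source_subnet destination static yyyGroup xxxGroup
"""

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_objects(text):
    """Map 'object network' names to ip_network values (host -> /32)."""
    objs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            objs[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif line.startswith("subnet ") and current:
            addr, mask = line.split()[1:3]
            objs[current] = ipaddress.ip_network(f"{addr}/{mask}")
    return objs


def parse_nat_rules(text, objs):
    """Parse twice-NAT lines: nat (real_ifc,mapped_ifc) source static real mapped destination static mapped real."""
    rules = []
    for m in NAT_RE.finditer(text):
        real_ifc, mapped_ifc, src_real, src_mapped, dst_mapped, dst_real = m.groups()
        rules.append({
            "real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
            "src_real": objs[src_real], "src_mapped": objs[src_mapped],
            "dst_mapped": objs[dst_mapped], "dst_real": objs[dst_real],
        })
    return rules


def _remap(addr, from_net, to_net):
    """Static NAT keeps the host offset between equally sized networks (identity for a /32)."""
    offset = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + offset))


def translate(rules, ingress_ifc, src, dst):
    """Return (egress_ifc, src, dst) after the first matching rule, or None if no rule matches.

    Forward direction: packet enters the real interface, source in the real source
    object, destination equal to the mapped destination; it leaves the mapped
    interface with the destination rewritten to the real address.
    Reply direction: the same rule is applied in reverse, so the server's reply
    returns to the user with the public address as its source.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if ingress_ifc == r["real_ifc"] and s in r["src_real"] and d in r["dst_mapped"]:
            return (r["mapped_ifc"],
                    _remap(s, r["src_real"], r["src_mapped"]),
                    _remap(d, r["dst_mapped"], r["dst_real"]))
        if ingress_ifc == r["mapped_ifc"] and s in r["dst_real"] and d in r["src_mapped"]:
            return (r["real_ifc"],
                    _remap(s, r["dst_real"], r["dst_mapped"]),
                    _remap(d, r["src_mapped"], r["src_real"]))
    return None


if __name__ == "__main__":
    rules = parse_nat_rules(CONFIG, parse_objects(CONFIG))
    print("user -> public:", translate(rules, "inside", "10.20.30.7", "203.0.113.10"))
    print("server reply  :", translate(rules, "DMZ", "10.10.10.5", "10.20.30.7"))
```

Swapping the two destination objects in CONFIG (private first, public second) makes the forward lookup fail for a user sending to the public address, which is the quickest way to see why the mapped object has to come first in the destination clause.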

You would have two options to achieve that with NAT rules:

To be able to reach the internal server with its public IP, and get the replies sourcing from its public IP:

nat (inside,inside) source dynamic <internal-LAN-subnet> interface destination static <server-public-IP> <server-private-IP>
nat (inside,outside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) after-auto source dynamic <internal-LAN-subnet> interface

or

nat (inside,inside) source dynamic <internal-LAN-subnet> interface destination static <server-public-IP> <server-private-IP>
nat (inside,outside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) after-auto source dynamic <internal-LAN-subnet> interface

To be able to ping the internal server with its public IP, and get the replies sourcing from its private IP:

nat (inside,any) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source dynamic <internal-LAN-subnet> interface

or

nat (inside,inside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source static <server-private-IP> <server-public-IP>
nat (inside,outside) source dynamic <internal-LAN-subnet> interface

The ASA has the users and the local DNS connected to INSIDE. The user will ask the DNS for the IP address of the URL, and the DNS will reply with the public IP. Is the URL server in the DMZ? If yes, then NAT it with a source and destination translate rule.

The source, the user on INSIDE, will be translated and treated as any user OUTSIDE; the destination is translated from the public IP address to the private IP address of the URL server.

If both users and DNS are located on the inside interface and/or same subnet and DNS request and reply traffic does not pass through the ASA then there is nothing we can do on the ASA to proxy this.  You need to update the DNS A record with the internal IP (if this is possible).  If there is no A record and the DNS server queries a global DNS server for the IP, then you can create a DNS A record for yyy.com and give it the private IP.

--
Please remember to select a correct answer and rate helpful posts