I ran across this post today

Random44F · ‎06-26-2013

Hello,

I have dhcp enabled on my asa which hands out private ip to all inside clients. as part of this, it also handsout the dns server which is the address of the inside interface

What I want to do is, create a static nat or port forward which does the following

if the source is 192.168.1.0/24 and destination is 192.168.1.1 with destination port number of 53 then rewrite the destination address to 8.8.8.8

This way I will hide the dns server form internal client. lots of home routers as cheap as £10 can do this, why does the cisco can not do this and charging you a premium ?

Thanks

Andrew Phirsov · ‎06-26-2013

ASA Allows any kind of source and destination NAT/PAT as long as it makes sense)). What are trying to accomplish?

Assuming that you're trying to redirect all the client's DNS requests to the 8.8.8.8 and 192.168.1.1 is the IP of the ASA's inside interface, nat rule woul look smth like this:

object network GOOGLE_DNS

host 8.8.8.8

object network LAN

subnet 192.168.1.24

object service DNS

service tcp destination eq 53

nat (inside,outside) source static LAN LAN destination static interface GOOGLE_DNS service DNS

This way it would be better:

object network GOOGLE_DNS

host 8.8.8.8

nat (outside,inside) static interface service tcp dns dns

Random44F · ‎07-12-2013

MANY THANKS

user83473973 · ‎06-06-2014

I ran across this post today and it helped me solve a similiar problem. This command works great except it specifies TCP, it should be UDP and the default ASA service for DNS is actually called domain.

This revised command should get you what you need:

object network GOOGLE_DNS

host 8.8.8.8

nat (outside,inside) static interface service udp domain domain

johnlloyd_13 · ‎08-16-2023

ASA DNS redirect /forward