
DNS doctoring not working - IOS 15.0

big_aspergus
Level 1

Hello,


I've read that DNS doctoring is default-enabled on IOS 12 and higher.


My network is behind a CISCO 2951 running IOS 15.0(1) M3. I've set up a simple NAT rule allowing outside traffic to be redirected to an internal private IP on port 80 (it's a web application).


Now internal computers are not able to resolve the application hostname to the private IP.

Anything special I should configure on NAT?

Thanks.

3 Replies

Fabrice Ducomble
Cisco Employee

For the NAT ALG to doctor the DNS reply coming from an external DNS server, you need to get a 'full' static NAT (not for a specific port); the reason is that the DNS reply doesn't tell the NAT code which port the user traffic will use, so it can't guess which partial static NAT should be used...

Thx,

Fabrice

Thank you, Fabrice, for your reply.

That is a huge limitation. If I read you correctly, I need to establish a NAT for all ports ... so what if I want to overload NAT? Will it work if I set up a global NAT on all ports with additional PAT rules?

Thanks,

EBL

I'm afraid you can't have a full static NAT for an inside global address and some extra partial static NAT using the same inside global but a different inside local...

If you need to 'split' the same public IP to different internal servers, you need to get a local DNS server (could be the NAT router) which will reply with private IPs for your internal service names and forward everything else to the provider DNS.

Thx,

Fabrice
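
The two options from the replies above, written out as IOS configuration. This is an added example, not configuration posted by anyone in the thread; all addresses and the hostname `app.example.com` are constructed placeholders.

```cisco
! Constructed values (assumptions, not from the thread):
!   192.168.1.10   web server, inside local address
!   203.0.113.10   public address, inside global address
!   198.51.100.53  provider DNS resolver
!   app.example.com  hypothetical application hostname
!
! Port-specific static NAT, as described in the question. Per the first
! reply, a DNS answer containing 203.0.113.10 is not doctored with this form,
! because the answer carries no port for the ALG to match on.
ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
!
! Option A: full static NAT (no protocol, no port), the form the first reply
! says the NAT ALG needs. It replaces the port-specific entry and cannot be
! combined with partial statics that reuse 203.0.113.10 for another server.
! Every port on 192.168.1.10 is now translated, so inbound filtering on the
! outside interface has to limit exposure to tcp/80.
no ip nat inside source static tcp 192.168.1.10 80 203.0.113.10 80
ip nat inside source static 192.168.1.10 203.0.113.10
!
! Option B: keep the port-specific NAT and let the router act as the local
! DNS server from the last reply. It answers the internal name with the
! private address and forwards all other queries to the provider resolver.
ip dns server
ip host app.example.com 192.168.1.10
ip name-server 198.51.100.53
```

Option B only helps clients that use the router's inside address as their resolver (for example, handed out by DHCP). `show ip nat translations` lists which static entries are installed.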