11-09-2011 01:13 PM - edited 03-07-2019 03:18 AM
Hello,
I have a DNS within a DMZ behind a Cisco 2811 router, all behind another firewall. The router is running ipbasek9 12.4(24)T4 and performing a source static network NAT for the network behind it.
The problem I'm having is that the router is also translating the network prefix within the DNS queries issued against the DNS server. I've ran a series of wireshark traces on both sides of the router that confirms this.
Is there a method to limit the NAT on the router to only translate the IP packet headers and not the data?
Here is an example config of my NAT
ip nat inside source static network 192.168.224.0 192.168.238.0 /24 no-payload
11-09-2011 01:23 PM
Hi Dave,
The NAT is translating the network addresses in the header and not the data hence the name. Maybe I have misunderstood your question.
Best regards,
Alex
11-09-2011 01:26 PM
It is re-writing the actual DNS queries returned by the server acting on both the header and the date payload. But the no-payload option doesn’t seem to help.
interface FastEthernet0/0
description Interconnect to FW
ip address 192.168.253.46 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1
description DMZ subnet
ip address 192.168.224.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source static network 192.168.224.0 192.168.238.0 /24 no-payload
11-09-2011 01:34 PM
OK - perhaps I just didn't clear out the existing translations Bad me!
11-09-2011 01:44 PM
Is it working ok now?
Best regards,
Alex
11-09-2011 01:45 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide