01-26-2016 02:09 PM - edited 02-21-2020 08:38 PM
I have a Guest interface that I'd like to be able to use AnyConnect from to provide access to the inside network, and I'd like to be able to do it without a dedicated Guest DNS. I believe the answer to that is DNS doctoring through NAT. However, when I use the ASA's interfaces in a NAT translation with DNS doctoring I get errors stating that the address overlaps with the interface, which is of course true.
What are the NAT rules I need to accomplish this?
ASA 9.1(5)
01-26-2016 04:56 PM
Why not create a rule allowing the guest network access to dns on your internal DNS servers (or external).
And you can enable AnyConnect on the guest interface.
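As an added illustration of the approach suggested in this reply (not configuration from the original thread or from the poster), here is an ASA 9.1-style configuration that lets the guest segment reach only the internal DNS server, and only on port 53, while blocking the rest of the internal address space and enabling the AnyConnect client on the guest interface. The interface name `guest`, the object names and all addresses (192.168.50.0/24 for the guest segment, 10.10.10.53 for the internal DNS server, 10.0.0.0/8 for the internal range) are assumed placeholders to be replaced with real values.

```cisco
! Hypothetical objects; replace the addresses with your own
object network GUEST_NET
 subnet 192.168.50.0 255.255.255.0
object network INTERNAL_DNS
 host 10.10.10.53
object network INTERNAL_RANGE
 subnet 10.0.0.0 255.0.0.0

! Guest hosts may resolve names via the internal DNS server (UDP and TCP 53) ...
access-list GUEST_IN extended permit udp object GUEST_NET object INTERNAL_DNS eq domain
access-list GUEST_IN extended permit tcp object GUEST_NET object INTERNAL_DNS eq domain
! ... but nothing else inside is reachable from the guest segment
access-list GUEST_IN extended deny ip object GUEST_NET object INTERNAL_RANGE
! Everything else (Internet-bound traffic) is allowed
access-list GUEST_IN extended permit ip object GUEST_NET any
access-group GUEST_IN in interface guest

! Allow the AnyConnect client to terminate on the guest interface
webvpn
 enable guest
 anyconnect enable
```

Scoping the permit to the single DNS host and port is what keeps the guest segment isolated; the explicit deny for the internal range before the final permit is the check worth verifying with `packet-tracer input guest udp 192.168.50.10 1025 10.10.10.53 53` and a second run against a non-DNS internal host, which should be dropped by the ACL.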
01-27-2016 08:25 AM
External won't work because it points to the outside interface and the ASA can't figure out how to route that from another interface. I've tried every NAT rule imaginable and I either get a failed-to-route error or an IP spoofing error. Providing access to internal DNS is possible, but I feel like that defeats the purpose of having a separate guest network in the first place.