Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
275
Views
0
Helpful
2
Replies

anyconnect hairpin dns doctoring

P_Tone ATG
Level 1
Level 1

‎01-26-2016 02:09 PM - edited ‎02-21-2020 08:38 PM

I have Guest interface that I'd like to be able to use AnyConnect from to provide access to the inside network and I'd like to be able to do it without dedicated Guest DNS. I believe the answer to that is DNS doctoring through NAT. However; when I use the ASAs interfaces in a NAT translation with DNS doctoring I get errors stating that the address overlaps with the interface, which is of course true.

What are the NAT rules I need to accomplish this?

ASA 9.1(5)

Labels:
0 Helpful
2 Replies 2

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-26-2016 04:56 PM

Why not create a rule allowing the guest network access to dns on your internal DNS servers (or external).

And you can enable AnyConnect on the guest interface.

0 Helpful

P_Tone ATG
Level 1
Level 1
In response to Philip D'Ath

‎01-27-2016 08:25 AM

External won't work because it points to the outside interface and the ASA can't figure out how to route that from another interaface, I've tried every NAT rule imaginable and I either get a failed to route error or an IP spoofing error. Providing access to internal DNS is possible but I feel like that defeats the purpose of having a separate guest network in the first place.

0 Helpful
Customers Also Viewed These Support Documents