02-05-2016 11:09 AM
I found this article on tricking an ASA 5505 to forward DNS requests, in effect making it a DNS server.
http://herdingpackets.net/2014/02/20/faking-an-asa-as-a-dns-forwarder/
object network Google-DNS-8.8.4.4
 host 8.8.4.4
 nat (outside,inside) static interface service udp domain domain
And I was able to adapt it to do NTP requests, in effect making the ASA act as a NTP server. Now I'm trying to get this to work on another box that has had PAT disabled globally with the following command:
object network obj_any
 no nat (inside,outside) dynamic interface
On this box it breaks completely. The forwarding trick does not work. There must be another step I am missing to make it work just for the protocol I want.
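For reference, here is the NTP variant of the same object-NAT trick, written out as an added example; it is not the poster's configuration and the object name and upstream server address (192.0.2.123, from the documentation range) are placeholders to be replaced with a real NTP server.

```cisco
! Added example, not from the original post: the DNS-forwarder trick from the
! linked article adapted for NTP. Object name and host address are placeholders.
object network Upstream-NTP
 host 192.0.2.123
 nat (outside,inside) static interface service udp ntp ntp
!
! Inside clients point their NTP client at the ASA's inside interface address.
! The static rule rewrites the destination to the upstream server; 'ntp' is the
! ASA port keyword for UDP/123, just as 'domain' is UDP/53 in the DNS version.
```

As the thread reports, this only works on a box that still has its dynamic interface PAT rule (`nat (inside,outside) dynamic interface`) in place; on the box where that rule was removed, the forwarding stops working.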
02-05-2016 12:00 PM
Why not just let the clients use NTP to a proper NTP server on the Internet? Ditto with DNS?
02-10-2016 05:52 AM
Sometimes you just want to fix the ASA deficiencies rather than continue to work around them.
The nice thing about simply "passing on" requests is you can point it elsewhere in the future by making one change in one place (on the box). If you are using DHCP you use that as a mechanism to push out various values but in an environment where DHCP is not used you either have to configure every single device with the changes OR if everything is pointing at the box, make one change on the box. But that would make life easy. And who would want that lol.
Regardless, the question wasn't "do you agree with my doing this?". The question was "do you know how to do this?"