VPN Guest Network - DNS Rewrite

BlueMCisco
Level 1

Hi,

I have remote access VPN set up on my outside interface. External DNS is pointing vpn.contoso.com to this outside interface. I also have a PAT policy for some of my 'Inside' traffic to use this same outside interface IP address.

I'd like to be able to use vpn.contoso.com from my 'guest' network, which uses external DNS, for VPN connectivity. I have enabled remote access VPN on my 'Guest' interface. I know that I cannot use DNS rewrite on a PAT policy. Is there any other option to allow this to work? Could I possibly create a separate static NAT policy translating my 'Guest' interface IP to my 'Outside' interface IP? If yes, would I need to first remove the PAT policy for my inside traffic?

Thanks,
Blue

Accepted Solution

Varinder Singh
Cisco Employee

Hi,

Couple of things.

1. You cannot connect to the outside interface VPN coming from the Guest interface, and you cannot NAT the outside interface to the guest interface. It is not possible.

2. The only way to make it work is to have resolution of vpn.contoso.com to the Guest interface for users connected to the guest interface.

Hope that answers your query.

Varinder

Regards, Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.

3 Replies

Thank you for the quick reply.

The guest network uses public DNS so I'm not sure how that is possible. Is there a way in the ASA to manipulate the DNS response for queries coming from the guest network (other than DNS rewrite)?

FYI, I'm using the ASA 5520.

Thanks,

Blue

I'm afraid there is no other way to manipulate DNS queries for an FQDN to resolve to 2 IP addresses, one on outside and another on the guest interface. ASA only intercepts for static NAT which has the dns keyword configured.

The easy way is to have them connect on the IP address of the guest interface, or have another FQDN, vpn2.contoso.com, resolve to the guest interface IP address.

Varinder

Regards, Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.
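For readers landing on this thread, here is an added illustration (not configuration from either poster) of the distinction the answer rests on: DNS rewrite is only honoured on a static NAT carrying the dns keyword, not on the interface PAT. It assumes ASA 8.3+ object NAT syntax and uses hypothetical interface names and RFC 5737 documentation addresses.

```text
! Added illustration, not configuration from the thread.
! Assumes ASA 8.3+ object NAT syntax; addresses and names are placeholders.
!
! DNS rewrite (DNS doctoring) is applied only to a static NAT that carries
! the dns keyword: a DNS reply for 203.0.113.5 seen by inside clients is
! rewritten to 10.10.10.5.
object network srv-inside
 host 10.10.10.5
 nat (inside,outside) static 203.0.113.5 dns
!
! The interface PAT that the poster uses for general inside traffic cannot
! carry the dns keyword, so the outside interface address that
! vpn.contoso.com resolves to is never rewritten for guest clients.
object network inside-net
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! What the answer recommends instead: terminate the same remote access VPN
! on the guest interface and have guest clients resolve a name (here the
! suggested vpn2.contoso.com) to the guest interface address in external DNS.
webvpn
 enable outside
 enable guest
```

The DNS record for vpn2.contoso.com lives with the public DNS provider, not on the ASA, which is why no NAT rule is needed for the guest path.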