DNS issue with ASA 5510

Unanswered Question
Jul 2nd, 2007


I have a problem with DNS resolution on the ASA 5510. The DNS server is inside the LAN (x.y.11.0/24) and MPLS clients are coming from a DMZ segment. There is an MPLS router between the MPLS cloud and the ASA; the DMZ is x.y.0.0/24 and the DNS server is statically NATted to an x.y.0.0 subnet IP. Everything is working fine, except DNS is not resolving the name requests coming from MPLS. The request reaches the DNS server, but when replying the DNS server gives an x.y.11.0 IP, which does not cross the FW. I cannot do identity NAT for the x.y.11.0 IPs as we would have to make changes all over the MPLS network, which is not feasible as the number of locations is more than 100.

If anybody has the workaround, please reply. Thanks in advance.



Fernando_Meza Mon, 07/02/2007 - 22:56

Hi .. let me see if I have got it right ..?

you are basically trying to access a DNS server on your inside LAN from a network located on the DMZ .. correct ..?

I am assuming that the security level of the inside is higher than the DMZ, right ..?

you should have a one to one static NAT like this ..

static (inside,dmz) x.y.?.? x.y.11.? netmask 255.255.255.255

then if you are getting the DNS request hitting the DNS server, the issue is more likely that the DNS server does not know how to get back to the MPLS segment .. packets from the DNS server should be reaching the inside interface of the ASA on their way back to the MPLS cloud .. can you see that happening in the ASDM logs ..?

I hope it helps .. please rate it if it does !!!
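The symptom in the question (the request reaches the DNS server, the reply carries an x.y.11.0 address that the MPLS side cannot route to) is what happens when a one-to-one static translates the packet headers but not the A record inside the DNS payload. The following is an added example, not code from this thread or from Cisco: a small DNS-reply parser that (a) detects answers still carrying an inside-subnet address and (b) rewrites them per the static mapping, which is the payload fix an ASA applies when DNS inspection is enabled for a static (the `dns` keyword on the `static` command). The addresses 10.1.11.0/24, 10.1.0.0/24, the host 10.1.11.20, its mapped address 10.1.0.20 and the name srv.example.test are constructed stand-ins for the thread's x.y.* values.

```python
import struct
import ipaddress

# Constructed stand-ins for the thread's x.y.11.0/24 (inside) and x.y.0.0/24 (DMZ);
# the mapping assumes a one-to-one static exists for the inside host.
INSIDE_NET = ipaddress.ip_network("10.1.11.0/24")
STATIC_MAP = {"10.1.11.20": "10.1.0.20"}  # inside real IP -> DMZ-side mapped IP


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_dns_response(qname, answer_ips, txid=0x1234):
    """Build a minimal DNS response with one A record per IP (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answer_ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in answer_ips:
        # name = pointer to offset 12 (the question name), type A, class IN, TTL 300, RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def iter_a_records(pkt):
    """Yield (rdata_offset, ip) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, str(ipaddress.IPv4Address(pkt[off:off + 4]))
        off += rdlen


def untranslated_answers(pkt, inside_net=INSIDE_NET):
    """Detection: A records that still carry an inside-subnet address after NAT."""
    return [ip for _, ip in iter_a_records(pkt) if ipaddress.ip_address(ip) in inside_net]


def rewrite_a_records(pkt, mapping=STATIC_MAP):
    """Mitigation: rewrite A-record rdata per the one-to-one static mapping (DNS rewrite)."""
    buf = bytearray(pkt)
    for off, ip in iter_a_records(pkt):
        if ip in mapping:
            buf[off:off + 4] = ipaddress.IPv4Address(mapping[ip]).packed
    return bytes(buf)


if __name__ == "__main__":
    reply = build_dns_response("srv.example.test", ["10.1.11.20"])
    print("inside addresses leaking in reply:", untranslated_answers(reply))
    fixed = rewrite_a_records(reply)
    print("answers after rewrite:", [ip for _, ip in iter_a_records(fixed)])
```

Run against a captured reply, `untranslated_answers` is the check that confirms the diagnosis in the question: an inside address in the answer section means the static translated the IP header only. The rewrite keeps packet length unchanged because an A record's rdata is always four bytes, which is why a firewall can do it in place.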

