07-11-2007 02:48 AM - edited 03-09-2019 06:21 PM
We are currently using 3600 routers to do NAT translation at the edge of our network, and these are working fine. We have decided to move this process over to ASA5520's, and are in the process of doing this.
We have one problem though, and it is a major headache. We have our own internal DNS servers, which external sites use to resolve names internal to us. This works when using the routers, but not when using the ASAs.
The problem is that when an external site uses nslookup to resolve a site behind the firewall the reply given is the true IP address of the device rather than the NAT'd entry. We can find several documents on this, but they all tend to refer to having the DNS on the outside of your network.
Any ideas on resolving this would be gratefully appreciated.
07-11-2007 03:21 AM
Hi
DNS inspection should sort this out for you, but it should be on by default.
You don't say which version of the software you are running, but attached is a link to the ASA 7.2 command reference for dns inspect and its uses.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1670620
HTH
Jon
07-11-2007 03:53 AM
Hi Jon,
Thanks for the reply, we are testing it now. The software we are running is 7.2.
Thanks,
Mike.
07-11-2007 04:00 AM
Mike
No problem. Let me know how you get on.
Jon
07-11-2007 07:05 AM
Hi Jon,
We have entered the following policy but are still getting the 'real' ip when an outside device queries the internal DNS server:
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
The DNS server has a static NAT translation, as does the particular device we are testing.
e.g.
static (inside,outside) 10.1.1.1 10.2.2.2 dns
Any ideas?
Mike.
07-11-2007 08:01 AM
Mike,
Have you considered having the server resolve the addresses to the external addresses in the first place?
You could then hairpin users on the inside which would allow them to resolve to the external address as well.
08-09-2007 11:32 PM
We have got the DNS inspection working now, but it does seem that a problem still persists.
People external to us can do successful DNS queries, but the TTL on the DNS entry is not being re-written. So after the NAT entry has expired after 30 minutes they have an invalid resolution.
Can anyone please advise on how to amend the TTL on DNS lookups?
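As an added illustration (not code from this thread or from Cisco), here is a constructed Python model of what the DNS rewrite in the earlier posts does to an A record in a reply, plus a TTL cap at the NAT timeout as a way to check whether a reply's TTL outlives the translation; the NAT table, the timeout value and the sample reply are all constructed assumptions.

```python
import struct

# Constructed static NAT table: real (inside) address -> mapped (outside) address,
# the direction the thread's "static (inside,outside) ... dns" line describes.
NAT_TABLE = {"10.1.1.1": "10.2.2.2"}
NAT_TIMEOUT = 30 * 60  # seconds; the translation timeout the last post mentions (assumed)

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _skip_name(pkt, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + ln

def build_response(name, addr, ttl, txid=0x1234):
    """Constructed sample reply: one question, one A answer using a name pointer."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + answer

def a_records(pkt):
    """Walk the answer section; return [(address, ttl, offset)] for A records."""
    qd, an = struct.unpack_from("!HH", pkt, 4)
    off, out = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((".".join(str(b) for b in pkt[off + 10:off + 14]), ttl, off))
        off += 10 + rdlen
    return out

def doctor_response(pkt, nat=NAT_TABLE, max_ttl=NAT_TIMEOUT):
    """Rewrite real->mapped in A rdata and cap the TTL at the NAT timeout."""
    buf = bytearray(pkt)
    for addr, ttl, off in a_records(pkt):
        if addr in nat:
            buf[off + 10:off + 14] = bytes(int(o) for o in nat[addr].split("."))
            struct.pack_into("!I", buf, off + 4, min(ttl, max_ttl))
    return bytes(buf)
```

Feeding a captured reply through a_records() before and after the firewall is a quick way to see whether only the address, or also the TTL, is being changed.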