DNS NAT translation

networking
Level 1

We are currently using 3600 routers to do NAT translation at the edge of our network, and these are working fine. We have decided to move this process over to ASA5520's, and are in the process of doing this.

We have one problem though, and it is a major headache. We have our own internal DNS servers, which external sites use to resolve names internal to us. This works when using the routers, but not when using the ASAs.

The problem is that when an external site uses nslookup to resolve a site behind the firewall, the reply given is the true IP address of the device rather than the NAT'd entry. We can find several documents on this, but they all tend to refer to having the DNS on the outside of your network.

Any ideas on resolving this would be gratefully appreciated.

6 Replies

Jon Marshall
Hall of Fame

Hi

DNS inspection should sort this out for you, but it should be on by default.

You don't say which version of the software you are running, but attached is a link to the ASA 7.2 command reference for dns inspect and its uses.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1670620

HTH

Jon

Hi Jon,

Thanks for the reply, we are testing it now. The software we are running is 7.2.

Thanks,

Mike.

Mike

No problem. Let me know how you get on.

Jon

Hi Jon,

We have entered the following policy but are still getting the 'real' IP when an outside device queries the internal DNS server:

```
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
```

The DNS server has a static NAT translation, as does the particular device we are testing.

e.g.

```
static (inside,outside) 10.1.1.1 10.2.2.2 dns
```

Any ideas?

Mike.

Mike,

Have you considered having the server resolve the addresses to the external addresses in the first place?

You could then hairpin users on the inside which would allow them to resolve to the external address as well.

We have got the DNS inspection working now, but it does seem that a problem still persists.

People external to us can do successful DNS queries, but the TTL on the DNS entry is not being re-written. So after the NAT entry has expired after 30 minutes they have an invalid resolution.

Can anyone please advise on how to amend the TTL on DNS lookups?
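The mechanism the thread is relying on is DNS rewrite (sometimes called DNS doctoring): the firewall inspects DNS replies leaving the inside and, for any A record whose address has a static translation marked with the `dns` keyword, swaps the real address for the mapped one. The example below is added here to illustrate that mechanism; it is not Cisco's code and does not describe what ASA 7.2 does with the TTL. It parses a DNS response, rewrites A records found in a constructed static NAT table, and, as the mitigation the last post is asking about, optionally clamps each rewritten record's TTL to the translation timeout so that a client cannot cache a mapped address longer than the firewall will honour it. The NAT table, the 30-minute timeout and the `host.example.com` response are constructed sample values.

```python
import struct
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed static NAT table: real (inside) address -> mapped (outside) address.
# Stands in for "static (inside,outside) ... dns" entries on the firewall.
STATIC_NAT: Dict[str, str] = {"10.1.1.1": "10.2.2.2"}

# Assumed translation (xlate) timeout from the thread: 30 minutes.
XLATE_TIMEOUT_SECONDS = 30 * 60


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_a_response(name: str, ip: str, ttl: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response with one question and one A answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def rewrite_dns_response(msg: bytes, nat: Dict[str, str],
                         max_ttl: Optional[int] = None) -> bytes:
    """Rewrite A records per the NAT table; optionally clamp their TTL to max_ttl."""
    buf = bytearray(msg)
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata_off = off + 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            real = str(ipaddress.IPv4Address(bytes(buf[rdata_off:rdata_off + 4])))
            if real in nat:
                buf[rdata_off:rdata_off + 4] = ipaddress.IPv4Address(nat[real]).packed
                if max_ttl is not None and ttl > max_ttl:
                    struct.pack_into("!I", buf, off + 4, max_ttl)  # TTL sits after type/class
        off = rdata_off + rdlen
    return bytes(buf)


def a_records(msg: bytes) -> List[Tuple[str, int]]:
    """Return (address, ttl) for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    out = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            out.append((str(ipaddress.IPv4Address(bytes(msg[off + 10:off + 14]))), ttl))
        off += 10 + rdlen
    return out


if __name__ == "__main__":
    reply = build_a_response("host.example.com", "10.1.1.1", ttl=3600)
    print("before:", a_records(reply))
    print("rewritten:", a_records(rewrite_dns_response(reply, STATIC_NAT)))
    print("rewritten + TTL clamp:",
          a_records(rewrite_dns_response(reply, STATIC_NAT, XLATE_TIMEOUT_SECONDS)))
```

Records whose address has no static entry are passed through untouched, which matches the thread's observation that only translated hosts are affected. The TTL clamp is a policy choice of this example: if the firewall does not rewrite the TTL, the fallback is to have the internal DNS zone itself publish a TTL no longer than the translation timeout for the affected records.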
