Question about NAT redirection

Answered Question

I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.

I plan to have three security zones:



PUBLIC_NETWORK (obfuscated intentionally)

I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Let's say, for simplicity, it's a web server.

SERVER01 (ip: (External NAT:

Externally, if you resolve "", DNS will return

Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address ( or browsed to that resource, they would be able to reach SERVER01 too?

In other words, can I have NAT translations occur on both interfaces, public and client?

I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)

I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desirable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.

Any advice? Is this easily overcome now?



Correct Answer by Jon Marshall about 9 years 3 months ago

Hi Matt

Yes, you can do this; it is called DNS doctoring. Attached is a link to a configuration example of DNS doctoring on the ASA.



Overall Rating: 5 (1 ratings)
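
A sketch of the DNS doctoring setup the answer names, for the three-zone layout in the question; this is an added example, not configuration from the thread or from the linked Cisco document. It assumes pre-8.3 ASA software (`static` command syntax), assumes the interface names `inside`, `dmz` and `outside` for CLIENT_NETWORK, SERVER_NETWORK and PUBLIC_NETWORK, and uses constructed addresses.

```cisco
! Constructed values (not from the thread):
!   10.10.10.10  = real address of SERVER01 on the dmz interface
!   192.0.2.10   = mapped (public) address that external DNS returns
!   192.168.1.0  = client subnet on the inside interface

! Static NAT for SERVER01. The trailing "dns" keyword tells the ASA to
! rewrite A records in DNS replies that match this translation, so a
! client behind the ASA receives 10.10.10.10 instead of 192.0.2.10.
static (dmz,outside) 192.0.2.10 10.10.10.10 netmask 255.255.255.255 dns

! Let clients reach the dmz with their own addresses (identity static),
! so the rewritten answer points at something they can route to.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Permit only the published service from the public side.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-group OUTSIDE_IN in interface outside

! The rewrite is performed by DNS inspection, so it must be enabled.
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global

! Limits to keep in mind:
! - Only DNS replies that pass through the ASA are rewritten. If the
!   clients' resolver sits on the same interface as the clients and
!   caches the public answer, nothing is rewritten.
! - Replies the ASA cannot inspect (for example DNS carried inside an
!   encrypted tunnel or over TLS) are not rewritten either.
```

After applying it, an `nslookup` for the server's name from a client should return the real (dmz) address, and `show xlate` on the ASA should list the static translation.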

