07-18-2007 11:14 PM - edited 03-11-2019 03:46 AM
I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.
I plan to have three security zones:
SERVER_NETWORK 10.0.0.0/24
CLIENT_NETWORK 192.168.100.0/24
PUBLIC_NETWORK 200.200.200.0/24 (obfuscated intentionally)
I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Let's say for simplicity, it's a web server.
SERVER01 (ip: 10.0.0.10) (External NAT: 200.200.200.10)
Externally, if you resolve "www.mycompanywebsite.com", DNS will return 200.200.200.10.
Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address (200.200.200.10) or browsed to that resource, they would be able to reach SERVER01 too?
In other words, can I have NAT translations occur on both interfaces, public and client?
I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)
I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desirable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.
Any advice? Is this easily overcome now?
Thanks!
-Matt
07-19-2007 12:15 AM
Hi Matt
Yes you can do this, it is called DNS doctoring. Attached is a link to a configuration example of DNS doctoring on the ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
HTH
Jon
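To make the answer above concrete for the three-zone layout in the question, here is an added configuration example (not from the original thread or the linked Cisco document). It assumes three interfaces named outside, servers and clients with the ASA holding the .1 address in each subnet, that nat-control is disabled (the default on ASA 7.x+, so clients can reach servers with no translation), and that the clients' DNS queries go to a resolver on the public side, so the replies pass through the ASA's DNS inspection. Interface names, security levels and the ASA's own addresses are assumptions; SERVER01's real and mapped addresses are the ones from the question.

```cisco
! --- Interfaces (assumed names and ASA addresses) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
interface GigabitEthernet0/1
 nameif servers
 security-level 50
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif clients
 security-level 100
 ip address 192.168.100.1 255.255.255.0

! --- Pre-8.3 syntax (ASA 7.x / 8.0 - 8.2, current when this thread was written) ---
! Publish SERVER01 on the outside. The trailing "dns" keyword is DNS doctoring:
! when a DNS reply enters on the mapped interface (outside) carrying an A record
! for 200.200.200.10, the ASA rewrites it to 10.0.0.10 before forwarding the
! reply to the clients interface. Clients then connect directly to 10.0.0.10.
static (servers,outside) 200.200.200.10 10.0.0.10 netmask 255.255.255.255 dns

! Outside users still need an ACL to reach the web server on the mapped address.
access-list OUTSIDE_IN extended permit tcp any host 200.200.200.10 eq www
access-group OUTSIDE_IN in interface outside

! DNS doctoring only works if DNS inspection is on. These lines are part of the
! factory default global policy; shown here so you can confirm they were not removed.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! --- Same thing in 8.3+ object NAT syntax (for later software) ---
object network SERVER01
 host 10.0.0.10
 nat (servers,outside) static 200.200.200.10 dns

! --- Alternative if the clients' resolver is internal and the query never crosses the ASA ---
! DNS doctoring cannot rewrite a reply it never sees. In that case add a second
! static on the clients interface so 200.200.200.10 is destination-NATed to the
! real address when clients (whose default gateway is the ASA) send to it:
static (servers,clients) 200.200.200.10 10.0.0.10 netmask 255.255.255.255
```

Two checks after applying it: `show xlate` should list the 200.200.200.10 to 10.0.0.10 translation, and a `nslookup www.mycompanywebsite.com` from a client should now return 10.0.0.10 while the same lookup from outside still returns 200.200.200.10. Note that doctoring rewrites only A records in UDP/TCP DNS replies that DNS inspection actually parses; DNS over an unexpected port, or replies exceeding the configured maximum message length, are not rewritten.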
07-19-2007 12:46 AM
That's perfect Jon.
Thank you.