Question about NAT redirection

mattg
Level 1

I will be deploying an ASA5520 very soon and I wanted to find out if the following is possible...and if so, any advice or pointers on the configuration.

I plan to have three security zones:

SERVER_NETWORK 10.0.0.0/24

CLIENT_NETWORK 192.168.100.0/24

PUBLIC_NETWORK 200.200.200.0/24 (obfuscated intentionally)

I will have a server exposed (or NAT'd) from the SERVER_NETWORK to the PUBLIC_NETWORK. Let's say for simplicity, it's a web server.

SERVER01 (ip: 10.0.0.10) (External NAT: 200.200.200.10)

Externally, if you resolve "www.mycompanywebsite.com", DNS will return 200.200.200.10.

Is it possible to configure the ASA5520 such that, if a user on the CLIENT_NETWORK resolved that address (200.200.200.10) or browsed to that resource, they would be able to reach SERVER01 too?

In other words, can I have NAT translations occur on both interfaces, public and client?

I've tried this in the past with a PIX and was told that it couldn't be done. Something about not being able to send traffic out, or looping back in, through an interface that is NAT'ing an address. (that was a long time ago, though)

I've resolved it in the past by running a secondary DNS server for the clients in the CLIENT_NETWORK, that responds with internal addresses instead of the external ones. That is obviously a less than desirable solution because you have to maintain duplicate zone files with different host records. But that isn't an option with this install. I can't do that here.

Any advice? Is this easily overcome now?

Thanks!

-Matt

Accepted Solution

Jon Marshall
Hall of Fame

Hi Matt

Yes you can do this, it is called DNS doctoring. Attached is a link to a configuration example of DNS doctoring on the ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Jon

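Jon's pointer is the whole answer; as an added illustration that is not from the thread or from Cisco's configuration example, here is what the DNS-doctoring piece looks like on an ASA in Matt's three-zone layout. The interface names (outside, server, client), security levels and interface addresses are assumed; the host addresses are the ones in Matt's post. It also assumes the clients resolve www.mycompanywebsite.com against a DNS server reached through the outside interface, so the reply crosses the ASA. The dns keyword on the static rule tells the DNS inspection engine to rewrite 200.200.200.10 to 10.0.0.10 in that reply before it reaches the client, and the client then connects straight to 10.0.0.10 on the server interface; no second NAT and no loop back through the outside interface is involved.

```cisco
! Added example, not configuration from the thread or from Cisco's document.
! Assumed interfaces and addressing (Matt's post gives only the networks):
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif server
 security-level 50
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif client
 security-level 75
 ip address 192.168.100.1 255.255.255.0
!
! --- Pre-8.3 syntax (the form used in the example Jon linked) ---
! Static NAT for SERVER01 between server and outside. The trailing "dns"
! keyword enables DNS rewrite for this mapping: an A record carrying
! 200.200.200.10 in a reply coming in on outside is rewritten to 10.0.0.10.
static (server,outside) 200.200.200.10 10.0.0.10 netmask 255.255.255.255 dns
!
! Only port 80 is exposed from the public side (pre-8.3 ACLs use the mapped address).
access-list OUTSIDE_IN extended permit tcp any host 200.200.200.10 eq www
access-group OUTSIDE_IN in interface outside
!
! DNS rewrite only happens if DNS inspection is on. It is part of the
! default global policy; shown here so it is not removed by accident.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
!
! --- Equivalent on 8.3 and later (object NAT; ACLs then use the real address) ---
! object network SERVER01
!  host 10.0.0.10
!  nat (server,outside) static 200.200.200.10 dns
! access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq www
!
! --- Verification ---
! Confirm the inspection engine is seeing and rewriting replies:
!   show service-policy inspect dns
! Confirm the translation exists:
!   show xlate            (pre-8.3)
!   show nat              (8.3+)
! Walk a client connection to the real address through the policy;
! from client (75) to server (50) it is permitted by default with no ACL:
!   packet-tracer input client tcp 192.168.100.50 40000 10.0.0.10 80
```

Two points worth checking before blaming the ASA: the reply must actually traverse the firewall (an internal DNS server on the client network answering directly gives the ASA nothing to rewrite, which is the situation Matt worked around with split zone files), and the rewrite is tied to the mapping on the static rule, so a second static for the same server on another interface pair changes which address the client should be using. The packet-tracer line is the quickest way to see whether the client path to 10.0.0.10 is allowed once the DNS answer has been doctored.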

2 Replies


That's perfect Jon.

Thank you.
